Thank you.
The issue motivating these operations appears to stem from the possibility that a KMIP-compliant server may receive a Register request for a properly wrapped key -- complete with Wrapping Data and including the Encryption Key -- and
then quietly store the wrapped key "as is" [i.e. wrapped], rather than unwrap the key and thereby make that key useful for on-server operations such as Encrypt, Decrypt, Sign, etc.
A new flag in the Register request -- forcing the server to fail registration of a key that the server cannot (or will not) unwrap prior to storage -- would be preferable to the creation of new operations. The flag might work something like
the currently defined Asynchronous Indicator, which tells the server whether the client can accept an asynchronous response. Likewise, a Wrapped Storage Indicator could tell the server that the client can (not) accept wrapped storage of
a key. In theory, the client has the option to vary this flag with each request.
Cheers,
… Dave
-----Original Message-----
From: kmip@lists.oasis-open.org [mailto:kmip@lists.oasis-open.org] On Behalf Of Tim Hudson
Sent: Thursday, July 16, 2015 4:37 PM
To: kmip@lists.oasis-open.org
Subject: Re: [kmip] Groups - detailed_wrap_unwrap_proposal.odt uploaded
On 17/07/2015 12:02 AM, Featherstone, David wrote:
> I must have somehow missed the justification for these
> [*Wrap*/*Unwrap*] operations. Given that the spec already supports
> both the *Register* of a wrapped key [which the server unwraps for
> storage], and the *Get* of a key [which the server wraps for export],
> I wonder what motivates these new operations.
Multiple discussions over the last two years. Most recently raised by Mark at the face to face.
See face to face minutes and action items for the minutes for the meetings since then tracking the status.
And see
for the statement of the problem.
Tim.