[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [kmip] Revoke operation: Ambiguity w.r.t. Compromise, Compromise Occurrence Date
David I re-read the Revocation related sections of KMIP Spec and KMIP Usage Guide over again. Generally I believe the KMIP Spec is clear on when you set the Compromise Occurrence Date vs Deactivation Date – this is covered in section 4.20 Revoke and in 3.22 State of the KMIP (1.2) Spec. Compromise is distinct state from Deactivation so it is reasonable that they have separate dates to represent the point when an object transitions to that state. When you Revoke an object due to compromise (Key Compromise or CA Compromise) you set the Compromise Occurrence Date and if you Revoke and object of any other reason code (Affiliation Changed, Cessation of Operation) you set the Deactivation Date. That said there are a few issues with the text of section 4.20 Revoke of the KMIP (1.2) Spec. First we neglected to mention the CA Compromise reason code as the other reason code that would transition an object into the compromise state. The other issue with the section is that we give guidance on setting the Compromise Date attribute to the current date and time and seems to leave out the step of setting the Compromise Occurrence Date to the value. The client has specified the Compromise Occurrence Date in the request and that could be for a time earlier than the current date/time (the point of compromise can be earlier than the point when the compromise is reported). So the server should take the value from the request and use that to set the Compromise Occurrence Date. So here is what I believe needs to change in the Revoke section of the KMIP Spec. 4.20 RevokeThis operation requests the server to revoke a Managed Cryptographic Object or an Opaque Object. The request SHALL NOT specify a Template object. The request contains a reason for the revocation (e.g., “key compromise”, “cessation of operation”, etc.). Special authentication and authorization SHOULD be enforced to perform this request (see [KMIP-UG]). Only the object owner or an authorized security officer SHOULD be allowed to issue this request. The operation has one of two effects. If the revocation reason is “key compromise” or “CA compromise”, then the object is placed into the “compromised” state,
Table 185: Revoke Request Payload
Table 186: Revoke Response Payload Judy From: kmip@lists.oasis-open.org [mailto:kmip@lists.oasis-open.org] On Behalf Of Featherstone, David Greetings Possibly two ambiguities exist in the KMIP 1.2 specification’s description of the Revoke attribute. The ambiguities arise from the text in Table 185: Revoke Request Payload, saying that the Compromise Occurrence Date “SHALL be specified if the Revocation Reason is ‘key compromise’”: a) Is a Compromise Occurrence Date permitted/optional when the Revocation Reason is not ‘Key Compromise’? b) Is a Compromise Occurrence Date not also required when the Revocation Reason is ‘CA Compromise’? Here is the current description: 4.20 Revoke This operation requests the server to revoke a Managed Cryptographic Object or an Opaque Object. The request SHALL NOT specify a Template object. The request contains a reason for the revocation (e.g., “key compromise”, “cessation of operation”, etc.). Special authentication and authorization SHOULD be enforced to perform this request (see [KMIP-UG]). Only the object owner or an authorized security officer SHOULD be allowed to issue this request. The operation has one of two effects. If the revocation reason is “key compromise”, then the object is placed into the “compromised” state, and the Compromise Date attribute is set to the current date and time. Otherwise, the object is placed into the “deactivated” state, and the Deactivation Date attribute is set to the current date and time. +-------------------------------------------------------------------------------------------------+ | R E Q U E S T P A Y L O A D | +---------------------------------+---------------------+-----------------------------------------+ | O b j e c t | R E Q U I R E D | D E S C R I P T I O N | +---------------------------------+---------------------+-----------------------------------------+ | Unique Identifier | No | Determines the object being revoked. If | | | | omitted, then the ID Placeholder value | | | | is used by the server as the Unique | | | | Identifier | +---------------------------------+---------------------+-----------------------------------------+ | Revocation Reason, see 3.31 | Yes | Specifies the reason for revocation. | | | | | +---------------------------------+---------------------+-----------------------------------------+ | Compromise Occurrence Date, see | No | SHALL be specified if the Revocation | | 3.29 | | Reason is 'key compromise'. | +-------------------------------------------------------------------------------------------------+ Table 185: Revoke Request Payload The ambiguity could be eliminated with the following alterations: 4.20 Revoke This operation requests the server to revoke a Managed Cryptographic Object or an Opaque Object. The request SHALL NOT specify a Template object. The request contains a reason for the revocation (e.g., “key compromise”, “cessation of operation”, etc.). Special authentication and authorization SHOULD be enforced to perform this request (see [KMIP-UG]). Only the object owner or an authorized security officer SHOULD be allowed to issue this request. The operation has one of two effects. If the revocation reason is “key compromise” or “CA compromise”, then the object is placed into the “compromised” state, and the Compromise Date attribute is set to the current date and time. Otherwise, the object is placed into the “deactivated” state, and the Deactivation Date attribute is set to the current date and time. +-------------------------------------------------------------------------------------------------+ | R E Q U E S T P A Y L O A D | +---------------------------------+---------------------+-----------------------------------------+ | O b j e c t | R E Q U I R E D | D E S C R I P T I O N | +---------------------------------+---------------------+-----------------------------------------+ | Unique Identifier | No | Determines the object being revoked. If | | | | omitted, then the ID Placeholder value | | | | is used by the server as the Unique | | | | Identifier | +---------------------------------+---------------------+-----------------------------------------+ | Revocation Reason, see 3.31 | Yes | Specifies the reason for revocation. | | | | | +---------------------------------+---------------------+-----------------------------------------+ | Compromise Occurrence Date, see | No | SHALL be specified if and only if the | | 3.29 | | Revocation Reason is 'key compromise' | | | | or 'CA compromise'. | +-------------------------------------------------------------------------------------------------+ Table 185: Revoke Request Payload Cheers, … Dave
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]