OASIS Mailing List Archives

kmip-comment message



Subject: Charter questions


I have a number of questions regarding the current (2009-03-17) charter:

The initial goal is to define an interoperable protocol for standard communication between key management servers, and clients and other actors which can utilize these keys. Secure key management for TPMs (Trusted Platform Modules) and Storage Devices will be addressed. The scope of the keys addressed is enterprise-wide, including a wide range of actors: that is, machine, software, or human participants exercising the protocol within the framework. Actors for KMIP may include:

  • Storage Devices
  • Networking Devices
  • Personal devices with embedded storage (e.g. Personal Computers, Handheld Computers, Cell Phones)
  • Users
  • Applications
  • Databases
  • Operating Systems
  • Input/Output Subsystems
  • Management Frameworks
  • Key Management Systems
  • Agents
and KMIP Specification v0.98
http://xml.coverpages.org/KMIP/KMIP-v0.98-final.pdf


Q1: I can't find any support for PINs in the spec.  Does this mean that user-based authentication and signature keys are out of scope?

Q2: TPMs support attested key-pair generation.  Where in the spec. is this addressed?

Q3: Does the enterprise scope mean that KMIP is unsuitable for consumers?

Q4: Key-provisioning for unregistered end-user devices cannot be through APIs only; there must be a user-acknowledge part as well.   Or is the intention that end-users and devices are already authenticated to Active Directory or similar before KMIP can begin its operation?

Q5: Related to Q4: Is KMIP supposed to be able to power future versions of Microsoft's Autoenrollment system?

Q6: What is the relation between KMIP and browser-invoked schemes like <keygen>, generateCRMFRequest(), and CertEnroll?

thanks
Anders Rundgren


