kmip-comment message



Subject: KMIP & EKMI Credential Bootstrapping


When you are about to perform trustworthy operations between different entities, authentication of the end-points is typically necessary.

It seems that KMIP (as well as EKMI) leaves the bootstrapping of end-point authentication credentials to somebody else to cater for.

Since this process is both highly device-dependent as well as generally difficult, KMIP interoperability may in practice prove to be quite limited.

As a comparison, my own brain-child, KeyGen2, builds on the fact that devices are shipped with a device certificate.
One may claim that KeyGen2 requires enhanced devices, and yes this is true!
The problem with not requiring enhanced devices is that "the tyranny of the least common denominator" will rule, which is a stopgap to progress. That is, the missing bootstrap may severely impede market acceptance.
 
Note: KeyGen2 does not compete with KMIP because KeyGen2 (deliberately) supports a very limited range of devices that are used by everybody (phones) but would be totally useless for storage. I would, if I were you, consider "borrowing" the device certificate concept.
 
Properly implemented, all kinds of shared secrets and enrollment passwords are eliminated by device certificates.
If you are curious about how such a scheme could work, you may take a peek at the section "Dual-use Device IDs" in:
http://webpki.org/papers/keygen2/secure-key-store.pdf
 
thanks
Anders
 

