Subject: KMIP & EKMI Credential Bootstrapping
When you are about to perform trustworthy operations between different entities, authentication of the end-points is typically necessary.

It seems that KMIP (as well as EKMI) leaves the bootstrapping of end-point authentication credentials to somebody else to cater for. Since this process is both highly device-dependent as well as generally difficult, KMIP interoperability may in practice prove to be quite limited. As a comparison, my own brain-child, KeyGen2, builds on the fact that devices are shipped with a device certificate. One may claim that KeyGen2 requires enhanced devices, and yes, this is true! The problem with not requiring enhanced devices is that "the tyranny of the least common denominator" will rule, which is a stopgap to progress. That is, the missing bootstrap may severely impede market acceptance.
Note: KeyGen2 does not compete with KMIP because KeyGen2 (deliberately) supports a very limited range of devices that are used by everybody (phones) but would be totally useless for storage. I would, if I were you, consider "borrowing" the device certificate concept.

Properly implemented, all kinds of shared secrets and enrollment passwords are eliminated by device certificates.

If you are curious about how such a scheme could work, you may take a peek at the section "Dual-use Device IDs" in:
Thanks
Anders
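The device-certificate bootstrap the post argues for, written out as an added example (this is not code from the post, nor from KeyGen2, KMIP or EKMI): a constructed toy manufacturer CA issues every unit a certificate at the factory, and the enrollment server's trust store holds nothing but the manufacturer root, so enrolling a device needs no shared secret and no enrollment password. Everything here is an assumption for illustration: the type and function names (Identity, EnrollmentServer, issue, Provision, Respond, Enroll), the "Example Device CA" name and the "device-0001" identifier. Only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is a key pair plus certificate: either the manufacturer CA (Cert is
// its root) or a shipped device (Key generated inside the unit, Cert issued at
// the factory). Constructed for this example; not a KeyGen2 or KMIP type.
type Identity struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// EnrollmentServer trusts the manufacturer root only: no per-device secret, no password.
type EnrollmentServer struct{ Roots *x509.CertPool }

// issue generates a fresh P-256 key and signs tmpl with signer (nil means self-signed).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Identity{Key: key, Cert: cert}, err
}

// NewManufacturer creates the constructed toy device CA (self-signed root).
func NewManufacturer() (*Identity, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Device CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return issue(tmpl, tmpl, nil)
}

// Provision is the factory step: the device certificate binds deviceID to a key
// that is generated in the device and never leaves it.
func (ca *Identity) Provision(deviceID string) (*Identity, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed; use random serials in practice
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(5 * 365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca.Cert, ca.Key)
}

// Respond is the device side of enrollment: the device returns its certificate
// and a signature over the server's nonce, proving possession of the certified key.
func (d *Identity) Respond(nonce []byte) (certDER, sig []byte, err error) {
	h := sha256.Sum256(nonce)
	sig, err = ecdsa.SignASN1(rand.Reader, d.Key, h[:])
	return d.Cert.Raw, sig, err
}

func NewEnrollmentServer(root *x509.Certificate) *EnrollmentServer {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &EnrollmentServer{Roots: pool}
}

// NewNonce issues a fresh challenge so that a captured response cannot be replayed.
func (s *EnrollmentServer) NewNonce() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Enroll checks the chain back to the manufacturer root, then proof of possession
// of the certified key; the enrolled identity is taken from the factory certificate.
func (s *EnrollmentServer) Enroll(nonce, certDER, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: s.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted device certificate: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return "", fmt.Errorf("proof of possession failed: %w", err)
	}
	return cert.Subject.CommonName, nil
}
```

The point to notice is what the server stores: one manufacturer root, the same for every device, instead of an enrollment password or shared secret per unit. A device from an unknown manufacturer fails the chain check, and a response recorded from an earlier enrollment fails the proof of possession against a fresh nonce. In a real protocol the signed data would also cover the server identity and session (to stop a response being relayed to a different server), and the server would consult revocation information for the device certificate; both are left out here to keep the exchange readable.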