OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

kmip-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [kmip-comment] KMIP & EKMI Credential Bootstrapping

Hi Anders -

I anticipate that we'll deal with alternative approaches to KMIP
client/server authentication as part of the V2 work. I'm hoping we can
kick off this work at the face-to-face in September. It might be good to
plan on short presentations about keygen2 and other alternatives at that
meeting?

Regards,

Bob

-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren@telia.com] 
Sent: Wednesday, June 10, 2009 11:45 PM
To: kmip-comment@lists.oasis-open.org
Subject: [kmip-comment] KMIP & EKMI Credential Bootstrapping

When you are about to perform trustworthy operations between different
entities, authentication of the end-points is typically necessary.

It seems that KMIP (as well as EKMI) leaves the bootstrapping of
end-point authentication credentials to somebody else to cater for.

Since this process is both highly device-dependent as well as generally
difficult, KMIP interoperability may in practice prove to be quite
limited.

As a comparison, my own brain-child, KeyGen2, builds on the fact that
devices are shipped with a device certificate.
One may claim that KeyGen2 requires enhanced devices, and yes this is
true!

The problem with not requiring enhanced devices is that "the tyranny of
the least common denominator" will rule which is a stopgap to progress.
That is, the missing bootstrap may severely impede market acceptance.
 
Note: KeyGen2 does not compete with KMIP because KeyGen2 (deliberately)
supports a very limited range of devices that are used by everybody
(phones) but would be totally useless for storage.  I would if I were
you consider "borrowing" the device certificate concept.
 
Properly implemented, all kinds of shared secrets and enrollment
passwords are eliminated by device certificates.
If you are curious on how such a scheme could work you may take a peek
in section "Dual-use Device IDs" in:
http://webpki.org/papers/keygen2/secure-key-store.pdf
<http://webpki.org/papers/keygen2/secure-key-store.pdf> 
 
thanks
Anders

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]