Subject: RE: [kmip-comment] KMIP & EKMI Credential Bootstrapping
Hi Anders -

I anticipate that we'll deal with alternative approaches to KMIP client/server authentication as part of the V2 work. I'm hoping we can kick off this work at the face-to-face in September. It might be good to plan on short presentations about keygen2 and other alternatives at that meeting?

Regards,
Bob

-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren@telia.com]
Sent: Wednesday, June 10, 2009 11:45 PM
To: kmip-comment@lists.oasis-open.org
Subject: [kmip-comment] KMIP & EKMI Credential Bootstrapping

When you are about to perform trustworthy operations between different entities, authentication of the end-points is typically necessary.

It seems that KMIP (as well as EKMI) leaves the bootstrapping of end-point authentication credentials to somebody else to cater for. Since this process is both highly device-dependent as well as generally difficult, KMIP interoperability may in practice prove to be quite limited.

As a comparison, my own brain-child, KeyGen2, builds on the fact that devices are shipped with a device certificate. One may claim that KeyGen2 requires enhanced devices, and yes this is true! The problem with not requiring enhanced devices is that "the tyranny of the least common denominator" will rule which is a stopgap to progress. That is, the missing bootstrap may severely impede market acceptance.

Note: KeyGen2 does not compete with KMIP because KeyGen2 (deliberately) supports a very limited range of devices that are used by everybody (phones) but would be totally useless for storage.

I would if I were you consider "borrowing" the device certificate concept. Properly implemented, all kinds of shared secrets and enrollment passwords are eliminated by device certificates.

If you are curious on how such a scheme could work you may take a peek in section "Dual-use Device IDs" in:
http://webpki.org/papers/keygen2/secure-key-store.pdf

thanks
Anders