OASIS Mailing List Archives
kmip-comment message

Subject: RE: [External] : Re: [kmip-comment] Key Wrapping Data for a Register request


Hi Paul,

 

Yes, I should definitely have specified the version, sorry about that! In the previous email I referred to the 2.1 versions of the spec and usage guide:

https://docs.oasis-open.org/kmip/kmip-ug/v2.1/kmip-ug-v2.1.html

https://docs.oasis-open.org/kmip/kmip-spec/v2.1/kmip-spec-v2.1.html

 

Thanks,

Alex

 

From: Paul Knight <paul.knight@oasis-open.org>
Sent: Tuesday, March 2, 2021 10:42 AM
To: Alex Abell <alex.abell@oracle.com>
Cc: kmip <kmip-comment@lists.oasis-open.org>
Subject: [External] : Re: [kmip-comment] Key Wrapping Data for a Register request

 

Hi Alex,

 

Thanks for your comments. I expect that some knowledgeable members of the KMIP TC will respond to your comments.

 

Can you please provide the specific Version information which you are discussing here? The HTML URI from the front page (under "This stage:" or maybe "This version:") would probably be helpful.

 

Thanks and best regards,

Paul

 

On Tue, Mar 2, 2021 at 12:37 PM Alex Abell <alex.abell@oracle.com> wrote:

Dear all,

 

I have the following question about a client registering a wrapped key that I do not believe is made clear by the KMIP spec:

 

Assuming that a key value is wrapped with a public key by the client and will be unwrapped with a private key during a register operation, it does seem like the Key Wrapping Data's "Encryption Key Information" structure would specify the public key that was used to encrypt the key data (and would not include the private key that will be used to unwrap), given the description "Corresponds to the key that was used to encrypt the Key Value" in "3.3 Key Wrapping Data". The server would then presumably use the specified public key's linked private key to unwrap the key value. Am I interpreting this correctly?

 

Additionally, for the "MAC/Signature Key Information Structure", presuming that the key is being signed with a private key and then verified using a public key, in one part of section 3.3 I see "Corresponds to the symmetric key used to MAC the Key Value or the private key used to sign the Key Value", while later down (still in 3.3) I see "It SHALL be either the Unique Identifier of the Symmetric Key used to MAC, or of the Private Key (or its corresponding Public Key) used to sign.", making it seem like either the private key that was used to sign or the public key that will be used to verify can be specified. So must it be the private key that was used to sign, or can it be either the private or public key? It also seems a bit inconsistent with section 4.2 of the Usage Guide where I see "Similarly, if the client registers a signed key, the server should verify that the Signature Key, as specified by the client inside the Key Wrapping Data, has the 'Verify' bit set in the Cryptographic Usage Mask.", suggesting that we are verifying that the Signature Key is a public key that we are making sure has the Verify bit set.

 

If you are open to suggestions, potentially another example in the Usage Guide that explains "Encrypt-Then-Sign Example with an Asymmetric Key as an Encryption Key and an Asymmetric Key as an Authentication Key for a Register Request and Response" (similar to the examples in 4.2.1-4.2.4) would help a lot.

 

Thanks,

Alex

--

Paul Knight

Document Process

OASIS Open

+1 781-883-1783

paul.knight@oasis-open.org

www.oasis-open.org
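As an added illustration (not code from the thread, the KMIP TC or any KMIP implementation), the following models how a server could resolve the two identifiers under the reading discussed above: the public key named in Encryption Key Information is followed through its Link to the private key that unwraps, and the key named in MAC/Signature Key Information, whether the signing private key or its public key, is resolved to the public key whose Verify bit is then checked per Usage Guide 4.2. The key store, its identifiers and the Unwrap Key check are assumptions; the usage mask bit values are those of the KMIP specification.

```python
from dataclasses import dataclass
# KMIP Cryptographic Usage Mask bit values (from the KMIP specification).
SIGN, VERIFY, ENCRYPT, DECRYPT = 0x01, 0x02, 0x04, 0x08
WRAP_KEY, UNWRAP_KEY, MAC_GENERATE, MAC_VERIFY = 0x10, 0x20, 0x40, 0x80

@dataclass
class ManagedObject:
    uid: str          # Unique Identifier
    object_type: str  # "SymmetricKey", "PublicKey" or "PrivateKey"
    usage_mask: int   # Cryptographic Usage Mask
    link: str = ""    # Link attribute to the other half of a key pair

# Constructed sample server state (hypothetical identifiers): a pair that may unwrap and verify, a pair whose public key lacks Verify, and a MAC key.
STORE = {
    "pub-1": ManagedObject("pub-1", "PublicKey", ENCRYPT | VERIFY, link="priv-1"),
    "priv-1": ManagedObject("priv-1", "PrivateKey", UNWRAP_KEY | SIGN, link="pub-1"),
    "pub-2": ManagedObject("pub-2", "PublicKey", ENCRYPT, link="priv-2"),
    "priv-2": ManagedObject("priv-2", "PrivateKey", UNWRAP_KEY | SIGN, link="pub-2"),
    "mac-1": ManagedObject("mac-1", "SymmetricKey", MAC_GENERATE | MAC_VERIFY),
}

def resolve_unwrap_key(encryption_key_uid, store=STORE):
    """Encryption Key Information names the key that encrypted the Key Value (spec
    3.3); when that is a public key, the server unwraps with its linked private key."""
    obj = store[encryption_key_uid]
    if obj.object_type == "PublicKey":
        obj = store[obj.link]  # follow the Link to the corresponding private key
    if not obj.usage_mask & UNWRAP_KEY:  # assumed check; the thread quotes none here
        raise ValueError(f"{obj.uid} lacks Unwrap Key in its usage mask")
    return obj.uid

def resolve_verification_key(signature_key_uid, store=STORE):
    """MAC/Signature Key Information may name the MAC key, the signing private key or
    its public key (spec 3.3); the server checks Verify on the key it will use (UG 4.2)."""
    obj = store[signature_key_uid]
    if obj.object_type == "SymmetricKey":
        if not obj.usage_mask & MAC_VERIFY:
            raise ValueError(f"{obj.uid} lacks MAC Verify in its usage mask")
        return obj.uid
    if obj.object_type == "PrivateKey":
        obj = store[obj.link]  # verification is done with the public half
    if not obj.usage_mask & VERIFY:
        raise ValueError(f"{obj.uid} lacks Verify in its usage mask")
    return obj.uid

def signature_key_is_acceptable(signature_key_uid, store=STORE):
    try:  # True when the named key resolves to one the server may verify with
        return bool(resolve_verification_key(signature_key_uid, store))
    except ValueError:
        return False
```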
