
kmip-groups-proposal message



Subject: Re: [kmip-groups-proposal] RE: Entity: thoughts


On 15/09/2011 8:09 AM, Pochuev,Denis wrote:
> And finally, is Entity proposal the right context for this?

I see Entity as the code word for does-something-which-needs-to-know-about-permissions.

Entity is a proposed solution for a range of as yet not documented use cases which KMIP currently simply "ignores" because permissions and users are effectively outside of its current scope.
During the discussion on Entity to date we got entangled in the conflicting undocumented requirements so sorting out what we are trying to address is the first step IMHO.

A story to add to the list:
- company is happily using vendor X
- vendor X goes out of business
- company needs to move to vendor Y
- auditors and other such fun people require assurance that nothing has changed in the swap over from vendor X to vendor Y

Another story:
- company operates in jurisdictions X and Y with a network of multiple KMIP servers in both jurisdictions
- keys created in jurisdiction X must never leave jurisdiction X, but keys in jurisdiction Y can go anywhere; users in jurisdiction Y must never have access to plaintext keys (or must never have any access depending on the rules in jurisdiction and/or the purpose of the key)
- and then change vendors involved in each of the jurisdictions

These are all issues that (hopefully) most of us have hit in one shape or another - they are not theoretic - and the 'solutions' at the moment turn into simply convincing folks the right things have been done by the people involved. KMIP doesn't solve any of these issues. KMIP-vNext could put in place the building blocks to address these sorts of challenges.

Tim.


