Subject: Clarifying Key Wrapping Sections of KMIP Spec


In reviewing the Key Wrapping related sections of the KMIP Spec and
Usage Guide it's not obvious that we have accommodated the use case
where a symmetric key is encrypted using a public key of an asymmetric
key pair.  I think some clarifying text should be added to the KMIP Spec
to indicate that this is a supported use case.  Also, if possible,
another example showing how the Encrypt wrapping method can be used with
an asymmetric public key should be added to the KMIP Usage Guide.

On a related note, it is not always clear how the Wrapping Method
'MAC/Sign' should be interpreted.  From descriptions of MAC/Sign Key
Information it appears that one would either MAC the Key Value or Sign
the Key Value but would not both MAC and Sign the Key Value.  Text
clarifying how this wrapping method should be interpreted should also be
added to the KMIP Spec.

I've gone through the Key Wrapping related sections of the KMIP Spec and
compiled a set of editorial changes that will help to clarify these two
topics.

*********************************************************************
Section 2.1.3

*	Line 94:  Typo - please change 'Cryptogtaphic' to
'Cryptographic'

*	Lines 99/100:  Suggest the following revision to the sentence:
		The Key Block may optionally contain a Key Wrapping Data
structure, which indicates that the key is wrapped (encrypted), MAC'ed,
signed, wrapped and MAC'ed, or wrapped and signed.

Section 2.1.5

*	Lines 117/118:  Suggest the following revision to the bullet
(updates include aligning wording with section 2.1.6):
		An Encryption Key Information with the Unique Identifier
value for the encryption key, used to wrap the Key Value, and associated
cryptographic parameters.

*	Lines 119/120:  Suggest the following revision to the bullet
(updates include aligning wording with section 2.1.6):
		A MAC/Signature Key Information with the Unique
Identifier value for the MAC'ing or signing key and associated
cryptographic parameters.

*	Lines 129/130:  Suggest the following revision to the bullet:
		Encrypt only (Covers both wrapping performed using a
symmetric key and wrapping performed using the public key of an
asymmetric key pair.  Possibly includes authenticated encryption
algorithms that use a single key.)

*	Line 131:  Change 'MAC/sign only' to 'MAC or sign only'

*	Line 132:  Change 'Encrypt then MAC/sign' to 'Encrypt then MAC
or sign'

*	Line 133:  Change 'MAC/sign then encrypt' to 'MAC or sign then
encrypt'

*	Table following Line 135, Encryption Key Information Row:
Suggest that the following note is added into the Required Field column
after 'No':
		Corresponds to the symmetric key or the asymmetric
public key used to wrap (encrypt) the Key Value.

*	Table following Line 138, Unique Identifier Row:  Suggest the
following revisions to the text in the Required Field column:
		Yes.  It can be the Unique Identifier of the symmetric
key used to MAC the Key Value or the asymmetric public key used to sign
the Key Value.

Section 2.1.6

*	Lines 151/152:  Suggest the following revision to the bullet:
		An Encryption Key Information with the Unique Identifier
value of the encryption key, used to wrap the Key Value, and associated
cryptographic parameters.

*	Table after Line 156:  Suggest that you include the same notes
in the Required Field column for Encryption Key Information and
MAC/Signature Key Information as appear in the table following Line
135.  (See comment above for the added text for the Encryption Key
Information row.)

Section 9.1.3.2.3

*	Table following Line 1575:  Change instances of 'MAC/sign' to
'MAC or sign'

*********************************************************************

For convenience I've also attached a Word document which includes the
direct edit to the affected sections of the KMIP Spec.

 <<KMIPEditsforKeyWrap.doc>> 

Judy

Judith Furlong | Principal Product Manager | EMC Product Security Office
| RSA - The Security Division of EMC | t: 508 249 3698 | f: 508 249 6107
| e: Furlong_Judith@emc.com
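The Key Wrapping Data rules this message asks the spec to state, as an added Python example that is not part of the message or of the KMIP spec: a consistency check on which Key Information fields each wrapping method needs (with the encryption key allowed to be a symmetric key or an asymmetric public key), and a 'MAC or sign only' wrap that MACs the Key Value with HMAC-SHA256 and verifies it without also signing. The key store, Unique Identifiers and algorithm names are constructed, and the enumeration labels are not the spec's numeric codes.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class WrappingMethod(Enum):  # names follow the e-mail's wording; values are labels, not the spec's codes
    ENCRYPT_ONLY = "Encrypt only"
    MAC_OR_SIGN_ONLY = "MAC or sign only"
    ENCRYPT_THEN_MAC_OR_SIGN = "Encrypt then MAC or sign"
    MAC_OR_SIGN_THEN_ENCRYPT = "MAC or sign then encrypt"
@dataclass
class KeyInformation:  # Unique Identifier plus a subset of the cryptographic parameters
    unique_identifier: str
    algorithm: str
@dataclass
class KeyWrappingData:
    wrapping_method: WrappingMethod
    encryption_key_information: Optional[KeyInformation] = None
    mac_signature_key_information: Optional[KeyInformation] = None
    mac_signature: Optional[bytes] = None
# Constructed stand-in for the server's key store: Unique Identifier -> (object type, key material).
KEY_STORE = {
    "rsa-pub-0002": ("PublicKey", b"constructed placeholder, not real key material"),
    "hmac-key-0003": ("SymmetricKey", bytes.fromhex("a5" * 32)),
}
ENCRYPTION_KEY_TYPES = {"SymmetricKey", "PublicKey"}  # wrapping key: symmetric KEK or asymmetric public key
def check_consistency(kwd: KeyWrappingData) -> bool:
    """A method needs exactly the Key Information (and MAC/Signature) fields its name implies."""
    needs_encrypt = kwd.wrapping_method is not WrappingMethod.MAC_OR_SIGN_ONLY
    needs_mac_or_sign = kwd.wrapping_method is not WrappingMethod.ENCRYPT_ONLY
    if needs_encrypt != (kwd.encryption_key_information is not None):
        return False
    if {kwd.mac_signature_key_information is not None, kwd.mac_signature is not None} != {needs_mac_or_sign}:
        return False  # key reference and MAC/Signature value must be both present or both absent
    return not needs_encrypt or KEY_STORE[kwd.encryption_key_information.unique_identifier][0] in ENCRYPTION_KEY_TYPES
def mac_wrap(key_value: bytes, mac_key_id: str) -> KeyWrappingData:
    """'MAC or sign only' with a symmetric key: the Key Value is MAC'ed, not signed as well."""
    obj_type, mac_key = KEY_STORE[mac_key_id]
    if obj_type != "SymmetricKey":
        raise ValueError("HMAC needs a symmetric key")
    tag = hmac.new(mac_key, key_value, hashlib.sha256).digest()
    return KeyWrappingData(WrappingMethod.MAC_OR_SIGN_ONLY, None, KeyInformation(mac_key_id, "HMAC-SHA256"), tag)
def mac_verify(key_value: bytes, kwd: KeyWrappingData) -> bool:
    """Unwrap side: reject inconsistent Key Wrapping Data first, then compare the MAC in constant time."""
    if kwd.wrapping_method is not WrappingMethod.MAC_OR_SIGN_ONLY or not check_consistency(kwd):
        return False
    _, mac_key = KEY_STORE[kwd.mac_signature_key_information.unique_identifier]
    return hmac.compare_digest(hmac.new(mac_key, key_value, hashlib.sha256).digest(), kwd.mac_signature)
```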
