Subject: The need for authentication credentials to be moved into profiles
Folks,

I would like to bring forth the following concerns that I had with the HTTP vs SSL/TLS ballot. The goal/plan is to discuss further on the reflector and vote on it during the face-to-face meeting.

From my understanding, the things we need to vote on are:

1. Use a. HTTPS or b. SSL/TLS over TCP to prove server authenticity and ensure privacy of the channel.

2. Mandate the use of X509 certificates to prove client authenticity (currently section 10).

#2 is the contentious issue, as it deviates from the foundation of the spec/profiles, which is to allow a vast variety of devices with differing threat models and deployment scenarios to use KMIP; but the lack of a mandatory authentication type would go against interoperability.

So, given that, here is what I propose:

· Client authentication is dictated by profiles, i.e. a profile is free to choose whatever authentication mechanisms it would like to support.

· Section 10 of the spec would remove the sentence which states normatively that clients are authenticated using certificates.

· The Base profile would mandate client authentication using X509 certificates (for now, let us leave the details on which attributes of the certificate should be used for authentication and just stick to the key). The contents of the Credential object in this scenario SHALL be ignored. This would ensure that we have an interoperable way of ensuring client authenticity.

· Other extended profiles would be free to choose the authentication flavors that they would like to support by enumerating the Credential object.

Questions/Comments?

Thanks,
-Subhash.