The need for authentication credentials to be moved into profiles

["Subhash Sankuratripati" <Subhash.Sankuratripati@netapp.com>]

Folks,

 

I would like to bring forth the following concerns that I had with the HTTP vs SSL/TLS ballot. The goal/plan is to discuss further on the reflector and vote on it during the face-to-face meeting.

 

From my  understanding, the things we need to vote are:

 

1.       Use

a.       HTTPS OR

b.      SSL/TLS

over TCP to prove server authenticity and ensure privacy of the channel.

2.       Mandate the use of X509 certificates to prove client authenticity (Currently section 10)

 

#2 is the contentious issue as it deviates from the foundation of the spec/profiles which is to allow for a vast variety of devices with differing threat models and deployment scenarios to use KMIP but the lack of a mandatory authentication type would go against interoperability.

 

So, given that, here is what I propose:

 

·         Client authentication is dictated by profiles – i.e. a profile is free to choose whatever authentication mechanisms it would like to support

·         Section 10 of the spec would remove the sentence which states normatively that clients are authenticated using certificates

·         Base profile would mandate client authentication using X509 certificates (for now, let us leave the details on which attributes of the certificate should be used for authentication and just stick to the key). The contents of the Credential object in this scenario SHALL be ignored. This would ensure that we have an interoperable way of ensuring client authenticity.

·         Other extended profiles would be free to choose the authentication flavors that they would like to support by enumerating the Credential object.

 

Questions/Comments?

 

Thanks,

-Subhash.