kmip message

Subject: Additional clarity around KMIP object owner

Although we've clarified KMIP client/server authentication in the KMIP Profiles document, I think the concept of "owner of KMIP object" needs to be tied a bit more tightly to the authentication.

I propose this language be added as section 3.1.4 in the Profiles doc:

3.1.4 Object Ownership

KMIP objects have an owner. The KMIP server SHALL interpret the Credential object as the identity of the requestor if such a Credential is specified in the request. If a Credential object is not specified, KMIP SHALL use the certificate passed in the channel binding (or some unique value derived from the certificate or its components) as the identity of the requestor. For those KMIP requests that result in new managed objects this identity SHALL be used as the owner of the managed object. For those operations that only access pre-existent managed objects, this identity SHALL be checked against the owner, and access SHALL be controlled as detailed in section 3.13 of [KMIP].

Bruce A Rich
brich at-sign us dot ibm dot com
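The proposed ownership rule, worked through as an added example that is not part of the original message and not KMIP project code: identity resolution prefers the request's Credential and falls back to the channel-bound client certificate, the resolved identity is stamped on every newly created managed object, and later access is checked against that owner. Assumptions: the "unique value derived from the certificate" is modelled as a SHA-256 fingerprint of the certificate's DER bytes, the access policy stands in for the rules of section 3.13 of [KMIP] with a simple owner-only check, and the certificate bytes, object identifiers and class names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Request:
    """What the server knows about a requestor (constructed model, not the KMIP wire format)."""
    credential: Optional[str]           # identity carried in a KMIP Credential object, if any
    channel_cert_der: Optional[bytes]   # DER of the client certificate from the TLS channel binding, if any


@dataclass
class ManagedObject:
    uid: str
    owner: str      # identity of the requestor that created the object
    payload: bytes


def resolve_identity(req: Request) -> str:
    """Apply the proposed precedence: Credential first, channel-bound certificate second."""
    if req.credential is not None:
        return req.credential
    if req.channel_cert_der is None:
        # Neither source of identity is present: the requestor cannot own or access anything.
        raise PermissionError("requestor is unidentified: no Credential and no channel-bound certificate")
    # Assumption: derive a stable unique value from the certificate by hashing its DER encoding.
    return "cert:" + hashlib.sha256(req.channel_cert_der).hexdigest()


class KmipObjectStore:
    """Minimal in-memory store that enforces ownership on create and on access."""

    def __init__(self) -> None:
        self._objects: Dict[str, ManagedObject] = {}
        self._next_uid = 1

    def create(self, req: Request, payload: bytes) -> str:
        """Operations that produce a new managed object record the requestor's identity as owner."""
        owner = resolve_identity(req)
        uid = f"obj-{self._next_uid}"    # constructed identifier scheme
        self._next_uid += 1
        self._objects[uid] = ManagedObject(uid=uid, owner=owner, payload=payload)
        return uid

    def can_access(self, req: Request, uid: str) -> bool:
        """Owner-only policy (assumption standing in for section 3.13 of [KMIP]).

        Unknown objects and foreign objects are refused alike, so a caller cannot probe
        for the existence of objects it does not own.
        """
        try:
            requestor = resolve_identity(req)
        except PermissionError:
            return False
        obj = self._objects.get(uid)
        return obj is not None and obj.owner == requestor

    def get(self, req: Request, uid: str) -> ManagedObject:
        """Operations on pre-existing objects check the resolved identity against the owner."""
        if not self.can_access(req, uid):
            raise PermissionError(f"access denied to {uid}")
        return self._objects[uid]


# Constructed stand-ins for client certificates; these are not real DER-encoded certificates.
CLIENT_A_CERT = b"constructed-placeholder-certificate-A"
CLIENT_B_CERT = b"constructed-placeholder-certificate-B"


if __name__ == "__main__":
    store = KmipObjectStore()
    by_credential = Request(credential="alice", channel_cert_der=CLIENT_A_CERT)
    by_cert_only = Request(credential=None, channel_cert_der=CLIENT_A_CERT)
    uid = store.create(by_credential, b"key-material")
    print(uid, "owner:", store.get(by_credential, uid).owner)
    print("cert-only requestor can read it:", store.can_access(by_cert_only, uid))
```

Note that a request carrying both a Credential and a client certificate resolves to the Credential identity, so an object created that way is not reachable by the same client presenting only its certificate: the two identities are distinct under the proposed rule, which is the behaviour the example's last line demonstrates.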
