Subject: Fw: [kmip] Additional clarity around KMIP object owner
- From: Bruce Rich <brich@us.ibm.com>
- To: kmip@lists.oasis-open.org
- Date: Wed, 14 Oct 2009 20:02:16 -0500
It's been pointed out that the spec uses the term "creator" rather than "owner" (thanks, Steve and Marko), so better text might be:

3.1.4 Relationship between credential and object creator
KMIP objects have a creator. The KMIP server SHALL interpret the
Credential object as the identity of the requestor if such a Credential
is specified in the request. If a Credential object is not specified,
KMIP SHALL use the certificate passed in the channel binding (or some unique
value derived from the certificate or its components) as the identity of
the requestor. For those KMIP requests that result in new managed
objects this identity SHALL be used as the creator of the managed object.
For those operations that only access pre-existent managed objects,
this identity SHALL be checked against the creator, and access SHALL be
controlled as detailed in section 3.13 of [KMIP].
And I'll refrain from talking the "creator endowed with certain unalienable
rights...", but I really wanted to slip that in there somewhere.
Bruce A Rich
brich at-sign us dot ibm dot com
----- Forwarded by Bruce Rich/Austin/IBM on 10/14/2009 07:52 PM -----
From: Bruce Rich/Austin/IBM@IBMUS
To: kmip@lists.oasis-open.org
Date: 10/14/2009 12:51 PM
Subject: [kmip] Additional clarity around KMIP object owner
Although we've clarified KMIP client/server authentication in the KMIP
Profiles document, I think the concept of "owner of KMIP object"
needs to be tied a bit more tightly to the authentication.
I propose this language be added as section 3.1.4 in the Profiles doc:
3.1.4 Object Ownership
KMIP objects have an owner. The KMIP server SHALL interpret the Credential
object as the identity of the requestor if such a Credential is specified
in the request. If a Credential object is not specified, KMIP SHALL
use the certificate passed in the channel binding (or some unique value
derived from the certificate or its components) as the identity of the
requestor. For those KMIP requests that result in new managed objects
this identity SHALL be used as the owner of the managed object. For
those operations that only access pre-existent managed objects, this identity
SHALL be checked against the owner, and access SHALL be controlled as detailed
in section 3.13 of [KMIP].
Bruce A Rich
brich at-sign us dot ibm dot com
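The proposed text above describes a two-step rule: resolve the requestor's identity (Credential in the request if present, otherwise a unique value derived from the channel-binding certificate), then either record that identity as the creator of a newly created object or check it against the creator of an existing one. The following is an added illustration of that rule as a server would enforce it; it is not code from the message, from the KMIP specification, or from any KMIP implementation. It assumes a SHA-256 fingerprint of the DER bytes as the "unique value derived from the certificate", assumes that a request carrying neither a Credential nor a certificate is rejected (the text does not say), uses constructed byte strings in place of real certificates, and stands in for the section 3.13 access rules with a plain creator-equality check.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample certificates: stand-ins for DER-encoded X.509 blobs.
CERT_ALICE = b"constructed-der-cert-for-alice"
CERT_MALLORY = b"constructed-der-cert-for-mallory"


@dataclass
class Credential:
    """Simplified stand-in for a KMIP Credential (e.g. Username and Password)."""
    username: str


@dataclass
class Request:
    operation: str                              # "Create" or "Get"
    credential: Optional[Credential] = None     # Credential in the request, if any
    channel_cert_der: Optional[bytes] = None    # certificate from the TLS channel binding
    unique_identifier: Optional[str] = None     # target object for access operations
    object_type: str = "SymmetricKey"


@dataclass
class ManagedObject:
    unique_identifier: str
    object_type: str
    creator: str                                # identity recorded at creation time


class Unauthenticated(Exception):
    pass


class AccessDenied(Exception):
    pass


def requestor_identity(req: Request) -> str:
    """Resolve the requestor identity in the order the proposed text gives:
    a Credential in the request wins; otherwise a value derived from the
    channel-binding certificate (assumption: its SHA-256 fingerprint)."""
    if req.credential is not None:
        return "cred:" + req.credential.username
    if req.channel_cert_der is not None:
        return "cert-sha256:" + hashlib.sha256(req.channel_cert_der).hexdigest()
    # Assumption: the text says nothing about requests with neither; reject them.
    raise Unauthenticated("no Credential and no channel-binding certificate")


class KmipServer:
    """Toy server that records a creator on Create and enforces it on access."""

    def __init__(self) -> None:
        self._objects: Dict[str, ManagedObject] = {}
        self._next_id = 1

    def handle(self, req: Request) -> ManagedObject:
        identity = requestor_identity(req)
        if req.operation == "Create":
            uid = str(self._next_id)
            self._next_id += 1
            obj = ManagedObject(uid, req.object_type, creator=identity)
            self._objects[uid] = obj
            return obj
        # Every other operation here only touches a pre-existent object.
        obj = self._objects.get(req.unique_identifier or "")
        if obj is None:
            raise KeyError(f"no managed object {req.unique_identifier!r}")
        if obj.creator != identity:
            # Stand-in for the section 3.13 access rules: creator must match.
            raise AccessDenied(f"{identity} is not the creator of {obj.unique_identifier}")
        return obj


def demo() -> Dict[str, object]:
    """Run the scenarios implied by the proposed text and return the outcomes."""
    server = KmipServer()
    out: Dict[str, object] = {}
    # Create with a Credential present: the Credential, not the cert, becomes creator.
    key = server.handle(Request("Create", Credential("alice"), CERT_ALICE))
    out["creator_with_credential"] = key.creator
    # Create with only the channel certificate.
    cert_key = server.handle(Request("Create", channel_cert_der=CERT_ALICE))
    out["creator_cert_only"] = cert_key.creator
    # The same Credential reads its own object.
    out["owner_get"] = server.handle(
        Request("Get", Credential("alice"), unique_identifier=key.unique_identifier)
    ).unique_identifier
    # Alice's cert alone is a different identity from "cred:alice", so it is denied
    # on the Credential-created object: clients must authenticate consistently.
    try:
        server.handle(Request("Get", channel_cert_der=CERT_ALICE, unique_identifier=key.unique_identifier))
        out["cert_on_cred_object"] = "allowed"
    except AccessDenied:
        out["cert_on_cred_object"] = "denied"
    # Mallory's certificate cannot read the object Alice's certificate created.
    try:
        server.handle(Request("Get", channel_cert_der=CERT_MALLORY, unique_identifier=cert_key.unique_identifier))
        out["mallory_get"] = "allowed"
    except AccessDenied:
        out["mallory_get"] = "denied"
    # No Credential and no certificate: rejected before any object lookup.
    try:
        server.handle(Request("Get", unique_identifier=key.unique_identifier))
        out["anonymous"] = "allowed"
    except Unauthenticated:
        out["anonymous"] = "rejected"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

One consequence worth seeing in the fourth scenario: because the rule picks the Credential whenever one is present, an object created over a Credential-bearing request and later accessed over a certificate-only request from the same client resolves to two different identities and fails the creator check. A deployment that mixes both authentication forms needs a mapping between them, which the proposed text leaves to the server.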