Subject: Asymmetric Key Profiles and Associated Proposed Changes to KMIP


At yesterday's OASIS TC call I promised to send out an email to
summarize the KMIP Asymmetric Key Profiles body of work and remind all
of you on the committee to review and provide comments on the profiles
document and the associated modification proposals via this email list.

The "Basic Asymmetric Key Profiles" document was posted on November 5,
2009 to the KMIP OASIS TC site.
Please see
http://www.oasis-open.org/committees/document.php?document_id=35010

The Basic Asymmetric Key Profiles document includes five separate
profiles namely:

1.  Basic Asymmetric Key Store (section 1.1):  Key pairs are generated
external to the server and are sent to the server for storage (perhaps
for key escrow reasons or for ease of distribution to other entities).
This profile only requires support for the Register operation.  No
support for certificates is imposed on the server.

2.  Basic Asymmetric Key and Certificate Store (section 1.2):  Key pairs
and certificates are generated external to the server and are sent to
the server for storage (perhaps for key escrow reasons or for ease of
distribution to other entities).  This profile only requires support for
the Register operation.  [May need to make vaulting of dig sig/non-rep
only keys optional to avoid controversy over whether this type of keys
should be held away from the owner of the keys.]

3.  Basic Asymmetric Key Foundry and Server (section 1.3):  Key
pairs (but not certificates) are generated by the server.  This profile
only requires support for the Create Key Pair and Rekey (which is
modified to support asymmetric keys) operations.

4.  Basic Certificate Server (Section 1.4):  Key pairs are generated
external to the server (aka locally at the client) but the client would
contact the server to request a certificate to be generated -- either
directly by the KM or the KM proxies the request to a CA.  This profile
would support Certify and Re-certify.  [Optionally this profile could
support register for the key pairs.]

5.  Basic Asymmetric Key Foundry and Certificate Server (section 1.5):
Key pairs are generated by the server and the server would also handle
getting the corresponding certificates generated (either using its own
capabilities or by contacting a CA).  This profile would include the
Create Key Pair, Rekey (which is modified to support asymmetric keys),
Certify and Re-certify operations.
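The following is an added illustration, not code from this email or from any KMIP document: a small Python model of the five profiles listed above, mapping each profile name to the KMIP operations the email says it requires, with a helper that reports which profiles a server's advertised operation set satisfies and what is missing for a given profile. It also models the bracketed caveat under profile 2 as a server-side policy: a Register request for a private key whose only usage is digital signature / non-repudiation is refused unless the policy explicitly allows vaulting such keys. The dictionary layout, the usage-flag names, the policy function and the sample operation sets are assumptions constructed for this example.

```python
"""Added example: model of the Basic Asymmetric Key Profiles (profile names
and required operations taken from the email); data layout, usage-flag names
and the escrow policy are constructed assumptions, not KMIP definitions."""

# Operations each profile requires, as listed in the email.  Register is
# left out of profile 4 because the email only calls it optional there.
PROFILES = {
    "Basic Asymmetric Key Store": {"Register"},
    "Basic Asymmetric Key and Certificate Store": {"Register"},
    "Basic Asymmetric Key Foundry and Server": {"Create Key Pair", "Rekey"},
    "Basic Certificate Server": {"Certify", "Re-certify"},
    "Basic Asymmetric Key Foundry and Certificate Server": {
        "Create Key Pair", "Rekey", "Certify", "Re-certify"},
}


def profiles_satisfied(supported_ops):
    """Return (sorted) the profiles whose required operations are all in
    supported_ops, i.e. the profiles a server could claim conformance to."""
    ops = set(supported_ops)
    return sorted(name for name, required in PROFILES.items() if required <= ops)


def missing_for(profile, supported_ops):
    """Operations a server still lacks for the named profile."""
    return sorted(PROFILES[profile] - set(supported_ops))


# Constructed usage-flag names for the policy check (not KMIP enum values).
SIGN = "Sign"
NON_REPUDIATION = "NonRepudiation"
SIGNING_ONLY = {SIGN, NON_REPUDIATION}


def escrow_allowed(usage_mask, allow_signing_only=False):
    """Policy for profile 2's caveat: a key whose usage is only signing or
    non-repudiation is vaulted only if the deployment opts in, because an
    escrowed copy undermines the non-repudiation property of the key."""
    usage = set(usage_mask)
    if not usage:
        return False  # a key with no declared usage is refused outright
    if usage <= SIGNING_ONLY:
        return allow_signing_only
    return True


def register_private_key(supported_ops, usage_mask, allow_signing_only=False):
    """Simulated server-side handling of a Register request for a private
    key under profiles 1 and 2.  Returns (accepted, reason)."""
    if "Register" not in set(supported_ops):
        return (False, "Register operation not supported by this server")
    if not escrow_allowed(usage_mask, allow_signing_only):
        return (False, "signing-only key: vaulting refused by policy")
    return (True, "stored")


if __name__ == "__main__":
    # Constructed sample: a server that only implements key-pair generation.
    foundry_only = {"Create Key Pair", "Rekey"}
    print(profiles_satisfied(foundry_only))
    print(missing_for("Basic Certificate Server", foundry_only))
    print(register_private_key({"Register"}, [SIGN, NON_REPUDIATION]))
    print(register_private_key({"Register"}, [SIGN, "Decrypt"]))
```

A server claiming profile 5 automatically satisfies profiles 3 and 4 under this model, since its operation set is a superset of theirs; the policy function is where a deployment records its decision on the profile 2 question of whether signing-only keys may be held away from their owner.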


In support of the Basic Asymmetric Key Profiles document two proposals
for modifying the KMIP Specification and supporting documents (e.g.
Usage Guide) have been submitted:

1.  Proposal for Supporting Rekey of Asymmetric Key Pairs was
submitted on December 4, 2009
Please see
http://www.oasis-open.org/committees/document.php?document_id=35444

The proposal describes a new KMIP operation for rekeying asymmetric key
pairs and also outlines changes to the KMIP Spec and KMIP Usage Guide in
light of the addition of this new operation.

2.  Proposal for Making Submission of a Certificate Request in the
Certify and Re-certify Operations Optional was submitted on December 3,
2009
Please see
http://www.oasis-open.org/committees/document.php?document_id=35434

This proposal makes the inclusion of the Certificate Request attribute
and the associated Certificate Request Type attribute in the Certify and
Re-certify operations non-mandatory.

If anyone has questions please feel free to post to this mailing list or
contact me directly.

Judy Furlong

|Principal Product Manager|EMC Product Security Office|RSA -The Security
Division of EMC|
|t: 508 249 3698|e: Furlong_Judith@emc.com|

