OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

kmip message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Comments on the KMIP Use Cases document


I have been going through the Use Cases document and found a few inconsistencies. Please see my comments below. I also have a few comments on the KMIP spec and a minor editorial comment on the Profiles document. My apologies for not putting these comments in a spreadsheet. I just wanted to send these out before the call tomorrow morning.


P.5: states "...the following use-case scenarios is performed with TTLV encoding over the http transport". Is this still the case? This would also not be inline with the spec. 

P.14: Create a 3DES key instead of a DES key.

P.18: Use-case 3.1.3 performs a Locate on a deleted object by specifying the Unique ID of the destroyed object. The Response of the Locate is empty. We need to clarify that these use-cases assume that the objects get deleted during a Destroy and that this behavior may vary depending on the server's policy. Note that this would mean that the Destroy Date will never be set by these use-cases. Section 12.1 of the KMIP spec, however, requires a server to support this attribute.

P 19: Reword "Here, the identities of the two clients are not considered and since we do not include an Authentication field in the header, they could also be considered to be the same client."

P.31: Change Result Status Failed to "Operation Failed"; change Result Message to "Object does not exist".

P.33: Change Result Status Failed to "Operation Failed"; change Result Message to "Object does not exist". Template is not a cryptographic object.

P.33: Missing "to" in "the client is unable force"

P.46: Activation date is set to 1970. AES did not exist in 1970. Also, does it make sense for the activation date to occur before the initial date?

P.77 (8.1): The Cryptographic Usage Mask should not be set as a common attribute for asymmetric keys.

P.78 (8.2): The Cryptographic Usage Mask should not be set to 0000000C (encrypt & decrypt) for both the private and public key. Private key should either be used for decryption or signing and public key for encryption or signature verification (map accordingly).

P.80 (9.2): text says "Create a new symmetric key with a name". The example does not specify a name.

P.80 (9.2): Change state "Deactive" to "Deactivated" in two places

The use cases do not cover all the conformance clauses as specified in Section 12 of the KMIP spec or Section 4 of the Profiles document. In particular, the following are not mapped to any use cases:
1.	Credential
2.	Cryptographic Parameters
3.	Default Operation Policy
4.	Destroy Date
5.	Archive Date
6.	Check
7.	Activate
8.	Query
9.	Maximum Response Size
10.	Batch Error Continuation Option
11.	Supports Authentication (Section 8 in KMIP spec)
12.	Supports at least one of the profiles defined in the KMIP Profiles Specification
13.	None of the clauses from Secret Data Server KMIP Profile
14.	Process Start Date, Protect Stop Date, 3DES, Transparent Symmetric Key from the Basic Symmetric Key Store and Server KMIP Profile
15.	3DES and Transparent Symmetric Key from the Basic Symmetric Key Foundry and Server KMIP Profile

KMIP Profiles

P.15, 4.1.2: Remove "4. As listed in the KMIP server conformance clauses ([KMIP-Spec] 12.1)"

KMIP Specification

P.76, 4.20: According to the state diagram (Figure 1), an active key cannot be destroyed. This should be mentioned in Section 4.20.

P.128, 12.1: If a server completely deletes an object during a destroy, the Destroy Date will never be set. How can these servers support this attribute?

P.128, 12.1 Does it make sense for Archive Date to be listed in the conformance clause if the Archive operation is not included in Section 12.1?

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]