

Subject: RE: [kmip] Groups - Client Registration (2)(kmip-1.0-spec-client-reg-d.doc) uploaded


Hi Denis,

I reviewed the spec changes and the updated proposal. Please see my comments below. Additional clarification and guidance should also be added to the Usage Guide, including examples. In addition, we need to update sections 3.1 (Authentication) and 3.1.1 (Credential) of the Usage Guide.

Thanks,
Indra

Spec changes:

1. Line 224 mentions that the Transport Certificate Credential Type instructs the server to extract the transport certificate (e.g., TLS client certificate) and derive the client's identity from it. The TLS handshake occurs prior to exchanging any KMIP messages. During the handshake, the server wouldn't know whether it is required to extract the client's identity from the transport certificate. The server becomes aware of any entity authentication requirements after successfully establishing a TLS session. What exactly is expected from the server? Also, when specifying the Authentication structure in the Message Header and specifying Credential Type Transport Certificate, no additional authentication will be performed by the server since the TLS session has already been established.

2. Line 483 mentions that Username and Credential certificates SHALL be unique within a given key management domain. Does this only apply to Credential certificates? Does this mean that if clients do not explicitly specify a transport certificate as a credential, the certificate does not have to be unique?

3. Table 68: Allows Get Attributes and Get Attribute List to all. This means that anyone can have access to the credential attribute(s). Do we want this?

4. Line 1003: What is the purpose of the Entity Identifier? Additional clarification is required in the spec and guidance in the Usage Guide.

5. For consistency, the Rules table for certain attributes (e.g., Entity Operation Policy Name and Entity Identifier) should say "Entity Objects" instead of "Entity".


Proposal comments:

Slide 5, implicit self-registration with cert: It is not clear from the example what exactly is being performed. If you are creating an entity, shouldn't you perform a Register? During the first Create Object, the entity is not being authenticated; during the second Create Object, authentication is performed using the transport cert (although the TLS session has already been established).

Slide 7: What happens if multiple credential attributes are specified for the entity (password and certificate)?

Slide 10: Can the name attribute of an entity and the username specified inside the credential attribute be different?

-----Original Message-----
From: denis.pochuev@safenet-inc.com [mailto:denis.pochuev@safenet-inc.com] 
Sent: Tuesday, May 17, 2011 3:58 PM
To: kmip@lists.oasis-open.org
Subject: [kmip] Groups - Client Registration (2) (kmip-1.0-spec-client-reg-d.doc) uploaded

The document named Client Registration (2) (kmip-1.0-spec-client-reg-d.doc)
has been submitted by Mr. Denis Pochuev to the OASIS Key Management
Interoperability Protocol (KMIP) TC document repository.

Document Description:
Spec with the client registration proposed changes

View Document Details:
http://www.oasis-open.org/committees/document.php?document_id=42203

Download Document:  
http://www.oasis-open.org/committees/download.php/42203/kmip-1.0-spec-client-reg-d.doc


PLEASE NOTE:  If the above links do not work for you, your email application
may be breaking the link into two pieces.  You may be able to copy and paste
the entire link address into the address field of your web browser.

-OASIS Open Administration

