

Subject: RE: [kmip] Groups - Client Registration Proposal - Examples (2) (Client_Registration_Examples-E.ppt) uploaded


Bob,

Many thanks for reviewing the proposal and your comments. My comments are below, marked with [DP].

Regards,
Denis

-----Original Message-----
From: Bob.Nixon@Emulex.Com [mailto:Bob.Nixon@Emulex.Com] 
Sent: Wednesday, May 18, 2011 3:23 PM
To: Pochuev,Denis; kmip@lists.oasis-open.org
Subject: RE: [kmip] Groups - Client Registration Proposal - Examples (2) (Client_Registration_Examples-E.ppt) uploaded

Hi, Denis, here are a few comments:

 - In table 68, several operations are “Allowed to Entity only”. This would appear to be inconsistent with the statement on page 4 of the Examples document, that “Clients can register themselves (self-registration) or other clients using certificates or username/passwords”. A privileged Entity (e.g., software operated by a system admin) that registered a less privileged Entity (e.g., me) would then lose control of it, and the created Entity would gain control. Should this table instead show “owner” as being allowed the sensitive operations? This would require a change to table 112, as well, to allow Entity objects to have an Owner attribute.
[DP] This is a great observation, we do have a problem with losing control over registered entities. I admit, I have not thought through the whole Entity creating another Entity concept in enough detail to be comfortable. For example, if you register an Entity and that Entity creates a bunch of Objects, should you have access to those Objects? Should Entity Operation Policy be extended to address Object access by the "parent Entities"?
For now I will make the changes you suggested and update the Entity definition (table 35) to require an Owner.

 - in line 973, do you mean “SHALL NOT” or in OASIS does “MAY NOT” have a defined meaning that you intend?
[DP] "SHALL NOT" is correct, thank you.

 - In table 115, “allowed to all” in the “Policy” column seems irrelevant. How would the Entity Policy attribute of an Entity apply to anything but the entity itself? The Policy would seem to be either “allowed” or “not allowed”.
[DP] The intent of the Entity Policy is to specify access rights to the Objects it owns. The goal of table 115 is to show that a normal Entity would be allowed to control everything it created, except registering other Entities. In other words, by default, an Entity is not an admin (or not allowed to be a parent of another Entity).

 - Table 113 seems to regress the table numbering.
[DP] I'll fix that, thanks!

 - Near the bottom of table 197, it appears that the tag for “Entity Identifier” has been deleted. Is that the intention?
[DP] Yes, it was intentional. If the "Entity Identifier" is moved from being a parameter of Locate to being an Attribute, we no longer need the tag value. However, I'm not convinced this is the change we want.

Thanks for carrying this work forward!
   - bob

-----Original Message-----
From: denis.pochuev@safenet-inc.com [mailto:denis.pochuev@safenet-inc.com] 
Sent: Tuesday, May 17, 2011 3:20 PM
To: kmip@lists.oasis-open.org
Subject: [kmip] Groups - Client Registration Proposal - Examples (2) (Client_Registration_Examples-E.ppt) uploaded

The document named Client Registration Proposal - Examples (2)
(Client_Registration_Examples-E.ppt) has been submitted by Mr. Denis
Pochuev to the OASIS Key Management Interoperability Protocol (KMIP) TC
document repository.

Document Description:
Update and clarifications following a review.

View Document Details:
http://www.oasis-open.org/committees/document.php?document_id=42202

Download Document:  
http://www.oasis-open.org/committees/download.php/42202/Client_Registration_Examples-E.ppt


PLEASE NOTE:  If the above links do not work for you, your email application
may be breaking the link into two pieces.  You may be able to copy and paste
the entire link address into the address field of your web browser.

-OASIS Open Administration

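The ownership problem Bob raises in his first point, and the default Entity Policy Denis describes for table 115, can be made concrete with a small access-control model. The following is an added illustration, not code from the KMIP Client Registration proposal or from the KMIP TC: the operation names, the two policy tables, the `owner` attribute and the `may_register_entities` flag are assumptions chosen to mirror the discussion, so the only thing it demonstrates is why an "Allowed to Entity only" row lets a registered Entity escape its registrar, and how an Owner-based row restores that control.

```python
"""Toy access-control model of the Entity ownership question in this thread.

Constructed example: the operation names, policy tables and attribute names
are assumptions standing in for the proposal's tables, not the real ones.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Who a policy row permits to perform the operation on a target Entity.
ENTITY_ONLY = "entity_only"  # only the target Entity itself
OWNER = "owner"              # the target Entity's Owner (which may be itself)
ALL = "all"                  # any registered Entity

# Hypothetical stand-ins for the policy table before and after the suggested change.
POLICY_ENTITY_ONLY: Dict[str, str] = {
    "Get Entity": ALL,
    "Modify Entity": ENTITY_ONLY,
    "Destroy Entity": ENTITY_ONLY,
}
POLICY_OWNER: Dict[str, str] = {
    "Get Entity": ALL,
    "Modify Entity": OWNER,
    "Destroy Entity": OWNER,
}


@dataclass
class Entity:
    identifier: str
    owner: str                           # assumed Owner attribute: the registrar, or itself
    may_register_entities: bool = False  # assumed admin bit; off for a normal Entity


class Server:
    def __init__(self, policy: Dict[str, str]) -> None:
        self.policy = policy
        self.entities: Dict[str, Entity] = {}

    def register(self, requester: Optional[str], new_id: str, admin: bool = False) -> Entity:
        """Register an Entity. requester=None models self-registration with a
        credential the server already trusts (certificate or username/password)."""
        if requester is not None and not self.entities[requester].may_register_entities:
            raise PermissionError(f"{requester} is not allowed to register other Entities")
        owner = requester if requester is not None else new_id
        self.entities[new_id] = Entity(new_id, owner, admin)
        return self.entities[new_id]

    def allowed(self, requester: str, operation: str, target_id: str) -> bool:
        """Evaluate one policy row for requester acting on target_id."""
        rule = self.policy[operation]
        target = self.entities[target_id]
        if rule == ALL:
            return True
        if rule == ENTITY_ONLY:
            return requester == target_id
        if rule == OWNER:
            return requester == target_id or requester == target.owner
        raise ValueError(f"unknown rule {rule!r}")


def scenario(policy: Dict[str, str]) -> Dict[str, bool]:
    """An admin self-registers, then registers 'bob'. Who may then do what?"""
    server = Server(policy)
    server.register(None, "admin", admin=True)
    server.register("admin", "bob")
    try:
        server.register("bob", "carol")  # a normal Entity must not become a parent
        bob_can_register = True
    except PermissionError:
        bob_can_register = False
    return {
        "admin_can_modify_bob": server.allowed("admin", "Modify Entity", "bob"),
        "bob_can_modify_self": server.allowed("bob", "Modify Entity", "bob"),
        "bob_can_modify_admin": server.allowed("bob", "Modify Entity", "admin"),
        "bob_can_register_entities": bob_can_register,
    }


if __name__ == "__main__":
    for name, policy in (("entity only", POLICY_ENTITY_ONLY), ("owner", POLICY_OWNER)):
        print(name, scenario(policy))
```

With the entity-only table the admin that registered `bob` can no longer modify or destroy it, which is exactly the loss of control described above; with the owner table the admin keeps those rights while `bob` still cannot touch the admin or register further Entities. The open question in the thread, whether a parent should also reach the Objects its child creates, is deliberately not modelled here, since the proposal had not settled it.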



