Subject: RE: [kmip] Groups - Client Registration Proposal - Examples (2) (Client_Registration_Examples-E.ppt) uploaded
Bob,

Many thanks for reviewing the proposal and your comments. My comments are below, marked with [DP].

Regards,
Denis

-----Original Message-----
From: Bob.Nixon@Emulex.Com [mailto:Bob.Nixon@Emulex.Com]
Sent: Wednesday, May 18, 2011 3:23 PM
To: Pochuev,Denis; kmip@lists.oasis-open.org
Subject: RE: [kmip] Groups - Client Registration Proposal - Examples (2) (Client_Registration_Examples-E.ppt) uploaded

Hi, Denis, here are a few comments:

- In table 68, several operations are “Allowed to Entity only”. This would appear to be inconsistent with the statement on page 4 of the Examples document, that “Clients can register themselves (self-registration) or other clients using certificates or username/passwords”. A privileged Entity (e.g., software operated by a system admin) that registered a less privileged Entity (e.g., me) would then lose control of it, and the created Entity would gain control. Should this table instead show “owner” as being allowed the sensitive operations? This would require a change to table 112, as well, to allow Entity objects to have an Owner attribute.

[DP] This is a great observation; we do have a problem with losing control over registered entities. I admit I have not thought through the whole Entity-creating-another-Entity concept in enough detail to be comfortable. For example, if you register an Entity and that Entity creates a bunch of Objects, should you have access to those Objects? Should Entity Operation Policy be extended to address Object access by the "parent Entities"? For now I will make the changes you suggested and update the Entity definition (table 35) to require an Owner.

- In line 973, do you mean “SHALL NOT”, or in OASIS does “MAY NOT” have a defined meaning that you intend?

[DP] "SHALL NOT" is correct, thank you.

- In table 115, “allowed to all” in the “Policy” column seems irrelevant. How would the Entity Policy attribute of an Entity apply to anything but the entity itself? The Policy would seem to be either “allowed” or “not allowed”.

[DP] The intent of the Entity Policy is to specify access rights to the Objects it owns. The goal of table 115 is to show that a normal Entity would be allowed to control everything it created, except registering other Entities. In other words, by default, an Entity is not an admin (or not allowed to be a parent of another Entity).

- Table 113 seems to regress the table numbering.

[DP] I'll fix that, thanks!

- Near the bottom of table 197, it appears that the tag for “Entity Identifier” has been deleted. Is that the intention?

[DP] Yes, it was intentional. If the "Entity Identifier" is moved from being a parameter of Locate to being an Attribute, we no longer need the tag value. However, I'm not convinced this is the change we want.

Thanks for carrying this work forward!

- bob

-----Original Message-----
From: denis.pochuev@safenet-inc.com [mailto:denis.pochuev@safenet-inc.com]
Sent: Tuesday, May 17, 2011 3:20 PM
To: kmip@lists.oasis-open.org
Subject: [kmip] Groups - Client Registration Proposal - Examples (2) (Client_Registration_Examples-E.ppt) uploaded

The document named Client Registration Proposal - Examples (2) (Client_Registration_Examples-E.ppt) has been submitted by Mr. Denis Pochuev to the OASIS Key Management Interoperability Protocol (KMIP) TC document repository.

Document Description:
Update and clarifications following a review.

View Document Details:
http://www.oasis-open.org/committees/document.php?document_id=42202

Download Document:
http://www.oasis-open.org/committees/download.php/42202/Client_Registration_Examples-E.ppt

PLEASE NOTE: If the above links do not work for you, your email application may be breaking the link into two pieces. You may be able to copy and paste the entire link address into the address field of your web browser.
-OASIS Open Administration
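To make the table 68 concern from the thread concrete, here is a small added Python model of the two access rules under discussion; it is constructed for this page and is not code from the proposal, the TC, or any KMIP implementation. The operation names, the Owner attribute semantics (the "owner" variant is read as owner-only access), the bootstrap admin Entity, and the creator-only rule for Objects are all assumptions chosen to illustrate the review points, not the proposal's actual tables.

```python
from dataclasses import dataclass
from typing import Dict, Optional

SENSITIVE_ENTITY_OPS = {"Modify Entity", "Revoke Entity", "Delete Entity"}  # hypothetical names

@dataclass
class Entity:
    name: str
    owner: Optional[str] = None  # hypothetical Owner attribute: the Entity that registered this one
    can_register: bool = False   # default Entity Policy: controls its own Objects, cannot register Entities

class Server:
    def __init__(self, owner_controls: bool) -> None:
        # False = "Allowed to Entity only" (table 68 as reviewed); True = Bob's "allowed to Owner".
        self.owner_controls = owner_controls
        self.entities: Dict[str, Entity] = {"admin": Entity("admin", can_register=True)}  # bootstrap
        self.objects: Dict[str, str] = {}  # object id -> creating Entity

    def register(self, actor: str, new_name: str) -> bool:
        """Register another client as a new Entity owned by the actor, if the actor's policy allows."""
        if not self.entities[actor].can_register or new_name in self.entities:
            return False
        self.entities[new_name] = Entity(new_name, owner=actor)
        return True

    def allowed_on_entity(self, actor: str, target: str, op: str) -> bool:
        """Sensitive operation on an Entity object: the Entity itself, or (assumed) only its Owner."""
        if op not in SENSITIVE_ENTITY_OPS:
            return True
        return actor == self.entities[target].owner if self.owner_controls else actor == target

    def create_object(self, actor: str, obj_id: str) -> None:
        self.objects[obj_id] = actor

    def allowed_on_object(self, actor: str, obj_id: str) -> bool:
        # Creator controls its Objects; parent-Entity access is the thread's open question, so "no" here.
        return self.objects[obj_id] == actor

def loss_of_control_demo(owner_controls: bool) -> Dict[str, bool]:
    srv = Server(owner_controls)
    if not srv.register("admin", "denis"):
        raise RuntimeError("bootstrap admin must be able to register")
    srv.create_object("denis", "key-1")
    return {
        "admin_can_revoke_denis": srv.allowed_on_entity("admin", "denis", "Revoke Entity"),
        "denis_can_revoke_self": srv.allowed_on_entity("denis", "denis", "Revoke Entity"),
        "denis_can_register": srv.register("denis", "another-client"),
        "denis_controls_key": srv.allowed_on_object("denis", "key-1"),
    }
```

Running `loss_of_control_demo(False)` shows the admin unable to revoke the Entity it registered, which is exactly the loss of control the review raises; `loss_of_control_demo(True)` restores that control to the owner, while the default policy still keeps the registered Entity from registering further Entities.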