Re: [kmip] Groups - T11 profile for EAP/GPSK/FC-SP-2 (11-022v2.pdf)uploaded

[Tim Hudson <tjh@cryptsoft.com>]

On 20/05/2011 12:14 PM, david.black@emc.com wrote:
> Tim,
> 
>> The argument expressed is basically taking a position that the credentials
>> structure should be removed from KMIP (if it can never differ then why include
>> it at all) and that I don't think that would gain the support of the TC.
> 
> Not exactly ;-).
> 
> As the expresser of the argument, I observe that a specific profile is under discussion,
> not KMIP in general.  The argument is expressing the position that for this profile's
> intended Fibre Channel usage, the notions of user and system coincide (if there even is
> a notion of user), and hence the profile should not permit them to differ.

Thanks for the expansion - I'd suggest then the 'right' solution for this
profile then is to *exclude* the use of the credentials structure entirely -
i.e. any request including credentials should be simply rejected. Including a
note within the profile as to the context of why this has been included would be
useful.

That is the simple solution - and one I think would be well suited to that
context - and be sufficiently simple to implement and avoid the whole current
discussion on mapping between the client authentication information from the TLS
link through to the many and varied forms of 'credential' in the context of KMIP.

It is also important I think to provide some mechanism whereby the server can
indeed determine that the client is requesting to operate within this 'profile'
so that such things can be enforced - however that is not something which any of
the profiles to date have tackled.

Tim.