

Subject: RE: KMIP as a TTLV message format only...


There are other applications too: I know of several Government applications where KMIP is interesting but is currently blocked specifically because of this TLS property.  As I (and Landon, and others) said at the time it was baked in at the face-to-face all that time ago, it was a good pragmatic shortcut at the time, but we need to be able to do away with it eventually and support other transport security options as well as inherently secure keyblocks.

I thought we had mentioned this and excluded it from 1.1, but we need to keep the awareness up.  So by all means shoot Bob, but make sure they're only tranquilizer darts, because this is going to come up again.

Jon

-----Original Message-----
From: Lockhart, Robert [mailto:Robert.Lockhart@thalesesec.com]
Sent: 22 July 2011 02:09
To: kmip@lists.oasis-open.org
Subject: [kmip] KMIP as a TTLV message format only...

All,

I was looking through the Profiles v1.1 draft 02 and realized we were still requiring IP and TLS.  I was hoping we could start to remove them as a requirement unless using TCP/IP as the transport and network layer protocols respectively.

This is something that concerns T11, which may not have TCP/IP available to the end point, and X9, who do not use TLS for their link encryption (I don't think they support AES yet either but are still using 3DES for most symmetric operations).  While most servers will sit on IP networks, the clients may not, and by keeping the normative to only the TTLV messaging portions with TLS as a requirement for when using TCP/IP, we allow other organizations better control of their own datalink, network and transport (layer 2, 3 & 4) protocols.

Is there some way to consider this for 1.1 so as to allow for potentially more outside profile development for KMIP 1.1 and later?  It may be opening a can of worms but if we can make recommendations versus SHALL statements for this I think it will ease adoption.

Comments are greatly appreciated but please keep the caliber of the bullets to small bore if possible.

Bob L.

Robert A. (Bob) Lockhart
Senior Solutions Architect
THALES Information Systems Security
