kmip message
Subject: More rekey questions
- From: Bruce Rich <brich@us.ibm.com>
- To: kmip@lists.oasis-open.org, kmip-interop-tech@lists.oasis-open.org
- Date: Wed, 13 Mar 2013 21:44:30 -0500
And while I'm on the topic of rekey, I must confess I'm a little mystified as to the meaning of lines 1155 and 1156, which state "If no Offset is specified, the Activation Date, Process Start Date, Protect Stop Date and Deactivation Date values are copied from the existing key."

If the original key is already deactivated, then a rekey without an offset will cause the Deactivation Date to be copied to the new key, so we will now have two deactivated keys. Not terribly useful.

Somewhat less poignant is the Protect Stop Date already being in the past, but that being copied to the rekeyed key also leads to the rekeyed key being useless.

And since the offset is an optional parameter, does "no Offset specified" mean an offset of zero, or a null parameter? The test cases (9.3) talk about an offset of zero but show the use of a null instead. One could argue that an offset of zero has a quite different effect than a null, as an offset of zero means that one sets an Initial Date for the rekey to be now, then sets the rekey activation time to be now + offset (now+0=now), then adjusts the start+stop+deact to be the originals plus the difference in the activation times.
Bruce A Rich
brich at-sign us dot ibm dot com
----- Forwarded by Bruce Rich/Austin/IBM on 03/13/2013 08:57 PM -----
From: Bruce Rich/Austin/IBM@IBMUS
To: kmip@lists.oasis-open.org
Date: 03/07/2013 04:14 PM
Subject: [kmip] Rekey vs Object Group
Sent by: <kmip@lists.oasis-open.org>
The ReKey and ReKeyKeyPair operations have an impact on the Object Group attribute. The exact nature of that impact is a bit vague. Table 108 says that Object Group is "implicitly set" when a key is rekeyed, or keypairs are rekeyed, but neither of the operations sections (4.4 and 4.5) mentions the Object Group attribute in the description of their operation.

I would imagine that the new version of the key picks up the Object Group attribute from the old, and the old version no longer references that Object Group ("the key is dead, long live the key"). But it would probably be better if the world were not at the mercy of my imagination.

Am I overlooking clear direction in the spec?
Bruce A Rich
brich at-sign us dot ibm dot com
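To make the two readings in the rekey question concrete, here is an added example (written for this page; it is not code from the message, from OASIS or from any KMIP implementation). It models in plain Python the date handling the message describes: with no Offset, the four lifecycle dates are copied verbatim from the existing key; with an Offset (zero included), Initial Date becomes now, Activation Date becomes now + offset, and the remaining dates are the originals shifted by the difference between the new and old Activation Dates. A second function turns the author's complaint into a check a key-management client or server could run: a freshly rekeyed key whose Deactivation Date or Protect Stop Date is already in the past. The `KeyDates` type, the function names and the sample dates are all assumptions constructed for the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class KeyDates:
    """Lifecycle dates discussed in the message (hypothetical model type,
    not a type from any KMIP library)."""
    initial: datetime
    activation: datetime
    process_start: Optional[datetime] = None
    protect_stop: Optional[datetime] = None
    deactivation: Optional[datetime] = None


def _shift(d: Optional[datetime], delta: timedelta) -> Optional[datetime]:
    """Shift a date by delta, leaving an unset date unset."""
    return None if d is None else d + delta


def rekey_dates(old: KeyDates, offset: Optional[timedelta], now: datetime) -> KeyDates:
    """Derive the rekeyed key's dates from the existing key's dates.

    offset=None models "no Offset specified" as the quoted spec text reads:
    Activation, Process Start, Protect Stop and Deactivation are copied
    unchanged.  A timedelta (including zero) models the offset path the
    message describes: Initial Date = now, Activation Date = now + offset,
    and the other dates are the originals plus the difference between the
    new and the old Activation Dates.
    """
    if offset is None:
        return replace(old, initial=now)
    new_activation = now + offset
    delta = new_activation - old.activation
    return KeyDates(
        initial=now,
        activation=new_activation,
        process_start=_shift(old.process_start, delta),
        protect_stop=_shift(old.protect_stop, delta),
        deactivation=_shift(old.deactivation, delta),
    )


def lifecycle_problems(k: KeyDates, now: datetime) -> List[str]:
    """The author's two objections as checkable findings on a rekeyed key."""
    problems = []
    if k.deactivation is not None and k.deactivation <= now:
        problems.append("deactivation date already passed")
    if k.protect_stop is not None and k.protect_stop <= now:
        problems.append("protect stop date already passed")
    return problems


# Constructed sample: a key activated at the start of 2012 whose Protect Stop
# and Deactivation Dates have both passed by the time it is rekeyed in March 2013.
OLD = KeyDates(
    initial=datetime(2012, 1, 1, tzinfo=UTC),
    activation=datetime(2012, 1, 1, tzinfo=UTC),
    process_start=datetime(2012, 1, 1, tzinfo=UTC),
    protect_stop=datetime(2012, 12, 31, tzinfo=UTC),
    deactivation=datetime(2013, 1, 1, tzinfo=UTC),
)
NOW = datetime(2013, 3, 13, tzinfo=UTC)
ZERO = timedelta(0)           # "offset of zero"
ONE_WEEK = timedelta(days=7)  # a non-zero offset, for contrast


if __name__ == "__main__":
    for label, offset in (("no offset", None), ("offset 0", ZERO), ("offset 7d", ONE_WEEK)):
        new = rekey_dates(OLD, offset, NOW)
        print(f"{label:10s} activation={new.activation.date()} "
              f"deactivation={new.deactivation.date()} problems={lifecycle_problems(new, NOW)}")
```

Run as a script, the "no offset" row reports both problems, while "offset 0" and "offset 7d" report none because every lifecycle date moves forward by the same amount the Activation Date did. The check is deliberately run against the rekeyed key rather than the original: a server that copies dates verbatim can produce a key that is unusable from the moment it exists, and that is the condition worth flagging at the point of rekey.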