Subject: More rekey questions


And while I'm on the topic of rekey, I must confess I'm a little mystified as to the meaning of lines 1155 and 1156, which state

"If no Offset is specified, the Activation Date, Process Start Date, Protect Stop Date and Deactivation Date values are copied from the existing key."

If the original key is already deactivated, then a rekey without an offset will cause the Deactivation Date to be copied to the new key, so we will now have two deactivated keys. Not terribly useful.
Somewhat less poignant is the Protect Stop Date already being in the past, but that being copied to the rekeyed key also leads to the rekeyed key being useless.

And since the offset is an optional parameter, does "no Offset specified" mean an offset of zero, or a null parameter?  The test cases (9.3) talk about an offset of zero but show the use of a null instead.  One could argue that an offset of zero has a quite different effect than a null, as an offset of zero means that one sets an Initial Date for the rekey to be now, then sets the rekey activation time to be now + offset (now+0=now), then adjusts the start+stop+deact to be the originals plus the difference in the activation times.

Bruce A Rich
brich at-sign us dot ibm dot com

----- Forwarded by Bruce Rich/Austin/IBM on 03/13/2013 08:57 PM -----

From: Bruce Rich/Austin/IBM@IBMUS
To: kmip@lists.oasis-open.org
Date: 03/07/2013 04:14 PM
Subject: [kmip] Rekey vs Object Group
Sent by: <kmip@lists.oasis-open.org>

The ReKey and ReKeyKeyPair operations have an impact on the Object Group attribute.  The exact nature of that impact is a bit vague.
Table 108 says that Object Group is "implicitly set" when a key is rekeyed, or keypairs are rekeyed, but neither of the operations sections (4.4 and 4.5) mentions the Object Group attribute in the description of their operation.

I would imagine that the new version of the key picks up the Object Group attribute from the old, and the old version no longer references that Object Group ("the key is dead, long live the key").

But it would probably be better if the world were not at the mercy of my imagination.


Am I overlooking clear direction in the spec?


Bruce A Rich
brich at-sign us dot ibm dot com
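The date arithmetic the first message works through (omitted Offset copies the four dates verbatim; an explicit Offset sets Initial Date to now, Activation Date to now + offset, and shifts the other dates by the change in activation) can be modelled to show why the two readings diverge. This is an added illustration, not code from the KMIP specification or from the list; dates are POSIX seconds as in KMIP Date-Time values, the sample key dates are constructed, and setting the new key's Initial Date to "now" on the no-Offset path is an assumption the quoted lines do not state.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class KeyDates:
    """Lifecycle dates of one managed key, as POSIX seconds."""
    initial_date: int
    activation_date: int
    process_start_date: int
    protect_stop_date: int
    deactivation_date: int


def rekey_dates(old: KeyDates, now: int, offset: Optional[int]) -> KeyDates:
    """Dates of the replacement key produced by a Re-key request.

    offset=None models an omitted Offset: the four dates are copied from the
    existing key, as the quoted spec lines say (Initial Date = now is assumed).
    An integer offset, including 0, models the explicit-Offset path described
    in the message: Activation Date = now + offset, and the remaining dates
    move by the same delta as the Activation Date did.
    """
    if offset is None:
        return KeyDates(now, old.activation_date, old.process_start_date,
                        old.protect_stop_date, old.deactivation_date)
    new_activation = now + offset
    delta = new_activation - old.activation_date
    return KeyDates(now, new_activation,
                    old.process_start_date + delta,
                    old.protect_stop_date + delta,
                    old.deactivation_date + delta)


def state_at(k: KeyDates, t: int) -> str:
    """Coarse lifecycle state at time t, derived from the dates alone."""
    if t >= k.deactivation_date:
        return "deactivated"
    if t < k.activation_date:
        return "pre-active"
    if t >= k.protect_stop_date:
        return "active (protect stopped)"
    return "active"


# Constructed sample: activated at 1000, protect stop 5000, deactivated 6000.
OLD = KeyDates(initial_date=900, activation_date=1000, process_start_date=1000,
               protect_stop_date=5000, deactivation_date=6000)

if __name__ == "__main__":
    for now in (7000, 5500):  # already deactivated; protect stop in the past
        for offset in (None, 0):
            new = rekey_dates(OLD, now, offset)
            print(f"now={now} offset={offset!s:4} -> {state_at(new, now)} {new}")
```

Run at now=7000, the no-Offset path yields a second key that is already deactivated, while Offset 0 yields an active key whose dates are shifted forward; at now=5500 the no-Offset key inherits a Protect Stop Date already in the past.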