RE: re-chartering KMIP

[John Leiseboer <JL@quintessencelabs.com>]

Hi everyone,

 

I just found time to properly read the current charter with a legal eye. I found the following interesting.

 

Section talking about the initial goal of the TC:

 

“The initial goal is ... Out of scope areas include: ... registration of clients, server-to-server communication and key migration ...”

 

And towards the end, where in scope items of KMIP are described:

 

“KMIP ... will be scoped to include the following: ... actor discovery and enrolment, ... key, certificate and policy migration ...”

 

I read this to mean that only the initial scope excludes registration of clients, etc. But the full scope of KMIP (beyond initial) includes registration of clients (“actor discovery and enrolment”), etc. Does anyone have a legal opinion on this that is different to mine?

 

This is not a reason to abandon the charter change work, but I think it warrants us better understanding what really is in and out of scope. For example, in my reading of the in scope section of the charter, I see nothing that allows us to include the crypto operations. Neither is there an explicit statement that directly says we cannot. But the only sensible interpretation of the charter would be that items not specifically included (where such items could be interpreted to go beyond the scope of key management) are by default excluded. (I think the crypto operations proposal is the only one that would be out of scope given this interpretation. Everything else we’ve been considering for 1.2 is in scope.)

 

So while we’re looking at these changes to the charter, and if we’re also wanting to add crypto operations, I think we at least need to have the discussion on whether we need to also change the charter to specifically include cryptographic operations as in scope. And possibly, this would the only reason that we need to change the charter.

 

John

 

From: kmip@lists.oasis-open.org [mailto:kmip@lists.oasis-open.org] On Behalf Of Griffin, Robert
Sent: Tuesday, 19 March 2013 3:25 AM
To: kmip@lists.oasis-open.org
Subject: [kmip] re-chartering KMIP

 

Hi (yet again!) –

At the KMIP F2F, the TC agreed that we’d like to move ahead with considering re-chartering the TC. I asked Chet if we needed to wait until the V1.1 Errata are done before starting the process; he didn’t think so (“You would work on the Errata under either version of the charter”). So I’d like to discuss the following draft motion in our call this week: 

 

“I move that the KMIP TC request OASIS administration to initiate a special majority ballot to determine whether the KMIP TC wishes to modify the current charter, such that the following bulleted items are removed from the list of out-of-scope areas currently defined in the charter:

 ·  Framework interfaces not dedicated to secure key and certificate management

·  Certain areas of functionality related to key management are also outside the scope of this technical committee, in particular registration of clients, server-to-server communication and key migration.

·  Bindings other than tag-length-value wire protocol and XSD-based encodings.”

 

A couple of things I’d call out:

-           Chet felt that this motion didn’t need to be a ballot, since OASIS will be setting up a Special Majority ballot.

-           

-          I assume that some or many of the member organizations will need to have their legal departments review this change to the charter. So we probably want to wait to make and vote on this motion until such review has taken place? Should we have a statement of intent that folks can take back to their companies?

Regards,

Bob

 

 

The motion is fine. You can just approve it as a motion in a meeting if you want to. No need for you to create a ballot (7 days) to ask me to initiate a ballot (7 more days). Then (since we don't have a ticket for this) just send me the link in an email and I'll set the ballot up.  

 

 

--