OASIS Mailing List Archives

kmip message



Subject: Re: [kmip] Re: Split_Key_Proposal_v0.3.docx uploaded


On 27/03/2013 1:10 PM, Bruce Rich wrote:
> 1) The SplitKeys that are created are not linked in any way to a specific owner, so the server cannot tell whether a get() for split #x should be allowed or not.

There is no concept of a KMIP visible owner at present - we conceptually do have a creator (which really should be renamed to owner as I've previously mentioned) and we have some policies which express permissions based on allowed-to-creator-only, allowed-to-all, disallowed-to-all. See https://lists.oasis-open.org/archives/kmip/201107/msg00028.html

We haven't tackled the issue of making ownership visible within KMIP and we have spent substantial TC resources on going over that topic a number of times so I'm naturally hesitant to suggest that in order to support creating of split keys we tackle the harder issue we have agreed to not resolve to date.

I think the underlying questions are straightforward:
1) do we need to tackle ownership and access controls in order to support a CreateSplit operation?
2) do we want to tackle ownership and access controls in KMIP 1.2?

My sense is that the answer to both of those remains no - however discussing that on the call this week would make sense.

As ACL handling remains outside of KMIP currently, nothing precludes vendors from doing what is currently done for ACL management - in that it is all handled in the server in whatever manner the vendor deems appropriate remaining "invisible" to KMIP clients. That does mean that there are a pile of use cases which are not able to be handled in an interoperable manner.

If we as a group want to tackle ownership and ACLs then we should figure out the scope we are willing to address in that area and whether or not that belongs within KMIP 1.2 or is work for a subsequent release.

For those who want to review the output from the previous discussions the following URLs are a good starting point:
    https://www.oasis-open.org/apps/org/workgroup/kmip/email/archives/201104/msg00028.html
    https://www.oasis-open.org/apps/org/workgroup/kmip/email/archives/201101/msg00015.html
    https://www.oasis-open.org/apps/org/workgroup/kmip/email/archives/201105/msg00023.html
    https://www.oasis-open.org/apps/org/workgroup/kmip/email/archives/201102/msg00030.html
    https://www.oasis-open.org/apps/org/workgroup/kmip/email/archives/201202/msg00038.html

Thanks,
Tim.


