[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Specification clarification in regard to managed object retrieval
KMIP Team, Section 4.22 of the KMIP spec at http://docs.oasis-open.org/kmip/spec/v1.1/os/kmip-spec-v1.1-os.html#_Toc333494539 doesn’t mention any state restrictions. It’s very unlikely this is an oversight. More likely Get is allowed in any state. The section 3.22 in the KMIP spec quoted below says "Pre-Active: The object exists but is not yet usable for any cryptographic purpose." Retrieving using Get is not a cryptographic purpose so returning a pre-active key does not violate this. This is reinforced by the text in test 4.1 which says “[being in the compromised state] does not stop a client from being able to add, modify and delete attributes or even get the key (since we assume here that the out-of-band registration has been used to make the server aware of the fact that the client is capable of interpreting the attributes of the key and determining what it is allowed to do with the key).” Emphasis added by me. Therefore it appears it is the client’s responsibility to determine what is allowed to be done with the key based on the attributes returned by the KS/DS. Test case 3.1.3 at http://docs.oasis-open.org/kmip/testcases/v1.1/cn01/kmip-testcases-v1.1-cn01.html#_Toc333488775 is titled “Test Case: Create / Locate / Get / Destroy”. That sequence of commands is supposed to succeed. Requiring that the Activate command or setting the Activation Date such that the key becomes Active before the Get command is called would cause this test case to fail. Given above, what is committee members consensus of allowing the “Get” command to retrieve a “Pre-Active” key or Secret Data object? One view is that precluding Get from retrieving Pre-Active keys does appear to violate spec. Other view is that why would the KMIP server allow to retrieve a key that is in “Pre-active” state. Some real-life customers have proposed that server should not allow clients to retrieve an object in pre-active state. Would appreciate some feedback from the committee members. Regards, Saikat The information contained in this electronic mail transmission may be privileged and confidential, and therefore, protected from disclosure. If you have received this communication in error, please notify us immediately by replying to this message and deleting it from your computer without copying or disclosing it. |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]