OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

kmip message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [kmip] Groups - kmip-cs-profile-v1.0-wd01-review.doc uploaded


Only had time to review through to Section 7. I’ll try to find more time next week for the remainder of the document.

 

kmip-cs-profile-v1.0-sd01-review.doc

 

Line 63

"KMIP Baseline Client" should be "KMIP Baseline Server".

 

Line 67

Which "Mandatory Test Cases" are being referred to? (The tests in Section 4?)

 

Line 81

Which "Mandatory Test Cases" are being referred to? (The tests in Section 4?)

 

Line 86

Are these the "Mandatory Test Cases" referred to in lines 67 and 81?

 

Line 87

This conflicts with lines 78, 79 and 80. Line 87 allows a client to support any one of the test cases; e.g. Create/Encrypt/Destroy, but lines 78-80 require that a client support BOTH Encrypt and Decrypt.

 

Starting at line 110, Test case 4.1.6, CS-BC-M-6-12 - Encrypt and Decrypt with Known Symmetric Key

The block cipher mode is not specified. It should be specified either in the key Registration request, or in both of the Encrypt and Decrypt requests.

 

For better interoperability coverage, additional tests for at least the following are required:

 

- Additional block cipher modes. Testing only with the (insecure) ECB mode will not flush out potential implementation mistakes with the various feedback modes.

- In conjunction with additional block cipher modes, some different padding methods should be specified.

- In conjunction with additional block cipher modes, initialisation vector, counter, and nonce (where applicable) input by the client should be specified.

- It is still unclear to me whether Block Cipher Mode and Padding Method attributes specified by the client in Encrypt and Decrypt requests can force the server to override these normally immutable attributes. Some tests illustrating expected behaviour are necessary.

- Some error test cases would be useful; e.g. trying to perform an Encrypt operation using the wrong type of managed object; specifying incompatible or conflicting attributes like mode or padding; providing an IV and/or padding method for ECB mode; etc.

 

Line 117

"KMIP Baseline Client" should be "KMIP Baseline Server".

 

Line 120

Typo: missing "]"

 

Line 121

Which "Mandatory Test Cases" are being referred to? (The tests in Section 7?)

 

Line 134

Typo: missing "]"

 

Line 135

Which "Mandatory Test Cases" are being referred to? (The tests in Section 7?)

 

Line 140

Are these the "Mandatory Test Cases" referred to in lines 121 and 135?

 

Line 141

Does this mean that the vendor decides which test cases are mandatory for the client?

 

Line 142

This says that the server must support all of the test cases listed. Any suggestions on how to perform these tests, as they require different, incompatible server behaviour? Are you assuming some out of band communication (KMIP extension, non-KMIP, server management channel, human to human, etc.) to set up the server behaviour prior to running the tests in question?

 

Seed RNG with Server Accept, Seed RNG with Server partial Accept, Seed RNG with Server Ignore, and Seed RNG with Server Deny each return different responses (and presumably invoke different internal server behaviour - although the specification does not require this) for exactly the same request.

 

If Seed RNG with Server Accept is supported by the server, and performed multiple times, each followed by RNG Retrieve, must each returned random be identical? If not, is it allowed to be identical? If so, under what conditions is it allowed to be identical, or can it be forced to be identical?

 

John

 

From: kmip@lists.oasis-open.org [mailto:kmip@lists.oasis-open.org] On Behalf Of Tim Hudson
Sent: Friday, 28 June 2013 12:25 AM
To: kmip@lists.oasis-open.org
Subject: [kmip] Groups - kmip-cs-profile-v1.0-wd01-review.doc uploaded

 

Submitter's message
Updated conformance wording style. Updated test case style. Included test cases for 1.2. Applied new OASIS template.

Note: the byte values for the test data in the "Advanced Cryptographic Tests" remains to be updated from the placeholder values.
-- Tim Hudson

Document Name: kmip-cs-profile-v1.0-wd01-review.doc


Description
Cryptographic Services Profile
Download Latest Revision
Public Download Link


Submitter: Tim Hudson
Group: OASIS Key Management Interoperability Protocol (KMIP) TC
Folder: Drafts
Date submitted: 2013-06-27 07:25:14

 



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]