kmip message
Subject: KMIP Spec wd06: Process Start Date and Protect Stop Date Clarification


kmip-spec-v1.2-wd06

I think the specification needs to be clarified for consistency with NIST SP 800-57 Part 1 for MAC and asymmetric keys being subject to Process Start Date and Protect Stop Date attributes.

3.22 State, says, "... (Note: These states correspond to those described in [SP800-57-1])." and "Active: The object MAY be used for all cryptographic purposes that are allowed by its Cryptographic Usage Mask attribute and, if applicable, by its Process Start Date (see 3.25) and Protect Stop Date (see 3.26) attributes."

3.25 Process Start Date, says, "This is the date and time when a Managed Symmetric Key Object MAY begin to be used to process cryptographically protected information (e.g., decryption or unwrapping), ..." It is silent on MAC and signature verification operations, and refers only to symmetric keys.

3.26 Protect Stop Date, says, "This is the date and time when a Managed Symmetric Key Object SHALL NOT be used for applying cryptographic protection (e.g., encryption or wrapping), ..." It is silent on MAC and signing operations, and refers only to symmetric keys.

SP800-57-1 (referenced in the KMIP specification), says, "Active state: The key may be used to cryptographically protect information or to cryptographically process previously protected information (e.g., decrypt ciphertext or verify a digital signature) or both. When a key is active, it may be designated to protect only, process only, or both protect and process. Private signature generation keys are implicitly designated as protect only; public signature verification keys are designated as process only."

The text from 3.22 above refers to the Cryptographic Usage Mask (section 3.19) "that indicates to the client which cryptographic functions MAY be performed using the key, and which ones SHALL NOT be performed". The cryptographic functions enumerated are: Sign, Verify, Encrypt, Decrypt, Wrap Key, Unwrap Key, Export, MAC Generate, MAC Verify, Derive Key, Content Commitment, Key Agreement, Certificate Sign, CRL Sign, Generate Cryptogram, Validate Cryptogram, Translate Encrypt, Translate Decrypt, Translate Wrap, and Translate Unwrap. 3.22 references decryption and verification in the bulleted item for the Deactivated state. It does not mention encryption, MAC and signing.

John

----------------------------------------------------------------------
John Leiseboer                          QuintessenceLabs Pty Ltd
Chief Technology Officer                Suite 23, Physics Building #38
Phone:  +61 7 5494 9291 (Qld)           Science Road
Phone:  +61 2 6125 9498 (ACT)           Australian National University
Mobile: +61 409 487 510                 Acton ACT 0200
Fax:    +61 2 6125 7180                 AUSTRALIA
Email:  JL@quintessencelabs.com         www.quintessencelabs.com
----------------------------------------------------------------------
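To make the distinction John is asking about concrete, the following is an added illustration (example code, not part of the original message, the KMIP specification, or any KMIP implementation) of a server-side usage check that applies State, Cryptographic Usage Mask, Process Start Date and Protect Stop Date together. It assumes the SP 800-57 interpretation quoted above: Sign and MAC Generate are "protect" functions bounded by Protect Stop Date, while Verify and MAC Verify are "process" functions bounded by Process Start Date. That grouping, the fallback of the two dates to Activation Date and Deactivation Date when unset, and the `ManagedKey` / `operation_permitted` names are assumptions of this example, not text from wd06.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional, Set, Tuple


class State(Enum):
    """Key lifecycle states named in KMIP section 3.22."""
    PRE_ACTIVE = "Pre-Active"
    ACTIVE = "Active"
    DEACTIVATED = "Deactivated"
    COMPROMISED = "Compromised"
    DESTROYED = "Destroyed"


# A subset of the Cryptographic Usage Mask functions (KMIP 3.19), grouped by
# the SP 800-57 notions of "protect" (apply protection) and "process" (consume
# previously protected data). Putting Sign / MAC Generate under protect and
# Verify / MAC Verify under process is this example's assumption, following
# the SP 800-57 wording quoted in the message; wd06 itself only names
# encryption/wrapping and decryption/unwrapping.
PROTECT_OPS = {"Encrypt", "Wrap Key", "Sign", "MAC Generate"}
PROCESS_OPS = {"Decrypt", "Unwrap Key", "Verify", "MAC Verify"}


@dataclass
class ManagedKey:
    state: State
    usage_mask: Set[str]                    # subset of the function names above
    activation_date: datetime
    process_start_date: Optional[datetime] = None
    protect_stop_date: Optional[datetime] = None
    deactivation_date: Optional[datetime] = None


def operation_permitted(key: ManagedKey, op: str, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason) for performing `op` with `key` at time `now`."""
    if op not in PROTECT_OPS and op not in PROCESS_OPS:
        return False, f"operation {op!r} not modelled here"
    if op not in key.usage_mask:
        return False, "operation not permitted by Cryptographic Usage Mask"
    if key.state in (State.PRE_ACTIVE, State.COMPROMISED, State.DESTROYED):
        return False, f"state {key.state.value} forbids all cryptographic use"
    if key.state is State.DEACTIVATED:
        # Deactivated keys may only process previously protected data.
        if op in PROTECT_OPS:
            return False, "deactivated key SHALL NOT apply protection"
        return True, "deactivated key processing previously protected data"
    # Active: enforce the two date windows on the appropriate operation class.
    if op in PROTECT_OPS:
        # Assumption: an unset Protect Stop Date falls back to Deactivation Date.
        stop = key.protect_stop_date or key.deactivation_date
        if stop is not None and now >= stop:
            return False, "Protect Stop Date reached"
    else:
        # Assumption: an unset Process Start Date falls back to Activation Date.
        start = key.process_start_date or key.activation_date
        if now < start:
            return False, "Process Start Date not yet reached"
    return True, "allowed"


# Constructed reference time and helper so scenarios can be expressed in days.
EPOCH = datetime(2013, 1, 1, tzinfo=timezone.utc)


def days_after(n: int) -> datetime:
    return EPOCH + timedelta(days=n)


def example_mac_key() -> ManagedKey:
    """Constructed MAC key: may generate MACs for 30 days, verify from day 1 on."""
    return ManagedKey(
        state=State.ACTIVE,
        usage_mask={"MAC Generate", "MAC Verify"},
        activation_date=EPOCH,
        process_start_date=days_after(1),
        protect_stop_date=days_after(30),
    )


if __name__ == "__main__":
    key = example_mac_key()
    for op, day in (("MAC Generate", 0), ("MAC Verify", 0), ("MAC Verify", 1),
                    ("MAC Generate", 30), ("MAC Verify", 40), ("Encrypt", 2)):
        print(day, op, operation_permitted(key, op, days_after(day)))
```

The point the check makes visible is that a MAC key (or a signing key) has both a protect side and a process side, so both dates are meaningful for it, exactly as for a symmetric encryption key; restricting 3.25 and 3.26 to "Managed Symmetric Key Object" and to encryption/decryption leaves a server implementer to guess how the verify operations are bounded.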