Re: [kmip] kmip-testcases-v1.2-wd01-review: Wrap and Unwrap

[Tim Hudson <tjh@cryptsoft.com>]

I suggest a simple change to 3.17 (lines 861-862 in wd06) to align the
description with SP800-57-1 would make sense to include in the following
form.

A change from the current wording of "Pre-Active: The object exists but
is not yet usable for any cryptographic purpose."
to new wording of "Pre-Active: The object exists but SHALL NOT be used
for any cryptographic purpose."

This should not be a technical change in the specification but simply an
update to make it clearer.

Further reviewing of state and reflecting back on the discussion Saikat
recently raised, I think it would also make sense to add additional text
into 4.10 in the Get operation to add the following:

"A server SHALL NOT return a Managed Cryptographic Object that has a
State of Destroyed or Destroyed Compromised."

If the server is enforcing the State rules in all contexts then this is
also another area where it needs to be clear that this is required.

In the two other KMIP 1.1 operations where the server is using a key for
cryptographic purposed (Get where wrapping may be occuring, and
DeriveKey) there should also be an addition note that the Managed
Cryptographic Object being referred to must have State of Active. That
should also be included in each of the new KMIP 1.2 cryptographic
operations if we are going to take the path of repeating that note in
each operation.

I'm unclear as to whether or not that should also be applied to
Create/Join SplitKey operations - in that those are effectively
mechanisms for import/export using multi-party methods.

Tim.