[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [kmip] kmip-testcases-v1.2-wd01-review: Wrap and Unwrap
I suggest a simple change to 3.17 (lines 861-862 in wd06) to align the description with SP800-57-1 would make sense to include in the following form. A change from the current wording of "Pre-Active: The object exists but is not yet usable for any cryptographic purpose." to new wording of "Pre-Active: The object exists but SHALL NOT be used for any cryptographic purpose." This should not be a technical change in the specification but simply an update to make it clearer. Further reviewing of state and reflecting back on the discussion Saikat recently raised, I think it would also make sense to add additional text into 4.10 in the Get operation to add the following: "A server SHALL NOT return a Managed Cryptographic Object that has a State of Destroyed or Destroyed Compromised." If the server is enforcing the State rules in all contexts then this is also another area where it needs to be clear that this is required. In the two other KMIP 1.1 operations where the server is using a key for cryptographic purposed (Get where wrapping may be occuring, and DeriveKey) there should also be an addition note that the Managed Cryptographic Object being referred to must have State of Active. That should also be included in each of the new KMIP 1.2 cryptographic operations if we are going to take the path of repeating that note in each operation. I'm unclear as to whether or not that should also be applied to Create/Join SplitKey operations - in that those are effectively mechanisms for import/export using multi-party methods. Tim.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]