RE: [kmip] Groups - KMIP-SP800-130-152.pdf uploaded

["Furlong, Judith" <judith.furlong@emc.com>]

Bob,

In KMIP we never restricted the Revoke operation to just asymmetric keys and certificates.  It can apply to any type of managed cryptographic or opaque object.  Currently this is the operation to use if you want to say a symmetric key is compromised.

However, if NIST is changing the state diagram and transitions to cover Suspend separate from Revoke then introducing new Suspend/Reactivate operations may make sense.  We may also want to consider going back and restricting the Revoke operation to just asymmetric keys and certificates and introducing a Compromise operation to cover the symmetric key cases.  But I would see these type of changes to be better suited for KMIIP 2.0 vs. KMIP 1.x.

Judy

-----Original Message-----
From: Lockhart, Robert [mailto:Robert.Lockhart@thalesesec.com] 
Sent: Tuesday, February 18, 2014 8:09 PM
To: Furlong, Judith
Cc: Charles White; kmip@lists.oasis-open.org
Subject: Re: [kmip] Groups - KMIP-SP800-130-152.pdf uploaded

My concern is that NIST appears to be looking to update the SP800-57 Part 1 state model to include revoke, suspend and return to activation.  The are also calling out these states in the Second Draft of SP800-152.

It would be nice to consider at least the addition of the states to KMIP or as other attributes at a minimum so that they may be used by key owners without requiring server vendors getting in the way if NIST or someone else has a need.

As for use cases there are potential use cases for these states for not just certificates but symmetric keys as well (e.g. Tape falls off the back of a truck but is found in the library two weeks later - real world use case that I have seen three or four times before).

Robert A. (Bob) Lockhart
Chief Solutions Architect - Key Management
Thales e-Security, Inc.


On Feb 18, 2014, at 1:39 PM, "Furlong, Judith" <judith.furlong@emc.com<mailto:judith.furlong@emc.com>> wrote:

Chuck

In Slide 7, last bullet you suggest adding new operations for Suspend/Re-activate and associated date attributes

Instead of adding new operations one could leverage the Revoke operation to support this - We deferred support of the certificateHold and removeFromCRL revocation reasons from current KMIP versions mainly because we didn't see folks using KMIP to support the suspending/unsuspending of public key certificates.  But SP800-130 support could be used as justification for adding the certificateHold and removeFromCRL options to the revocation reason enumerations.

If we leverage the Revoke operation in this way you could also leverage the existing Compromise Date to handle when the key was Suspended.  This assume folks are not bothered by using an attribute named 'compromise' for something which is 'suspended'. A new attribute to track when the key was reactivated would still need to be added - assuming you don't want to overload Activation Date.

Judy

From: kmip@lists.oasis-open.org<mailto:kmip@lists.oasis-open.org> [mailto:kmip@lists.oasis-open.org] On Behalf Of Charles White
Sent: Thursday, February 13, 2014 7:49 AM
To: kmip@lists.oasis-open.org<mailto:kmip@lists.oasis-open.org>
Subject: [kmip] Groups - KMIP-SP800-130-152.pdf uploaded

Submitter's message
Good morning/evening KMIP TC!

KMIP-SP800-130-152.pdf provides an overview of how NIST guidelines for Cryptographic Key Management Systems impact KMIP. Also this presentation provides options for further alignment of KMIP to NIST standards. Note there is a corresponding spreadsheet - NIST-KMIP CR.xlsx that documents the relationship between the collective set of standards.

Thanks!

Chuck
-- Charles White
Document Name: KMIP-SP800-130-152.pdf<https://www.oasis-open.org/apps/org/workgroup/kmip/document.php?document_id=52201>
________________________________
Description
Review of NIST SP800-130 and NIST SP800-152. Discussing options to update
KMIP 1.3 to align with NIST guidance. Note that there is a corresponding
spreadsheet - NIST KMIP CR.xlsx
Download Latest Revision<https://www.oasis-open.org/apps/org/workgroup/kmip/download.php/52201/latest/KMIP-SP800-130-152.pdf>
Public Download Link<https://www.oasis-open.org/committees/document.php?document_id=52201&wg_abbrev=kmip>
________________________________
Submitter: Charles White
Group: OASIS Key Management Interoperability Protocol (KMIP) TC
Folder: Drafts
Date submitted: 2014-02-13 04:48:46