OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

kmip message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [kmip] Cryptographic Usage Mask

On 10/04/2014 7:45 AM, Saikat Saha wrote:
> This suggests a KMIP server should not:
> -  In the definition of Secret Data (2.2.7), it says Secret Data is "a
shared secret value that is not a key or certificate (e.g. a password)."
> In the description of Cryptographic Usage Mask (section 3.19), it says
"The Cryptographic Usage Mask defines the cryptographic usage of a key".
> - The values in the bit mask do not correspond to non-key (e.g.
password) use cases. Values such as Encrypt, Sign, Derive Key, etc would
not be valid for a password.

Responding just to the second point within Saikat's email:

The suggestion above that none of the Cryptographic Usage Mask values
apply to Secret Data items is incorrect - and directly contradicted by
the specification text - which can be seen by looking at the Derive Key
operation which can result in Symmetric Key or Secret Data managed
objects as the result.

If you read this statement in Derive Key:

"The request SHALL only apply to Managed Cryptographic Objects that have
the Derive Key bit set in the Cryptographic Usage Mask attribute of the
specified Managed Object (i.e., are able to be used for key derivation)."

Following the logic chain:
1) The Derive Key bit of the Cryptographic Usage Mask means that a
Managed Cryptographic Object can be used in the Derive Key operation
2) The Derive Key operation allows Secret Data items as inputs and
derives keys from those inputs which can result in Secret Data items
(it does allow other inputs and outputs but the context here is to just
show that it is explicit that key derivation on secret data objects is
defined)

It makes it very clear that setting a Cryptographic Usage Mask of Derive
Key against a Secret Data managed object is entirely expected.
There are also multiple references to this within the description of
Derive Key.

I believe this counters the suggestion that the specification did not
intend for the Cryptographic Usage Mask to be a valid attribute for
Secret Data managed objects.
I do agree we have some relatively loose wording around "key" in a few
places within the specification - but that it is clear from the context
when referring to particular managed object types when we reference the
defined terms.

Tim.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]