[kmip] Digital Signature Algorithm attribute: Multiple-instances allowed: Yes and No

["Featherstone, David" <David.Featherstone@safenet-inc.com>]

Greetings

 

The KMIP spec states that the 3.16 Digital Signature Algorithm [see ([KMIP v1.2] Table 76) attribute can have multiple instances in the case of PGP keys, but may not have multiple instances in the case of X.509 certificates. i.e. The set of single-instance attributes is different depending on the type of managed object. This call-me-maybe attribute interferes with an implementation's ability to define a single, exhaustive set of single-instance attributes.

 

I further notice that the KMIP spec has created X.509-specific attributes for Identifier, Subject and Issuer:

• 3.10  X.509 Certificate Identifier
• 3.11  X.509 Certificate Subject
• 3.12  X.509 Certificate Issuer

 

Given that the PGP certificate type has been deprecated as of KMIP v1.2 [see [KMIP v1.2] 2.2.1 Certificate)], I wonder if we could follow the above pattern and create an X.509 Digital Signature Algorithm attribute, whose Attribute Rules table would unambiguously indicate "Multiple instances permitted=No"? [And the existing 3.16 Digital Signature Algorithm attribute's description could be changed (a) to refer only to PGP keys, and (b) to indicate unambiguously that "Multiple instances permitted=Yes"?]

 

Cheers,

… Dave

 

 

The information contained in this electronic mail transmission 
may be privileged and confidential, and therefore, protected 
from disclosure. If you have received this communication in 
error, please notify us immediately by replying to this 
message and deleting it from your computer without copying 
or disclosing it.