<soapbox>Yes. We have several precedents in KMIP for acknowledging things are broken and then adding new features built on the broken
stuff.</soapbox>
John
From: Mark Joseph [mailto:mark@p6r.com]
Sent: Friday, 22 August 2014 8:12 AM
To: John Leiseboer; kmip@lists.oasis-open.org
Subject: RE: [kmip] Server to Client Query
So this is not a new issue it exists today with the current server to client operations. As such it's not really an issue with the new operations I have proposed to query and so I propose it is handled as such as a different proposal
entirely
Mark Joseph, PhD
-------- Original message --------
Date:08/21/2014 2:29 PM (GMT-08:00)
Subject: [kmip] Server to Client Query
As requested on the call today, I am sending a description of the server to client query issue that was discussed in the TC call on June 19.
There is an asymmetry in KMIP, such that KMIP clients may use a proxy to connect to a KMIP server, where the proxy terminates the TLS connection with the server. This asymmetry does not permit a server to directly address a client sitting behind the proxy for server to client messages. Incidentally, this is also an issue for the Notify and Put operations, and could perhaps be resolved in a similar manner.
This is not an issue in the client to server direction because:
a. The server is the end point (as far as KMIP request messages are concerned) and we do not (yet) have the concept of a server proxy in KMIP;
b. As the proxy is acting on behalf of clients, it can manage the pairing of requests and their responses, and map these to its end-point clients.
There are many practical examples of this type of configuration: tape library as proxy to tape drives; disk array controller as proxy to disk drives; VM manager as proxy to VM instances; communications controller as proxy to radio receivers and transmitters; key loader as proxy to end-point encryption devices; etc.
As expressed on the call, some TC members' products, and customers, support configurations where clients with DIFFERENT capabilities connect through a proxy. The current proposal for server to client queries assumes a one-to-one direct relationship between the server and the client. The proposal does not specify how a server can direct a query to a specific end-point client behind the proxy, or how a proxy can indicate which end-point client a query response applies to.
I will try to describe some of the possible solutions to this in a later email. Right now, I have other work to do.
John
John Leiseboer | Chief Technology Officer | QuintessenceLabs | W: quintessencelabs.com
E: jl@quintessencelabs.com | M(AU): +61 409 487 510 | M(US): +1 202 294 6825 | Skype: jleiseboer
AU: 15 Denison St | Deakin | ACT 2601 | T: +61 2 6260 4922
US: Suite 1077 Bldg 19 | NASA Ames Research Park | Moffett Field CA 94035 | T: +1 650 870 9920
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php