KMP 1.2 Create Split Key

[John Leiseboer <JL@quintessencelabs.com>]

I recently started looking at the new Create Split Key operation in KMIP 1.2, and I am confused...

The wording appears to allow two types of operation:

    1. Split an existing key into multiple parts;
    2. Create a new key, and split it into multiple parts.

I don't believe that the specification for the response properly supports the second type of operation. Or if it does, it is unclear to me what to return in the response.

The response has a required field that identifies the (singular) object type. This is okay for usage 1, where only Split Keys will be created. Object type is Split Key, and what follows is a list of Split Key UIDs.

But for usage 2, if say a new Symmetric Key is created, as well as its constituent Split Key parts, what should the Object Type be? Should it be the Symmetric key, or the Split Key object type (given that both a symmetric key and a number of split key objects would be created; i.e. two different Object Types)? What makes up the list of UIDs - symmetric key and split keys, just the symmetric, just the split keys? Is there a required order; e.g. the symmetric key is the first UID, split keys in the rest of the list? And if only the symmetric key UID, or split key UIDs are returned, how are the UIDs of the missing objects in the list found? Maybe there is a link type required to bind all this together?

Also, what should be returned in the Template-Attribute when both a new key, as well as key parts are created? To which newly created object, or objects do the Template-Attributes apply?

Regards,
John

John Leiseboer | Chief Technology Officer | QuintessenceLabs | W: quintessencelabs.com
E: jl@quintessencelabs.com | M(AU): +61 409 487 510 | M(US): +1 202 294 6825 | Skype: jleiseboer
AU: 15 Denison St | Deakin | ACT 2601 | T: +61 2 6260 4922
US: Suite 220 | 175 Bernal Road | San Jose CA 95119 | T: +1 650 870 9920