OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

kmip message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [kmip] Groups - Locate By Value 2 uploaded

Anthony,

Now that you've clarified the intended server control policy around this extended Locate, I'm OK with the proposal.  Thanks.  Kinda leaning to the second representation, but my vote could easily be swayed with a free beverage.

But now I'm puzzled by the assertion in the slides that "Server policy is not part of the KMIP specification".  To semi-quote a former US president, perhaps the issue is what "is" means.  My view is that the current, OASIS-approved KMIP spec for 1.2 still has section 3.18 in it, which gives clear instruction (in RFC 2119 terms) about required server policy (see lines 770 and following, which state (in part)..."A key management system implementation SHALL implement at least one named operation policy, which is used for objects when the Operation Policy attribute is not specified by the Client in operations that result in a new Managed Object on the server").  So in KMIP 1.2, there is a server policy defined in the specification, and clients that see their object has an OperationPolicyName attribute with a value of "default" would expect the server to honor that policy.  We have recently been so bold as to deprecate this mechanism in drafts of KMIP 1.3 without yet defining a successor, but our online discussion has illustrated the problem we may have, to wit, absent a defined server policy and access control mechanism that enforces such policy, why choose a KMIP server to safeguard your secrets?  I was reluctant to consider the extended Locate until you asserted policy about access control...and I would note that the deprecated-in-1.3-OperationPolicyName-policy-for-"default" actually would have addressed my concern about access in section 3.18.2.1, by saying that a successful Locate on a "Secret Object" would be restricted to the owner of that object, which is kinda what you asserted should be the case.  So maybe OPN is useful enough to not be deprecated just yet.  But that's a bigger topic than your proposal here, for which I started off by saying "Now...I'm OK with the proposal".

Bruce A Rich
brich at-sign us dot ibm dot com




From:        Anthony Berglas <anthony.berglas@cryptsoft.com>
To:        kmip@lists.oasis-open.org
Date:        11/17/2015 09:22 PM
Subject:        [kmip] Groups - Locate By Value 2 uploaded
Sent by:        <kmip@lists.oasis-open.org>



Submitter's message
Hello All,

This is an updated proposal on Locate by Value in response to the comments by Mark and Bruce.
-- Anthony Berglas
Document Name: Locate By Value 2
Description
Proposal to be able to Locate managed objects based on their values.
Download Latest Revision
Public Download Link
Submitter: Anthony Berglas
Group: OASIS Key Management Interoperability Protocol (KMIP) TC
Folder: Proposals
Date submitted: 2015-11-17 19:21:44



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]