Subject: RE: [kmip] Re: [GRAYMAIL] [kmip] Groups - Import Export Operation uploaded
As long as the exported data is leaving the defined crypto boundary of a given server in an encrypted format (TLS, SSL, IPsec, etc.), it is FIPS compliant, from my understanding.
A failure attribute per imported attribute, maybe? It could be an attribute type that defines the name of the attribute that failed.
Chaining Export seems like a good idea – maybe an export type? Something along the lines of a recursive export.
I like this idea and we would add it into our client SDK library.
I do have a few questions:
(1) How do we export a chain of objects? So for example, let's say we have 2 Opaque objects on a KMIP server where one has a Child link / Parent Link between the two. I believe your description would have them exported / imported separately, but why not as one unit? Exporting / importing as one unit will decrease the chance of links being broken. This is also relevant for Re-keyed objects.
(2) Also, what happens if an importing server does not understand all the attributes? I know of a KMIP server that does not implement all 1.2 attributes.
(3) I do believe we have an issue with unique identifiers. If a customer wants to export from one vendor into a completely different vendor, the scheme you suggest might lead to import failures.
(4) Can this work if a KMIP server is in FIPS mode?