Re: [kmip] KMIP 2.0 Delete Attribute --- Re: [kmip] Groups - Introduction to KMIP v2.0 WD01 uploaded

[Tim Hudson <tjh@cryptsoft.com>]

> Is it possible to set more than one multi-value attribute instance to the same value as another instance of the same attribute?

No it is not. Multi-instance attribute instances are identified by their value rather than the former (removed for KMIP 2.0) attribute index.

This was discussed at the face to face at length and in the presentation materials.

It naturally impacts both the Modify Attribute and Delete Attribute operation parameters and handling. 

Allowing a reference to the attribute (Attribute Reference) as an option rather than Current Attribute would enable specification of the Attribute independent of its value and would make Delete Attribute straight forward for single instance attributes but I think that went beyond the proposal. Modify Attribute however allows a new replacement for single instance.

"If no Current Attribute is specified in the request, then if there is only a single instance of the Attribute it SHALL be selected as the attribute instance to be modified to the New Attribute value, and if there are multiple instances of the Attribute an error SHALL be returned (as the specific instance of the attribute is unable to be determined"

Extending that same approach to Delete Attribute is well worth exploring - the change is simple - and consistent in my view.

Tim.

On Thu, Dec 14, 2017 at 1:19 PM, John Leiseboer <JL@quintessencelabs.com> wrote:

Is it possible to set more than one multi-value attribute instance to the same value as another instance of the same attribute? Is it possible to modify an existing multi-value attribute’s value to the same value as an another instance of the multi-value attribute? If these are possible, is there anything that distinguishes between multi-valued attributes with identical values? Does an attempt to delete a multi-value attribute instance which has other instances with the same value (assuming this is permitted) delete all the instances, or just one? If just one, which one? Similar question for modifying a value.

 

John

 

From: kmip@lists.oasis-open.org [mailto:kmip@lists.oasis-open.org] On Behalf Of Bruce Rich
Sent: Thursday, 14 December 2017 10:08 AM
To: Mark Joseph <mark@p6r.com>
Cc: Tony Cox <tony.cox@cryptsoft.com>; OASIS KMIP Technical Committee <kmip@lists.oasis-open.org>
Subject: Re: [kmip] KMIP 2.0 Delete Attribute --- Re: [kmip] Groups - Introduction to KMIP v2.0 WD01 uploaded

 

Mark,

 

For a multivalued attribute, given we don't have an attribute index any more, how would the server know which one to delete?

Given we've pitched the index, we now need to know which value.

Unless we're talking about adopting the "don't argue with me, young man, you know what I meant" approach whereby the server just randomly shoots a value.  That might prove difficult to write a conformance test for.

 

Bruce

 

On Wed, Dec 13, 2017 at 10:58 AM, Mark Joseph <mark@p6r.com> wrote:

Looking at the definition of "Delete Attribute" operation in the current KMIP 2.0 spec and comparing that to KMIP 1.4 there is a difference I am not sure we want.

 

In KMIP 1.4 the value of the attribute to delete is not required (only the attribute's Name and index)

In KMIP 2.0 the "Current Attribute" structure is required which includes the attribute's value.   There is no text in the KMIP 2.0 spec that I have found that clearly contradicts that.   So the KMIP client would have to know the current value of the attribute to delete it.   That would be a new requirement and one I don't see the need for.

 

 

Best,

Mark Joseph

P6R, Inc

From: Tony Cox <tony.cox@cryptsoft.com>
To: <kmip@lists.oasis-open.org>
Sent: 12/7/2017 5:18 AM
Subject: [kmip] Groups - Introduction to KMIP v2.0 WD01 uploaded

Document Name: Introduction to KMIP v2.0 WD01

---

No description provided.
Download Latest Revision
Public Download Link

---

Submitter: Mr. Tony Cox
Group: OASIS Key Management Interoperability Protocol (KMIP) TC
Folder: Proposals
Date submitted: 2017-12-07 05:17:29

 

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service for QuintessenceLabs Pty Ltd.
______________________________________________________________________