
Subject: RE: [kmip] Certificates and Cryptographic Usage Mask attribute


Regarding Usage Mask for Secret Data Object,

As per the KMIP spec, the Derive Key Usage Mask can be used with a Secret Data Object.

 

Do we have a test case regarding this for better understanding?

 

 

Thanks,

Nitin

From: Jain Nitin
Sent: 04 April 2018 12:17
To: 'Tim Hudson' <tjh@cryptsoft.com>
Cc: Furlong, Judith <Judith.Furlong@dell.com>; Chevalier, Tim <Tim.Chevalier@netapp.com>; Mark Joseph <mark@p6r.com>; OASIS KMIP Technical Committee <kmip@lists.oasis-open.org>; Tony Cox <tony.cox@cryptsoft.com>
Subject: RE: [kmip] Certificates and Cryptographic Usage Mask attribute

 

Thanks Tim.

 

From: Tim Hudson [mailto:tjh@cryptsoft.com]
Sent: 04 April 2018 12:14
To: Jain Nitin <nitin.jain@gemalto.com>
Cc: Furlong, Judith <Judith.Furlong@dell.com>; Chevalier, Tim <Tim.Chevalier@netapp.com>; Mark Joseph <mark@p6r.com>; OASIS KMIP Technical Committee <kmip@lists.oasis-open.org>; Tony Cox <tony.cox@cryptsoft.com>
Subject: Re: [kmip] Certificates and Cryptographic Usage Mask attribute

 

Note that the use of "key" in the prose there is not specifying an object type.


And if you keep reading to the actual table that defines which object type the attribute applies to ... a little further down ...

 

Applies to Object Types      = Cryptographic Objects

 

And Cryptographic Objects includes everything except Opaque Object (and Template for pre-2.0 if you don't mind deprecated usage).

 

So the specification explicitly says Cryptographic Usage Mask applies to more than "keys".

 

Tim.

 

 

On Wed, Apr 4, 2018 at 3:29 PM, Jain Nitin <nitin.jain@gemalto.com> wrote:

Guys, in the KMIP spec it is clearly written that Usage Mask defines the usage of a Key (no Certificates and Secret Data).

 

 

Thanks,

Nitin

From: kmip@lists.oasis-open.org [mailto:kmip@lists.oasis-open.org] On Behalf Of Furlong, Judith
Sent: 04 April 2018 03:16
To: Chevalier, Tim <Tim.Chevalier@netapp.com>; Tim Hudson <tjh@cryptsoft.com>; Mark Joseph <mark@p6r.com>
Cc: OASIS KMIP Technical Committee <kmip@lists.oasis-open.org>; Tony Cox <tony.cox@cryptsoft.com>
Subject: [+SPAM+]: RE: [kmip] Certificates and Cryptographic Usage Mask attribute

 

Ok, sounds like we need to revisit the whole cryptographic usage mask concept and have it apply only to the objects (e.g. keys) where usages actually make sense. We also have the proposal that Nitin brought forward around changes to the usage masks themselves, which we should also make sure we revisit as part of this F2F discussion.

 

Judy

 

Judith Furlong

Sr. Consultant Product Security Architect

Dell EMC | Product Security Office

Office:  +1-508-249-1124

Judith.Furlong@dell.com

 

From: kmip@lists.oasis-open.org [mailto:kmip@lists.oasis-open.org] On Behalf Of Chevalier, Tim
Sent: Tuesday, April 3, 2018 5:40 PM
To: Tim Hudson <tjh@cryptsoft.com>; Mark Joseph <mark@p6r.com>
Cc: OASIS KMIP Technical Committee <kmip@lists.oasis-open.org>; Tony Cox <tony.cox@cryptsoft.com>
Subject: Re: [kmip] Certificates and Cryptographic Usage Mask attribute

 

Hi,

 

Along those lines I’ve never understood the requirement for a cryptographic mask for the Secret Data object…

 

--Tim

 

From: <kmip@lists.oasis-open.org> on behalf of Tim Hudson <tjh@cryptsoft.com>
Date: Tuesday, April 3, 2018 at 4:16 PM
To: Mark Joseph <mark@p6r.com>
Cc: OASIS KMIP Technical Committee <kmip@lists.oasis-open.org>, Tony Cox <tony.cox@cryptsoft.com>
Subject: Re: [kmip] Certificates and Cryptographic Usage Mask attribute

 

Or perhaps we completely remove the mandatory requirement for a cryptographic usage mask ... some vendors don't actually support it.

 

The masks themselves also need to be more clearly defined in terms of their intended impact on KMIP servers and clients in terms of both KMIP operations and underlying cryptographic usage.

 

Tim.

 

On Tue, 3 Apr. 2018, 1:09 pm Mark Joseph, <mark@p6r.com> wrote:

Hi all,

 

    I am not the first to ask why does KMIP require a Cryptographic Usage Mask for a Certificate?    And exactly which value for the Mask makes sense?

It has caused some problems during the interop and I can just see our customers having trouble with this.

 

   How about we discuss this in the Face to Face next week?   Maybe we can agree that Certificates don't need Cryptographic Usage Masks for KMIP 2.0, which is what I would like to propose.

 

 

Best,

Mark 

 

 

 


This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.
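
The applicability rule cited in the thread (Cryptographic Usage Mask applies to Cryptographic Objects, meaning everything except Opaque Object and, before 2.0, Template) and the Derive Key on Secret Data case raised at the top, as an added Python example that is not part of the original thread or of any KMIP implementation. The bit values are a subset of the KMIP Cryptographic Usage Mask enumeration; the operation-to-bit policy, the function names and the sample requests are assumptions made for illustration.

```python
# Subset of the KMIP Cryptographic Usage Mask enumeration (bit values).
USAGE_BITS = {
    "Sign": 0x0001, "Verify": 0x0002, "Encrypt": 0x0004, "Decrypt": 0x0008,
    "Wrap Key": 0x0010, "Unwrap Key": 0x0020, "Export": 0x0040,
    "MAC Generate": 0x0080, "MAC Verify": 0x0100, "Derive Key": 0x0200,
    "Content Commitment": 0x0400, "Key Agreement": 0x0800,
    "Certificate Sign": 0x1000, "CRL Sign": 0x2000,
}
KNOWN = sum(USAGE_BITS.values())

# Object types outside "Cryptographic Objects", as stated in the thread.
NOT_CRYPTOGRAPHIC = {"Opaque Object", "Template"}

# Assumption: a hypothetical server policy mapping an operation to the bit it
# requires. The thread notes the spec does not define this impact clearly.
REQUIRED_BIT = {
    "Derive Key": "Derive Key", "Encrypt": "Encrypt", "Decrypt": "Decrypt",
    "Sign": "Sign", "Signature Verify": "Verify",
}


def decode_mask(mask):
    """Split a mask into the names of its set bits and any leftover bits."""
    names = [name for name, bit in USAGE_BITS.items() if mask & bit]
    return names, mask & ~KNOWN


def authorize(object_type, mask, operation):
    """Return (allowed, reason) for an operation on a managed object."""
    if object_type in NOT_CRYPTOGRAPHIC:
        return False, f"usage mask does not apply to {object_type}"
    names, leftover = decode_mask(mask)
    if leftover:
        return False, f"bits outside this subset: 0x{leftover:X}"
    needed = REQUIRED_BIT.get(operation)
    if needed is None:
        return False, f"no policy for operation {operation}"
    if needed not in names:
        return False, f"{needed} bit not set (mask has {names})"
    return True, "allowed"


# Constructed sample requests: (object type, mask, operation).
SAMPLES = [
    ("Secret Data", 0x0200, "Derive Key"),        # Derive Key bit set
    ("Secret Data", 0x000C, "Derive Key"),        # Encrypt|Decrypt only
    ("Certificate", 0x0002, "Signature Verify"),  # constructed mask choice
    ("Opaque Object", 0x0200, "Derive Key"),      # attribute not applicable
]

if __name__ == "__main__":
    for obj, mask, op in SAMPLES:
        print(obj, hex(mask), op, "->", authorize(obj, mask, op))
```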

 

