OASIS Mailing List Archives: kmip message

Subject: RE: [kmip] Fwd: The language for Key Mangement Domain


I appreciate this line of Logic - it makes sense.

I vote for Tim's option!

 

Thanks!

 

Chuck

 

From: kmip@lists.oasis-open.org <kmip@lists.oasis-open.org> On Behalf Of Tim Hudson
Sent: Thursday, November 7, 2019 7:13 AM
To: OASIS KMIP Technical Committee <kmip@lists.oasis-open.org>
Subject: Re: [kmip] Fwd: The language for Key Mangement Domain

 

The concept of uniqueness here is something entirely enforced by the server - it has nothing to do with clients at all. 

Including the client in the definition walks into an entirely different concept in my view.

 

Given we have gone around in multiple circles here, I have an alternate solution - we remove "key management domain" from the specification in the (now) five places where it occurs and we replace it with "key management server" making it consistent with that usage elsewhere.

 

This fixes the historical choice of the word "domain" slipping into the specification and avoids using any vendor-specific terminology for a server vendor multi tenancy approach. 

 

Note for reference a typical definition of multitenancy ... 

 

Multitenancy is a reference to the mode of operation of software where multiple independent instances of one or multiple applications operate in a shared environment.

The instances (tenants) are logically isolated, but physically integrated.

 

The KMIP specification refers to clients and servers and the uniqueness enforcement is about the server. We don't state the nature of the technology choices used in the server.

 

So my view is "none of the above" for the two suggested choices in your email below as they both hit issues.

 

Tim.

 

 

On Thu, Nov 7, 2019 at 9:34 PM Tony Cox <tony.cox@cryptsoft.com> wrote:

Folks,

As discussed on last week's call - here is the alternate definition from Chuck W along with his rationale for its construction.

In summary (and for ease of comparison), the two proposed definitions we have on the table so far are:

"A logical grouping of clients and servers where there is a reasonable expectation that a key, or key name is unique. "

and

"An instance of a key management system where uniqueness of objects can reasonably be expected. A key management system may comprise multiple logical partitions (Key management Domains) where uniqueness is preserved within each partition but is not required across all partitions."

 

Cheers,
-Tony Cox

 

 


-------- Forwarded Message --------

Subject: The language for Key Maangement Domain
Date: Thu, 31 Oct 2019 14:42:49 +0000
From: White, Charles <chuck@fornetix.com>
To: 'tony.cox@cryptsoft.com' <tony.cox@cryptsoft.com>



"A logical grouping of clients and servers where there is a reasonable expectation that a key, or key name is unique. "

If you apply a sanity test of an identity domain - you can use similar language: A logical grouping of systems where there is a reasonable expectation that a given system identifier is unique.

This addresses the fact that a domain is more than just servers; it is a collection of Clients and Servers - whether it is physical, virtual, partition, imaginary, rainbows, unicorns, etc.

This also has the benefit of not using the term Domain in the definition.



Chuck White
Fornetix
