OASIS Mailing List Archives

 



kmip message



Subject: FW: cryptographic usage mask after key revocation


This was posted to the kmip-comment distribution list; forwarding to the main TC distribution list. We’ll discuss at today’s meeting.

 

Judy

 

From: Alex Abell <alex.abell@oracle.com>
Sent: Wednesday, October 12, 2022 5:57 PM
To: kmip
Subject: [kmip-comment] cryptographic usage mask after key revocation

 


Hello all,

 

I had a question about the Cryptographic Usage Mask. In the 2.1 version of the spec, it says the following:

 

“Deactivated: The object SHALL NOT be used for applying cryptographic protection (e.g., encryption, signing, wrapping, MACing, deriving). The object SHALL only be used for cryptographic purposes permitted by the Cryptographic Usage Mask attribute. The object SHOULD only be used to process cryptographically-protected information (e.g., decryption, signature verification, unwrapping, MAC verification) under extraordinary circumstances and when special permission is granted.”

 

If the Cryptographic Usage Mask previously allowed only encryption and decryption, and the key is revoked (deactivated), does this mean that:

  1. the Cryptographic Usage Mask’s value on the server is not updated despite the fact that the key should no longer be used for encryption.
  2. the Cryptographic Usage Mask’s value is updated when the key is deactivated, unsetting the encryption bit and leaving the decryption bit set.
  3. something else I haven’t considered? Perhaps unsetting both the encryption and decryption bits?

 

I had always assumed 1) was the case; however, I can’t definitively prove it with anything from the spec, so input would be very appreciated. The closest I found was that “Revoke” was not listed under “When implicitly set” for “4.17 Cryptographic Usage Mask”.

 

Thank you,

Alex Abell
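
The quoted Deactivated rule, sketched as an added example that is not part of the original message or of the KMIP specification. It assumes reading 1 (the stored mask is left unchanged and the server checks object state separately) and shows the mask reading 2 would store instead. `ManagedKey`, `may_use`, `reading2_mask` and the `special_permission` flag are hypothetical names.

```python
from enum import IntEnum, IntFlag

class Mask(IntFlag):
    # Bit values from the KMIP Cryptographic Usage Mask enumeration
    SIGN = 0x001
    VERIFY = 0x002
    ENCRYPT = 0x004
    DECRYPT = 0x008
    WRAP_KEY = 0x010
    UNWRAP_KEY = 0x020
    MAC_GENERATE = 0x080
    MAC_VERIFY = 0x100
    DERIVE_KEY = 0x200

class State(IntEnum):
    # Values from the KMIP State enumeration (only the two used here)
    ACTIVE = 2
    DEACTIVATED = 3

# "Applying cryptographic protection" vs "processing protected information"
PROTECT = (Mask.SIGN | Mask.ENCRYPT | Mask.WRAP_KEY
           | Mask.MAC_GENERATE | Mask.DERIVE_KEY)
PROCESS = Mask.VERIFY | Mask.DECRYPT | Mask.UNWRAP_KEY | Mask.MAC_VERIFY

def may_use(state, mask, op, special_permission=False):
    """Return True if the single usage bit `op` is allowed for this object."""
    if not (mask & op):
        return False                  # SHALL only be used as the mask permits
    if state == State.ACTIVE:
        return True
    if state == State.DEACTIVATED:
        if op & PROTECT:
            return False              # SHALL NOT apply protection
        # SHOULD only process protected data with special permission
        return bool(op & PROCESS) and special_permission
    return False                      # other states are not modelled here

def reading2_mask(mask):
    """Mask a server would store under reading 2 (protection bits unset)."""
    return mask & PROCESS

class ManagedKey:
    def __init__(self, mask):
        self.mask = mask
        self.state = State.ACTIVE

    def revoke(self):
        # Reading 1 (assumption): only the state changes, the mask stays as set
        self.state = State.DEACTIVATED
```

For the encrypt/decrypt key in the question, both readings refuse encryption after revocation; they differ only in what a client sees when it reads the attribute back.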


