Client Registration Open Issues
Update 5/27/2011
Denis Pochuev
(original proposal by Alan Frindell)
List of the open issues
• Username vs. Entity Name
• Implicit Registration response
• “Locate self” – parameter or attribute?
• Which Locate operations should be allowed on Entities?
• Device Credential
• Proxy Registration/Authentication
• CSR Credential
Username vs. Entity Name

Entity
  UUID: ABCD-1234
  Attribute
    Attribute Name: “Credential”
    Attribute Value: …
  Attribute
    Attribute Name: “Name”
    Attribute Value: user1
KMIP Client -> KMIP Server: Auth Request + Create Entity
  KMIP Server: Register Entity
KMIP Server -> KMIP Client: Entity UUID
KMIP Client -> KMIP Server: Create Object
  KMIP Server: Create Object
KMIP Server -> KMIP Client: Obj UUID

Authentication (KMIP Client)
  Credential
    Credential Type: Username and Password
    Credential Value:
      Username: “user1”
      Password: “password”

Register
  Object Type = Entity
  Template-Attribute
    Attribute
      Attribute Name: “Credential”
      Attribute Value:
        Credential Type: Username and Password
        Credential Value:
          Username: “user1”
          Password: “password”
Implicit Registration Response
KMIP Client -> KMIP Server: Auth Request + Create Entity + Create Object
  KMIP Server: Create Object
KMIP Server -> KMIP Client: Entity UUID + Obj UUID
KMIP Client -> KMIP Server: Create Object
  KMIP Server: Create Object
KMIP Server -> KMIP Client: Obj UUID

Authentication
  Credential
    Credential Type: Transport Certificate
    Credential Value: <empty>

Implicit self-registration with cert (+2 object creations).

What if we did not return the Entity UUID? No Error => both the Entity and the Object were created; use “Locate self” to get the Entity UUID.
Locate Self – parameter or attribute?
Alternative 1: Part of Locate
• Entity Identifier, see 9.1.3.2.31
• An enumeration object used by the client to locate Entities with special properties
  Locate
    Entity Identifier = Self

Alternative 2: New attribute
  Locate
    Attribute
      Attribute Name = Entity Identifier
      Attribute Value = Self
What Locate operations should be allowed on Entities?
Find all Entities with Transport Certificate Credentials:
  Locate
    Credential
      Credential Type: Transport Certificate

Find an Entity by its transport certificate:
  Locate
    Credential
      Credential Type: Transport Certificate
      Credential Value:
        Certificate: <certificate>

Find yourself:
  Locate
    Entity Identifier = Self

Find all objects owned by <UUID>:
  Locate
    Owner = <UUID>
Device Credential
Credential/Subject Type          Value
Username and Password (KMIP v1)  00000001
Username                         00000002
Device                           00000003
World Wide Name                  00000004
Distinguished Name               00000005
SAML Subject                     00000006
Open ID                          00000007

Authentication Information Type  Value
Password                         00000001
X.509 Certificate                00000002
Kerberos Ticket                  00000003
Extensions                       8XXXXXXX

Part of an earlier proposal. Needs a “secret” part to protect against entity impersonation.
Proxy Registration/Authentication
Important use case for KMIP participants:
• A single proxy is responsible for establishing and running the TLS tunnel
• Multiple lightweight KMIP clients are connected through the proxy to the server

Should it be a part of the current proposal? Support for devices that cannot save their own UUIDs.
Optional Entity in Authentication Header
Current assumption: 1-to-1 mapping between Credential and Entity (only one Entity corresponds to a given Credential).
Adding attributes to Entity registration + sending the Entity UUID in the Authentication header addresses that issue.

KMIP Client -> KMIP Server: Auth Request + Create Entity
  KMIP Server: Register Entity
KMIP Server -> KMIP Client: Entity UUID
KMIP Client -> KMIP Server: Create Object
  KMIP Server: Create Object
KMIP Server -> KMIP Client: Obj UUID

Authentication (KMIP Client)
  Credential
    Credential Type: Transport Certificate
    Credential Value: <empty>
  Entity UUID = 0x172b45a435890c9078243589de2309458

Register
  Object Type = Entity
  Template-Attribute
    Attribute
      Attribute Name: “Credential”
      Attribute Value:
        Credential Type: Transport Certificate
        Credential Value:
          Certificate
            Certificate Type: X.509
            Certificate Value: <cert>
    Attribute id = 0xb34a32b23a43093d
    Attribute ip-addr = 10.10.10.10
    Attribute mac-addr = 02:ba:d0:ca:fe:99
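The Credential-to-Entity resolution discussed on the implicit-registration, proxy and Entity-UUID-header slides, as an added example that is not part of the original deck (a Python model of the server-side check, not KMIP wire encoding; EntityRegistry, resolve_entity and is_refused are hypothetical names, and the fingerprint and attribute values in the usage are constructed):

```python
import uuid
from dataclasses import dataclass

@dataclass(frozen=True)
class Credential:
    # Identity half of a KMIP Credential as the server keeps it: a username (the
    # password is verified earlier, not stored) or a client-cert fingerprint.
    cred_type: str
    value: str

class EntityRegistry:
    """Hypothetical server-side Credential -> Entity mapping."""

    def __init__(self, implicit_registration=False):
        self.implicit_registration = implicit_registration
        self.entities = {}  # Entity UUID -> (Credential, attributes)
        self.by_cred = {}   # Credential -> set of Entity UUIDs

    def register_entity(self, cred, attributes=None):
        """Register Object Type=Entity with a Credential attribute; returns Entity UUID."""
        eid = str(uuid.uuid4())
        self.entities[eid] = (cred, dict(attributes or {}))
        self.by_cred.setdefault(cred, set()).add(eid)
        return eid

    def resolve_entity(self, cred, entity_uuid=None):
        """Map an Authentication header to exactly one Entity UUID, or refuse."""
        candidates = self.by_cred.get(cred, set())
        if not candidates:
            # Unknown credential: implicit self-registration (slide 4) if enabled,
            # but never when the client also claims an existing Entity UUID.
            if self.implicit_registration and entity_uuid is None:
                return self.register_entity(cred)
            raise PermissionError("unknown credential")
        if entity_uuid is None:
            if len(candidates) == 1:  # the 1-to-1 assumption of slide 9
                return next(iter(candidates))
            # Shared credential (a proxy's TLS cert, slide 8): Entity UUID required.
            raise PermissionError("ambiguous credential: Entity UUID required")
        if entity_uuid not in candidates:
            # Not bound to THIS credential: refuse, so no client acts as another Entity by UUID.
            raise PermissionError("Entity UUID not bound to this credential")
        return entity_uuid

def is_refused(registry, cred, entity_uuid=None):
    try:
        registry.resolve_entity(cred, entity_uuid)
        return False
    except PermissionError:
        return True
```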
Certificate Server Request Credential

Client wants to register an entity and receive a signed Transport Certificate.

KMIP Client -> KMIP Server: Auth Request + Create Entity
  KMIP Server: Register Entity
KMIP Server -> KMIP Client: Entity UUID
KMIP Client -> KMIP Server: Get Certificate
KMIP Server -> KMIP Client: Obj UUID
KMIP Client -> KMIP Server: Create Object, using new certificate
  KMIP Server: Create Object
KMIP Server -> KMIP Client: Obj UUID

Register
  Object Type = Entity
  Template-Attribute
    Attribute
      Attribute Name: “Credential”
      Attribute Value:
        Credential Type: Certificate Request
        Credential Value:
          Certificate
            Certificate Type: X.509
            Certificate Value: CSR

Authentication (KMIP Client, using new certificate)
  Credential
    Credential Type: Transport Certificate
    Credential Value: <empty>