Insert Your Name Insert Your Title Insert Date Client Registration Open Issues Update 5/27/2011 Denis Pochuev (original proposal by Alan Frindell)


Page 1

Client Registration Open Issues

Update 5/27/2011

Denis Pochuev

(original proposal by Alan Frindell)

Page 2

List of the open issues

• Username vs. Entity Name
• Implicit Registration response
• “Locate self” – parameter or attribute?
• Which Locate operations should be allowed on Entities?
• Device Credential
• Proxy Registration/Authentication
• CSR Credential

Page 3

Username vs. Entity Name

[Diagram: KMIP Client / KMIP Server message flow]
  KMIP Client -> KMIP Server: Auth Request + Create Entity
  KMIP Server: Register Entity, returns Entity UUID
  KMIP Client -> KMIP Server: Create Object
  KMIP Server: Create Object, returns Obj UUID

Resulting Entity on the server:
  UUID: ABCD-1234
  Attribute Name: “Credential”, Attribute Value: (the Credential structure shown in the Register request)
  Attribute Name: “Name”, Attribute Value: user1

Authentication header sent by the client:
  Credential
    Credential Type: Username and Password
    Credential Value:
      Username: “user1”
      Password: “password”

Register request sent by the client:
  Object Type = Entity
  Template-Attribute
    Attribute
      Attribute Name: “Credential”
      Attribute Value:
        Credential Type: Username and Password
        Credential Value:
          Username: “user1”
          Password: “password”

Page 4

Implicit Registration Response

[Diagram: KMIP Client / KMIP Server message flow]
  KMIP Client -> KMIP Server: Auth Request + Create Entity + Create Object
  KMIP Server: Create Object, returns Entity UUID + Obj UUID
  KMIP Client -> KMIP Server: Create Object
  KMIP Server: Create Object, returns Obj UUID

Authentication header sent by the client:
  Credential
    Credential Type: Transport Certificate
    Credential Value: <empty>

Implicit self-registration with cert (+2 object creations)

What if we did not return Entity UUID?
  No Error => both Entity and Object were created
  Use “Locate self” to get Entity UUID

Page 5

Locate Self – parameter or attribute?

Alternative 1: Part of Locate
• Entity Identifier, see 9.1.3.2.31
• An enumeration object used by the client to locate Entities with special properties

  Locate
    Entity Identifier = Self

Alternative 2: New attribute

  Locate
    Attribute
      Attribute Name = Entity Identifier
      Attribute Value = Self

Page 6

What Locate operations should be allowed on Entities?

Find all Entities with Transport Certificate Credentials:
  Locate
    Credential
      Credential Type: Transport Certificate

Find an Entity by its transport certificate:
  Locate
    Credential
      Credential Type: Transport Certificate
      Credential Value:
        Certificate: <certificate>

Find yourself:
  Locate
    Entity Identifier = Self

Find all objects owned by <UUID>:
  Locate
    Owner = <UUID>

Page 7

Device Credential

Credential/Subject Type              Value
Username and Password (KMIP v1)      00000001
Username                             00000002
Device                               00000003
World Wide Name                      00000004
Distinguished Name                   00000005
SAML Subject                         00000006
Open ID                              00000007

Authentication Information Type      Value
Password                             00000001
X.509 Certificate                    00000002
Kerberos Ticket                      00000003
Extensions                           8XXXXXXX

Part of an earlier proposal. Needs “secret” part to protect against entity impersonation.

Page 8

Proxy Registration/Authentication

Important use-case

KMIP participants
• Single proxy is responsible for establishment and running of the TLS tunnel
• Multiple lightweight KMIP clients are connected through the proxy to the server

Should it be a part of the current proposal?
  Support for devices that cannot save their own UUIDs

Page 9

Optional Entity in Authentication Header

Current assumption: 1-to-1 mapping between Credential and Entity (only one Entity corresponds to a given Credential)

Adding attributes to Entity registration + sending Entity UUID in Authentication header addresses that issue

[Diagram: KMIP Client / KMIP Server message flow]
  KMIP Client -> KMIP Server: Auth Request + Create Entity
  KMIP Server: Register Entity, returns Entity UUID
  KMIP Client -> KMIP Server: Create Object
  KMIP Server: Create Object, returns Obj UUID

Authentication header sent by the client:
  Credential
    Credential Type: Transport Certificate
    Credential Value: <empty>
  Entity UUID = 0x172b45a435890c9078243589de2309458

Register request sent by the client:
  Object Type = Entity
  Template-Attribute
    Attribute
      Attribute Name: “Credential”
      Attribute Value:
        Credential Type: Transport Certificate
        Credential Value:
          Certificate
            Certificate Type: X.509
            Certificate Value: <cert>
    Attribute id = 0xb34a32b23a43093d
    Attribute ip-addr = 10.10.10.10
    Attribute mac-addr = 02:ba:d0:ca:fe:99
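As an added example (not from these slides and not code from any KMIP implementation), the following Python model shows the server-side resolution that pages 8 and 9 raise: several Entities registered behind one proxy transport certificate, the optional Entity UUID in the Authentication header, and the “Locate self” lookup from pages 4 and 5. The `EntityStore` class, its method names and the constructed credential values are assumptions; Entity objects and Entity Identifier are proposal-only constructs, not items of the published KMIP specification.

```python
from dataclasses import dataclass, field
import uuid


@dataclass
class Entity:
    entity_uuid: str
    credential: tuple      # (credential type, value), e.g. a cert fingerprint
    attributes: dict = field(default_factory=dict)  # id, ip-addr, mac-addr, ...


class EntityStore:
    """Server-side view of registered Entities (hypothetical helper, not KMIP code)."""

    def __init__(self):
        self._by_uuid = {}   # Entity UUID -> Entity
        self._by_cred = {}   # credential -> [Entity UUIDs]; more than one behind a proxy

    def register(self, credential, attributes=None):
        """Register Object Type=Entity: the server assigns the UUID and binds the
        new Entity to the credential that authenticated the request."""
        ent = Entity(str(uuid.uuid4()), credential, dict(attributes or {}))
        self._by_uuid[ent.entity_uuid] = ent
        self._by_cred.setdefault(credential, []).append(ent.entity_uuid)
        return ent.entity_uuid

    def resolve(self, credential, entity_uuid=None):
        """Map an Authentication header to exactly one Entity, or refuse.

        Without an Entity UUID the credential must map 1-to-1 (the current
        assumption on page 9). With one, the server must still check that the
        claimed Entity was registered under the presented credential; accepting
        any UUID would let one client on a shared tunnel act as another Entity.
        """
        candidates = self._by_cred.get(credential, [])
        if entity_uuid is None:
            if len(candidates) != 1:
                raise PermissionError("credential does not identify exactly one Entity")
            return candidates[0]
        if entity_uuid not in candidates:
            raise PermissionError("Entity UUID is not bound to the presented credential")
        return entity_uuid

    def locate_self(self, credential, entity_uuid=None):
        """Locate with Entity Identifier = Self: return the caller's own Entity."""
        return self._by_uuid[self.resolve(credential, entity_uuid)]


# Constructed sample credential: one proxy transport certificate fronting two devices.
PROXY_CERT = ("Transport Certificate", "sha256:constructed-proxy-cert-fingerprint")
```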

Page 10

Certificate Server Request Credential

Client wants to register an entity and receive a signed Transport Certificate

[Diagram: KMIP Client / KMIP Server message flow]
  KMIP Client -> KMIP Server: Auth Request + Create Entity
  KMIP Server: Register Entity, returns Entity UUID
  Get Certificate (Obj UUID)
  KMIP Client -> KMIP Server (using new certificate): Create Object
  KMIP Server: Create Object, returns Obj UUID

Register request sent by the client:
  Object Type = Entity
  Template-Attribute
    Attribute
      Attribute Name: “Credential”
      Attribute Value:
        Credential Type: Certificate Request
        Credential Value:
          Certificate
            Certificate Type: X.509
            Certificate Value: CSR

Authentication header sent by the client (using new certificate):
  Credential
    Credential Type: Transport Certificate
    Credential Value: <empty>