OASIS Key Management Interoperability Protocol (KMIP) TC

  • 1.  Groups - Import Export Operation uploaded

    Posted 11-17-2016 07:38
    Submitter's message: This is an update to the proposal presented at this year's face to face to enable objects to be exported and imported. It addresses the concerns that were raised. -- Anthony Berglas
    Document Name: Import Export Operation
    Description: Revised proposal for a simple Import / Export function.
    Submitter: Anthony Berglas
    Group: OASIS Key Management Interoperability Protocol (KMIP) TC
    Folder: Drafts
    Date submitted: 2016-11-16 23:37:31


  • 2.  RE: [kmip] Groups - Import Export Operation uploaded

    Posted 11-17-2016 11:34
    Hi Anthony,

    I’ll be in the air during today’s KMIP call so I won’t be able to attend. If this topic is discussed on the call, here are some initial thoughts I have on what needs to be addressed:

    Attributes defined as vendor extensions
      - Drop? Error? Other?
    Links
      - How to handle links to UIDs that don't exist
        - Should links be allowed to point to non-existent objects?
        - Should all objects be imported first, and then Add Attribute used?
    Incompatible UID format
      - For example, UID vs URN vs ...
      - What if a server cannot handle the format of the UID provided in the import?
      - What if the UID in a link attribute is in a format that the server cannot handle?
      - Should there be a means for translating the input UID into a format handled by the server?
        - Add a new multi-valued attribute, "Original UID"?
    UID clash
      - This is possible as currently the UID is only required to be unique within a single KM server
    Traceability
      - For some customers it is important to be able to trace back to the source of the object
      - A new attribute, "Imported From"?
        - From what?
    Wrapped object value
      - Is this fundamentally different to link?
      - Are wrapped objects unwrapped during export, or not?

    Regards,
    John


  • 3.  Re: [GRAYMAIL] [kmip] Groups - Import Export Operation uploaded

    Posted 11-17-2016 20:41
    Hi Anthony,

    I like this idea and we would add it into our client SDK library.

    I do have a few questions:

    (1) How do we export a chain of objects? So, for example, let's say we have 2 Opaque objects on a KMIP server where one has a Child Link / Parent Link between the two. I believe your description would have them exported / imported separately, but why not as one unit? Exporting / importing as one unit will decrease the chance of links being broken. This is also relevant for re-keyed objects.

    (2) Also, what happens if an importing server does not understand all the attributes? I know of a KMIP server that does not implement all 1.2 attributes.

    (3) I do believe we have an issue with unique identifiers. If a customer wants to export from one vendor into a completely different vendor, the scheme you suggest might lead to import failures.

    (4) Can this work if a KMIP server is in FIPS mode?

    Best,
    Mark Joseph
    P6R, Inc


  • 4.  RE: [kmip] Re: [GRAYMAIL] [kmip] Groups - Import Export Operation uploaded

    Posted 11-17-2016 20:59

    Howdy Mark!

    As long as the exported data is leaving the defined crypto boundary of a given server in an encrypted format (TLS, SSL, IPSEC, etc.) it is FIPS compliant, from my understanding.

    A failure attribute per imported attribute, maybe? It could be an attribute type that defines the name of the attribute that failed.

    Chaining Export seems like a good idea – maybe an export type? Something along the lines of a recursive export.

    Thanks!

    Chuck
     


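A way to try out the import-side questions raised in the thread (links to UIDs that don't exist, UID format mismatch and clash, attributes the importing server does not implement, traceability) together with the chained export Mark asks about. This is an added illustration written for this page; it is not code from the proposal document, from any TC member, or from any KMIP implementation. The two-phase import (create every object under a server-chosen UID, then add links), the "Original UID" and "Imported From" attribute names (John's suggestions, treated here as plain attributes), the `Server` UID allocator, the `KNOWN_ATTRIBUTES` subset and the sample objects are all assumptions; the Link Type names and the "x-"/"y-" prefix for custom attributes are the KMIP 1.x conventions.

```python
"""Illustrative model of KMIP export/import handling (added example, not the TC proposal)."""
from dataclasses import dataclass, field

# KMIP 1.x Link Type names used in the walk below.
PARENT_LINK = "Parent Link"
CHILD_LINK = "Child Link"
REPLACED_LINK = "Replaced Object Link"
REPLACEMENT_LINK = "Replacement Object Link"

# A small subset of KMIP 1.2 attribute names, standing in for what one importing
# server happens to implement (assumption; real servers vary, as Mark notes).
KNOWN_ATTRIBUTES = {"Cryptographic Algorithm", "Cryptographic Length", "Name", "State"}


@dataclass
class ManagedObject:
    uid: str
    attributes: dict                             # attribute name -> value
    links: list = field(default_factory=list)    # (Link Type, target UID)


class Server:
    """Toy KMIP server: a UID allocator plus an object table (assumption)."""

    def __init__(self, uid_prefix):
        self.objects = {}
        self._counter = 0
        self._prefix = uid_prefix

    def allocate_uid(self):
        self._counter += 1
        return f"{self._prefix}{self._counter}"


def export_closure(store, root_uid):
    """Export root_uid plus everything reachable through Link attributes, as one unit."""
    seen, bundle, todo = set(), [], [root_uid]
    while todo:
        uid = todo.pop()
        if uid in seen or uid not in store:   # already exported, or dangling on the source
            continue
        seen.add(uid)
        bundle.append(store[uid])
        todo.extend(target for _, target in store[uid].links)
    return bundle


def import_bundle(bundle, server, known_attributes, on_dangling="error", exporter="source-server"):
    """Two-phase import: create every object under a server-chosen UID, then re-point links.

    Returns (uid_map, report): uid_map maps exporter UIDs to the new ones; report lists
    attributes the server did not understand and links whose target was not in the bundle.
    """
    uid_map = {}
    report = {"dropped_attributes": [], "dangling_links": []}

    # Phase 1: never reuse the exporter's UID. A fresh UID sidesteps both clashes
    # (UIDs are only unique per server) and format mismatches (URN vs plain string).
    for obj in bundle:
        new_uid = server.allocate_uid()
        uid_map[obj.uid] = new_uid
        attrs = {}
        for name, value in obj.attributes.items():
            # Keep standard attributes the server implements and "x-"/"y-" custom
            # attributes; anything else is dropped and reported, not a hard failure.
            if name in known_attributes or name.startswith(("x-", "y-")):
                attrs[name] = value
            else:
                report["dropped_attributes"].append((obj.uid, name))
        # Traceability, using the attribute names John floated (names are an assumption).
        attrs["Original UID"] = obj.uid
        attrs["Imported From"] = exporter
        server.objects[new_uid] = ManagedObject(new_uid, attrs)

    # Phase 2: links are set only once every target exists ("import first, then Add Attribute").
    for obj in bundle:
        for link_type, target in obj.links:
            if target in uid_map:
                server.objects[uid_map[obj.uid]].links.append((link_type, uid_map[target]))
            elif on_dangling == "error":
                raise ValueError(f"{obj.uid}: {link_type} to unknown object {target}")
            else:  # "drop": keep the object, record the broken link for the operator
                report["dangling_links"].append((obj.uid, link_type, target))
    return uid_map, report


def build_sample_store():
    """Constructed source data: a parent key, its child, and a link to a replacement
    object that is not in the store (a re-keyed successor that was never exported)."""
    k1 = ManagedObject("urn:uuid:k1",
                       {"Cryptographic Algorithm": "AES", "Cryptographic Length": 256,
                        "x-Site": "Canberra", "Vendor Only Attribute": "opaque"},
                       [(CHILD_LINK, "urn:uuid:k2")])
    k2 = ManagedObject("urn:uuid:k2",
                       {"Cryptographic Algorithm": "AES", "Cryptographic Length": 256},
                       [(PARENT_LINK, "urn:uuid:k1"), (REPLACEMENT_LINK, "urn:uuid:k3")])
    return {k1.uid: k1, k2.uid: k2}


if __name__ == "__main__":
    bundle = export_closure(build_sample_store(), "urn:uuid:k1")
    uid_map, report = import_bundle(bundle, Server("srv-"), KNOWN_ATTRIBUTES, on_dangling="drop")
    print(uid_map)
    print(report)
```

With `on_dangling="error"` the import aborts on the first link whose target is missing, which is the strict answer to John's first Links question; `"drop"` is the permissive one, and the report is what a per-attribute failure indicator of the kind Chuck suggests would carry back to the client. Note that the error path raises after phase 1 has already created objects, so a real server would need to make the whole import transactional rather than leave half a bundle behind.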