KMIP-interop-tech

  • 1.  Symmetric Key Foundry FIPS140 test cases proposal

    Posted 01-11-2013 08:05
    There may still be glitches in this but I think it is fairly complete for what is required.  I used XML based on readability although my cut and paste from the parser required reformatting thus the lateness of the delivery today.  I put it back in Word 97 to 2003 format which my current version changed some formatting I had, so more delays.

    The test cases cover AES and 3DES as mandatory and Skipjack as optional.  I included 3DES 112 (2 key) but I know that is being or has been deprecated so can be removed if people want.

    These are the first set of tests I would like to include in next week’s interoperability tests for RSA again as optional tests for those who want to give it a go.  I am looking for feedback on these test cases as some of the test cases included apply to existing profiles in 1.1 and thus 1.2 as well as some of the newer proposed or discussed profiles.  If I get a chance to ship one additional by tomorrow I will do so as it relates to opaque objects ranging in size from a few bytes to potentially megabytes as discussed on the call today (John Leiseboer, if you have something already I am wide open to it as time is very limited for me over the next week or two).

    Bob L.

    Robert A. (Bob) Lockhart
    Chief Solutions Architect – Key Management
    Thales e-Security, Inc.

    Attachment: kmip-test-v1.2-sym-key-foundry-FIPS140-wd01.doc




  • 2.  Re: [kmip-interop-tech] Symmetric Key Foundry FIPS140 test cases proposal

    Posted 01-11-2013 17:51
    Yes, please move DES3-112 from mandatory
    to optional (so cases SKFF-M-4, SKFF-M-9, SKFF-M-14...all to SKFF-O-somethingorother).

    The only other immediate comment was
    that it was a little jarring to see most of the testcases run AFTER revoking
    the key, but I agree that since the server doesn't police the key state
    but just reports it, the testcases should run just fine.

    Bruce A Rich
    brich at-sign us dot ibm dot com








  • 3.  Re: [kmip-interop-tech] Symmetric Key Foundry FIPS140 test cases proposal

    Posted 01-11-2013 20:14
    I will take care of moving them later tonight when I get back to the Bay Area if no one else minds. I was hesitant to put them as mandatory but I figured might as well keep algorithms grouped.

    Bob L.

    Robert A. (Bob) Lockhart
    Chief Solutions Architect - Key Management
    THALES e-Security, Inc.


  • 4.  Re: [kmip-interop-tech] Symmetric Key Foundry FIPS140 test cases proposal

    Posted 01-11-2013 20:46
    Since I don't officially support 1.1 yet, and will not for the RSA conference, my server will fail all of these tests because they all use KMIP 1.1 client.

    At the of the doc, it refers to "Key Management Interoperability Protocol Profiles Version 1.0", so I'm not sure if this is intentional (to exclude 1.0 servers) or not. It's not a problem for me -- I'm just pointing it out.

    I would like to verify, though, that the proper response for any 1.1 request to a 1.0 server is to fail the command. That is, a 1.0 server is not allowed to execute any request from a 1.1 client.

    Regards,
    Jim


  • 5.  Re: [kmip-interop-tech] Symmetric Key Foundry FIPS140 test cases proposal

    Posted 01-11-2013 20:48
    On 12/01/2013 6:45 AM, Jim Flood wrote:
    > Since I don't officially support 1.1 yet, and will not for the RSA
    > conference, my server will fail all of these tests because they all
    > use KMIP 1.1 client.

    > I would like to verify, though, that the proper response for any 1.1
    > request to a 1.0 server is to fail the command. That is, a 1.0 server
    > is not allowed to execute any request from a 1.1 client.

    A variation of those tests which use 1.0 is easily produced but the responses under 1.1 in a couple of places are different.

    If you don't support a minor version of a protocol you should fail the request rather than respond with an incorrect version.

    Tim.
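
The version check discussed in the two messages above, as an added example that is not part of any message in this thread and not code from any KMIP product: it reads the Protocol Version out of a KMIP TTLV request header and decides whether the server should fail the request. The helper names, the constructed sample request and the assumption that the server supports exactly version 1.0 are illustrative.

```python
import struct

# KMIP TTLV tags and item types (values from the KMIP specification)
TAG_REQUEST_MESSAGE, TAG_REQUEST_HEADER = 0x420078, 0x420077
TAG_PROTOCOL_VERSION = 0x420069
TAG_VERSION_MAJOR, TAG_VERSION_MINOR = 0x42006A, 0x42006B
TYPE_STRUCTURE, TYPE_INTEGER = 0x01, 0x02

def ttlv(tag, item_type, value):
    """Encode one item: 3-byte tag, 1-byte type, 4-byte length, value padded to 8."""
    head = tag.to_bytes(3, "big") + bytes([item_type]) + struct.pack(">I", len(value))
    return head + value + b"\x00" * ((-len(value)) % 8)

def children(buf):
    """Yield (tag, type, value) for each item in buf; reject truncated input."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated TTLV header")
        tag, item_type = int.from_bytes(buf[off:off + 3], "big"), buf[off + 3]
        (length,) = struct.unpack(">I", buf[off + 4:off + 8])
        end = off + 8 + length
        if end > len(buf):
            raise ValueError("TTLV length exceeds buffer")
        yield tag, item_type, buf[off + 8:end]
        off = end + (-length) % 8          # skip padding to the 8-byte boundary

def find(buf, tag, item_type, size=None):
    """Return the value of the first child with this tag and type."""
    for t, ty, value in children(buf):
        if t == tag and ty == item_type and size in (None, len(value)):
            return value
    raise ValueError(f"missing or malformed item {tag:06X}")

def request_version(message):
    """Extract (major, minor) from Request Message > Request Header > Protocol Version."""
    body = find(message, TAG_REQUEST_MESSAGE, TYPE_STRUCTURE)
    header = find(body, TAG_REQUEST_HEADER, TYPE_STRUCTURE)
    version = find(header, TAG_PROTOCOL_VERSION, TYPE_STRUCTURE)
    major = find(version, TAG_VERSION_MAJOR, TYPE_INTEGER, size=4)
    minor = find(version, TAG_VERSION_MINOR, TYPE_INTEGER, size=4)
    return struct.unpack(">i", major)[0], struct.unpack(">i", minor)[0]

def must_fail(message, supported=frozenset({(1, 0)})):
    """True when the request's version is unsupported and the request is to be failed."""
    return request_version(message) not in supported

def sample_request(major, minor):
    """Constructed sample: a request whose header carries only the protocol version."""
    version = (ttlv(TAG_VERSION_MAJOR, TYPE_INTEGER, struct.pack(">i", major))
               + ttlv(TAG_VERSION_MINOR, TYPE_INTEGER, struct.pack(">i", minor)))
    header = ttlv(TAG_REQUEST_HEADER, TYPE_STRUCTURE,
                  ttlv(TAG_PROTOCOL_VERSION, TYPE_STRUCTURE, version))
    return ttlv(TAG_REQUEST_MESSAGE, TYPE_STRUCTURE, header)
```
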


  • 6.  RE: [kmip-interop-tech] Symmetric Key Foundry FIPS140 test cases proposal

    Posted 01-12-2013 04:25
    Updated document with 2 Key TDES moved to Optional section.

    For reference SP800-131A has 2TDEA (2 Key 3DES) deprecated as of December 31, 2010. Transition of 2TDEA for NIST started on January 1, 2011 and goes through December 31, 2015 when it is to no longer be used.

    Bob L.

    Robert A. (Bob) Lockhart
    Chief Solution Architect - Key Management
    THALES e-Security, Inc.

    Attachment: kmip-test-v1.2-sym-key-foundry-FIPS140-wd02.doc
