OASIS Key Management Interoperability Protocol (KMIP) TC

  • 1.  Fw: [kmip] Additional clarity around KMIP object owner

    Posted 10-15-2009 01:03

    It's been pointed out that the spec uses the term "creator" rather than "owner" (thanks, Steve and Marko), so better text might be:

    3.1.4        Relationship between credential and object creator
    KMIP objects have a creator.  The KMIP server SHALL interpret the Credential object as the identity of the requestor if such a Credential is specified in the request.  If a Credential object is not specified, KMIP SHALL use the certificate passed in the channel binding (or some unique value derived from the certificate or its components) as the identity of the requestor.  For those KMIP requests that result in new managed objects this identity SHALL be used as the creator of the managed object.  For those operations that only access pre-existent managed objects, this identity SHALL be checked against the creator, and access SHALL be controlled as detailed in section 3.13 of [KMIP].


    And I'll refrain from talking the "creator endowed with certain unalienable rights...", but I really wanted to slip that in there somewhere.


    Bruce A Rich
    brich at-sign us dot ibm dot com

    ----- Forwarded by Bruce Rich/Austin/IBM on 10/14/2009 07:52 PM -----
    From: Bruce Rich/Austin/IBM@IBMUS
    To: kmip@lists.oasis-open.org
    Date: 10/14/2009 12:51 PM
    Subject: [kmip] Additional clarity around KMIP object owner






    Although we've clarified KMIP client/server authentication in the KMIP Profiles document, I think the concept of "owner of KMIP object" needs to be tied a bit more tightly to the authentication.


    I propose this language be added as section 3.1.4 in the Profiles doc:


    3.1.4        Object Ownership

    KMIP objects have an owner.  The KMIP server SHALL interpret the Credential object as the identity of the requestor if such a Credential is specified in the request.  If a Credential object is not specified, KMIP SHALL use the certificate passed in the channel binding (or some unique value derived from the certificate or its components) as the identity of the requestor.  For those KMIP requests that result in new managed objects this identity SHALL be used as the owner of the managed object.  For those operations that only access pre-existent managed objects, this identity SHALL be checked against the owner, and access SHALL be controlled as detailed in section 3.13 of [KMIP].



    Bruce A Rich
    brich at-sign us dot ibm dot com



  • 2.  RE: [kmip] Additional clarity around KMIP object owner

    Posted 10-15-2009 21:12
    
    
    
    
    

    Bruce and all,

    In the Usage Guide, we currently address the case where clients may include the Credential attribute as additional identification information. We explicitly point out that if the Credential attribute is not part of the chosen authentication suite, the Credential attribute cannot be used to assert that an identity has been authenticated.

    Similarly, the profiles spec explicitly points out that the Credential object may be used to pass additional identification information. This should not, however, be used as an alternative authentication mechanism.

    Bruce's proposal allows the Credential object to be used to interpret the identity of the requestor. If a Credential object is not specified the certificate shall be used as the identity of the requestor.

    There appears to be a disconnect. We cannot use the Credential object as the primary source for interpreting the identity of the requestor, if the Credential object is not part of the authentication suite. The authentication process will determine and authenticate the identity of the requestor. Decoupling the authentication and identity interpretation process could potentially weaken the security of the authentication process and restrict certain use-cases. For example, clients may provide the username inside the certificate and provide additional identification information inside the credential object. According to Bruce's proposal, the identity specified inside the certificate will not be acknowledged if the credential object contains a different username.

    To resolve this, we need to explicitly allow the Credential object to be used during the authentication of the requestor. Depending on the server's configuration, this may or may not be required by the server. If both the certificate and Credential object contain the identity of the requestor, the server shall verify that they are the same. If they differ, the authentication fails and the server shall return an error.

    We also need to update the KMIP docs (i.e. the profiles spec and Usage Guide) to make sure that they are consistent.

    Regards,

    Indra


    From: Bruce Rich [mailto:brich@us.ibm.com]
    Sent: Wednesday, October 14, 2009 6:02 PM
    To: kmip@lists.oasis-open.org
    Subject: Fw: [kmip] Additional clarity around KMIP object owner


    It's been pointed out that the spec uses the term "creator" rather than "owner" (thanks, Steve and Marko), so better text might be:

    3.1.4        Relationship between credential and object creator
    KMIP objects have a creator.  The KMIP server SHALL interpret the Credential object as the identity of the requestor if such a Credential is specified in the request.  If a Credential object is not specified, KMIP SHALL use the certificate passed in the channel binding (or some unique value derived from the certificate or its components) as the identity of the requestor.  For those KMIP requests that result in new managed objects this identity SHALL be used as the creator of the managed object.  For those operations that only access pre-existent managed objects, this identity SHALL be checked against the creator, and access SHALL be controlled as detailed in section 3.13 of [KMIP].


    And I'll refrain from talking the "creator endowed with certain unalienable rights...", but I really wanted to slip that in there somewhere.


    Bruce A Rich
    brich at-sign us dot ibm dot com

    ----- Forwarded by Bruce Rich/Austin/IBM on 10/14/2009 07:52 PM -----
    From: Bruce Rich/Austin/IBM@IBMUS
    To: kmip@lists.oasis-open.org
    Date: 10/14/2009 12:51 PM
    Subject: [kmip] Additional clarity around KMIP object owner






    Although we've clarified KMIP client/server authentication in the KMIP Profiles document, I think the concept of "owner of KMIP object" needs to be tied a bit more tightly to the authentication.


    I propose this language be added as section 3.1.4 in the Profiles doc:


    3.1.4        Object Ownership

    KMIP objects have an owner.  The KMIP server SHALL interpret the Credential object as the identity of the requestor if such a Credential is specified in the request.  If a Credential object is not specified, KMIP SHALL use the certificate passed in the channel binding (or some unique value derived from the certificate or its components) as the identity of the requestor.  For those KMIP requests that result in new managed objects this identity SHALL be used as the owner of the managed object.  For those operations that only access pre-existent managed objects, this identity SHALL be checked against the owner, and access SHALL be controlled as detailed in section 3.13 of [KMIP].



    Bruce A Rich
    brich at-sign us dot ibm dot com



  • 3.  RE: [kmip] Additional clarity around KMIP object owner

    Posted 10-16-2009 10:46

    Indra,

    I believe that specifying the protection that KMIP servers will offer their users is important enough to specify in normative text.  That said, the focus of KMIP v1 is mainly on the protocol for information exchange, not the set of allowable mechanisms for protecting such information in transit, nor the identity proof mechanisms between endpoints.  The challenge is to find a mechanism for protection and proof that offers adequate safeguards, yet leaves some maneuvering room to allow multiple possible usecases.  The troika of mutual channel authentication via SSL/TLS, a Credential structure in the request header and an operational policy name promise made by the server is the set of things that must work together to codify the protection that KMIP servers will offer their users.  I think that in the absence of a Credential structure in the request (and the concomitant  usage of the peer certificate from the channel binding), if the KMIP server says that the OperationalPolicyName for an object that it created/registered is "default", then the KMIP user has a decent understanding of the protections that will be provided.  The rub comes when the KMIP user chooses to also pass a Credential structure on the request.  As you point out, the Usage Guide would suggest a relationship between the certificate on the binding to the credential on the request somehow, perhaps to further constrain the certificate usage.  I believe the presence of a credential in the request should open up a new set of usecases, not further constrain things (just as an OperationalPolicyName other than "default" opens up new possibilities).  My change was to clearly define a mechanism to allow the KMIP user to constrain KMIP server behavior (by omitting the Credential).  The language used had the effect of also loosening it on the other hand (if the KMIP user chooses a credential not related to that supplied on channel binding).  My main focus was on getting normative protection for KMIP users.  At the time I proposed the text, I did not realize that the Usage Guide had language that spoke so clearly in the opposite direction, so now we will have to work this out.  Unfortunately, I will only be intermittently connected over the next week and a half, so I will not be able to be very responsive.

    Bruce A Rich
    brich at-sign us dot ibm dot com



    From: "Fitzgerald, Indra" <indra.fitzgerald@hp.com>
    To: Bruce Rich/Austin/IBM@IBMUS, "kmip@lists.oasis-open.org" <kmip@lists.oasis-open.org>
    Date: 10/15/2009 04:15 PM
    Subject: RE: [kmip] Additional clarity around KMIP object owner





    Bruce and all,

    In the Usage Guide, we currently address the case where clients may include the Credential attribute as additional identification information. We explicitly point out that if the Credential attribute is not part of the chosen authentication suite, the Credential attribute cannot be used to assert that an identity has been authenticated.

    Similarly, the profiles spec explicitly points out that the Credential object may be used to pass additional identification information. This should not, however, be used as an alternative authentication mechanism.

    Bruce's proposal allows the Credential object to be used to interpret the identity of the requestor. If a Credential object is not specified the certificate shall be used as the identity of the requestor.

    There appears to be a disconnect. We cannot use the Credential object as the primary source for interpreting the identity of the requestor, if the Credential object is not part of the authentication suite. The authentication process will determine and authenticate the identity of the requestor. Decoupling the authentication and identity interpretation process could potentially weaken the security of the authentication process and restrict certain use-cases. For example, clients may provide the username inside the certificate and provide additional identification information inside the credential object. According to Bruce's proposal, the identity specified inside the certificate will not be acknowledged if the credential object contains a different username.

    To resolve this, we need to explicitly allow the Credential object to be used during the authentication of the requestor. Depending on the server's configuration, this may or may not be required by the server. If both the certificate and Credential object contain the identity of the requestor, the server shall verify that they are the same. If they differ, the authentication fails and the server shall return an error.

    We also need to update the KMIP docs (i.e. the profiles spec and Usage Guide) to make sure that they are consistent.

    Regards,

    Indra


    From: Bruce Rich [mailto:brich@us.ibm.com]
    Sent:
    Wednesday, October 14, 2009 6:02 PM
    To:
    kmip@lists.oasis-open.org
    Subject:
    Fw: [kmip] Additional clarity around KMIP object owner



    It's been pointed out that the spec uses the term "creator" rather than "owner" (thanks, Steve and Marko), so better text might be:


    3.1.4        Relationship between credential and object creator

    KMIP objects have a creator.  The KMIP server SHALL interpret the Credential object as the identity of the requestor if such a Credential is specified in the request.  If a Credential object is not specified, KMIP SHALL use the certificate passed in the channel binding (or some unique value derived from the certificate or its components) as the identity of the requestor.  For those KMIP requests that result in new managed objects this identity SHALL be used as the creator of the managed object.  For those operations that only access pre-existent managed objects, this identity SHALL be checked against the creator, and access SHALL be controlled as detailed in section 3.13 of [KMIP].


    And I'll refrain from talking the "creator endowed with certain unalienable rights...", but I really wanted to slip that in there somewhere.


    Bruce A Rich
    brich at-sign us dot ibm dot com


    ----- Forwarded by Bruce Rich/Austin/IBM on 10/14/2009 07:52 PM -----
    From: Bruce Rich/Austin/IBM@IBMUS
    To: kmip@lists.oasis-open.org
    Date: 10/14/2009 12:51 PM
    Subject: [kmip] Additional clarity around KMIP object owner







    Although we've clarified KMIP client/server authentication in the KMIP Profiles document, I think the concept of "owner of KMIP object" needs to be tied a bit more tightly to the authentication.


    I propose this language be added as section 3.1.4 in the Profiles doc:


    3.1.4        Object Ownership

    KMIP objects have an owner.  The KMIP server SHALL interpret the Credential object as the identity of the requestor if such a Credential is specified in the request.  If a Credential object is not specified, KMIP SHALL use the certificate passed in the channel binding (or some unique value derived from the certificate or its components) as the identity of the requestor.  For those KMIP requests that result in new managed objects this identity SHALL be used as the owner of the managed object.  For those operations that only access pre-existent managed objects, this identity SHALL be checked against the owner, and access SHALL be controlled as detailed in section 3.13 of [KMIP].



    Bruce A Rich
    brich at-sign us dot ibm dot com




  • 4.  RE: [kmip] Additional clarity around KMIP object owner

    Posted 10-17-2009 00:27
    
    
    
    
    

    Hi Bruce,

    I agree that it is essential to get normative protection for KMIP users. I am not suggesting for us to exclude the Credential structure. I just want to make sure that we fully understand the implication of including your proposed text and realize that this approach differs from what we previously agreed on. I also want to make sure that the documents are consistent.

    Please see below for the changes I am proposing to the Client Authenticity section (3.1.3) in the Profiles spec, your proposed text, and the Authentication section in the Usage Guide (3.1). If anyone disagrees or would like to rewrite this, please chime in.

    Regards,

    Indra

    Profiles spec:

    3.1 3     Client Authenticity

    Client authenticity is proven by the use of channel (SSL/TLS) level mutual authentication. Vendors MAY use the Credential object for passing additional identification information. This SHOULD NOT, however, be used as an alternative authentication mechanism to the chosen authentication set. If the Credential object is specified in the request and the identity of the requestor is provided in both the Credential object and during the channel level authentication, the KMIP server SHALL verify that the identities are the same. If they differ, the authentication fails and the server SHALL return an error. The actual mechanics of how the server ensures client authenticity is beyond the scope of this version of the specification.

    The text proposed by Bruce (slightly modified): 

    3.1.4        Relationship between credential and object creator
    KMIP objects have a creator.  The KMIP server SHALL interpret determine the identity of the requestor from the cCredentials object as the identity of the requestor if such a Credential is specified in the requestspecified during the authentication process. The authentication mechanism SHALL be one of the chosen authentication suites as specified in this Profiles specification.  If a Credential object is not specified, KMIP SHALL use the certificate passed in the channel binding (or some unique value derived from the certificate or its components) as the identity of the requestor.  For those KMIP requests that result in new managed objects this identity SHALL be used as the creator of the managed object.  For those operations that only access pre-existent managed objects, this identity SHALL be checked against the creator, and access SHALL be controlled as detailed in section 3.13 of [KMIP].

    Paragraph from Section 3.1 of the Usage Guide

    KMIP implementations that use other vendor-specific mechanisms for authentication may use the Credential attribute to include additional identification information. For example, in addition to performing mutual authentication during SSL/TLS, the client passes the Credential object in the request. If the client provides the username of the requestor in both the client certificate and the Credential object, the server verifies that the usernames are the same. If they differ, the authentication fails and the server returns an error. If the username is only specified in the Credential object, the server interprets the identity of the requestor from the Credential object. However, if this authentication option is not part of the chosen KMIP authentication suite, it should not be used to assert that an identity has been authenticated or be used as an alternative to the chosen KMIP authentication suite.



    From: Bruce Rich [mailto:brich@us.ibm.com]
    Sent: Friday, October 16, 2009 3:45 AM
    To: Fitzgerald, Indra
    Cc: kmip@lists.oasis-open.org
    Subject: RE: [kmip] Additional clarity around KMIP object owner


    Indra,

    I believe that specifying the protection that KMIP servers will offer their users is important enough to specify in normative text.  That said, the focus of KMIP v1 is mainly on the protocol for information exchange, not the set of allowable mechanisms for protecting such information in transit, nor the identity proof mechanisms between endpoints.  The challenge is to find a mechanism for protection and proof that offers adequate safeguards, yet leaves some maneuvering room to allow multiple possible usecases.  The troika of mutual channel authentication via SSL/TLS, a Credential structure in the request header and an operational policy name promise made by the server is the set of things that must work together to codify the protection that KMIP servers will offer their users.  I think that in the absence of a Credential structure in the request (and the concomitant  usage of the peer certificate from the channel binding), if the KMIP server says that the OperationalPolicyName for an object that it created/registered is "default", then the KMIP user has a decent understanding of the protections that will be provided.  The rub comes when the KMIP user chooses to also pass a Credential structure on the request.  As you point out, the Usage Guide would suggest a relationship between the certificate on the binding to the credential on the request somehow, perhaps to further constrain the certificate usage.  I believe the presence of a credential in the request should open up a new set of usecases, not further constrain things (just as an OperationalPolicyName other than "default" opens up new possibilities).  My change was to clearly define a mechanism to allow the KMIP user to constrain KMIP server behavior (by omitting the Credential).  The language used had the effect of also loosening it on the other hand (if the KMIP user chooses a credential not related to that supplied on channel binding).  My main focus was on getting normative protection for KMIP users.  At the time I proposed the text, I did not realize that the Usage Guide had language that spoke so clearly in the opposite direction, so now we will have to work this out.  Unfortunately, I will only be intermittently connected over the next week and a half, so I will not be able to be very responsive.

    Bruce A Rich
    brich at-sign us dot ibm dot com



    From: "Fitzgerald, Indra" <indra.fitzgerald@hp.com>
    To: Bruce Rich/Austin/IBM@IBMUS, "kmip@lists.oasis-open.org" <kmip@lists.oasis-open.org>
    Date: 10/15/2009 04:15 PM
    Subject: RE: [kmip] Additional clarity around KMIP object owner





    Bruce and all,

    In the Usage Guide, we currently address the case where clients may include the Credential attribute as additional identification information. We explicitly point out that if the Credential attribute is not part of the chosen authentication suite, the Credential attribute cannot be used to assert that an identity has been authenticated.

    Similarly, the profiles spec explicitly points out that the Credential object may be used to pass additional identification information. This should not, however, be used as an alternative authentication mechanism.

    Bruce's proposal allows the Credential object to be used to interpret the identity of the requestor. If a Credential object is not specified the certificate shall be used as the identity of the requestor.

    There appears to be a disconnect. We cannot use the Credential object as the primary source for interpreting the identity of the requestor, if the Credential object is not part of the authentication suite. The authentication process will determine and authenticate the identity of the requestor. Decoupling the authentication and identity interpretation process could potentially weaken the security of the authentication process and restrict certain use-cases. For example, clients may provide the username inside the certificate and provide additional identification information inside the credential object. According to Bruce's proposal, the identity specified inside the certificate will not be acknowledged if the credential object contains a different username.

    To resolve this, we need to explicitly allow the Credential object to be used during the authentication of the requestor. Depending on the server's configuration, this may or may not be required by the server. If both the certificate and Credential object contain the identity of the requestor, the server shall verify that they are the same. If they differ, the authentication fails and the server shall return an error.

    We also need to update the KMIP docs (i.e. the profiles spec and Usage Guide) to make sure that they are consistent.

    Regards,

    Indra


    From: Bruce Rich [mailto:brich@us.ibm.com]
    Sent:
    Wednesday, October 14, 2009 6:02 PM
    To:
    kmip@lists.oasis-open.org
    Subject:
    Fw: [kmip] Additional clarity around KMIP object owner



    It's been pointed out that the spec uses the term "creator" rather than "owner" (thanks, Steve and Marko), so better text might be:


    3.1.4        Relationship between credential and object creator

    KMIP objects have a creator.  The KMIP server SHALL interpret the Credential object as the identity of the requestor if such a Credential is specified in the request.  If a Credential object is not specified, KMIP SHALL use the certificate passed in the channel binding (or some unique value derived from the certificate or its components) as the identity of the requestor.  For those KMIP requests that result in new managed objects this identity SHALL be used as the creator of the managed object.  For those operations that only access pre-existent managed objects, this identity SHALL be checked against the creator, and access SHALL be controlled as detailed in section 3.13 of [KMIP].


    And I'll refrain from talking the "creator endowed with certain unalienable rights...", but I really wanted to slip that in there somewhere.


    Bruce A Rich
    brich at-sign us dot ibm dot com


    ----- Forwarded by Bruce Rich/Austin/IBM on 10/14/2009 07:52 PM -----
    From: Bruce Rich/Austin/IBM@IBMUS
    To: kmip@lists.oasis-open.org
    Date: 10/14/2009 12:51 PM
    Subject: [kmip] Additional clarity around KMIP object owner







    Although we've clarified KMIP client/server authentication in the KMIP Profiles document, I think the concept of "owner of KMIP object" needs to be tied a bit more tightly to the authentication.


    I propose this language be added as section 3.1.4 in the Profiles doc:


    3.1.4        Object Ownership

    KMIP objects have an owner.  The KMIP server SHALL interpret the Credential object as the identity of the requestor if such a Credential is specified in the request.  If a Credential object is not specified, KMIP SHALL use the certificate passed in the channel binding (or some unique value derived from the certificate or its components) as the identity of the requestor.  For those KMIP requests that result in new managed objects this identity SHALL be used as the owner of the managed object.  For those operations that only access pre-existent managed objects, this identity SHALL be checked against the owner, and access SHALL be controlled as detailed in section 3.13 of [KMIP].



    Bruce A Rich
    brich at-sign us dot ibm dot com




  • 5.  RE: [kmip] Additional clarity around KMIP object owner

    Posted 10-21-2009 17:47

    Indra,

    Since the Usage Guide is illustrative and not normative, it is OK if it illustrates some and not all of the possible usage patterns.  Therefore it is not necessary that all the usages one has in mind are illustrated in the Usage Guide.  My lack of disagreement with the use case that you presented in the Usage Guide should be interpreted in those terms; I do not disagree with a userid and password that relate to the client-provided certificate.  I would disagree with credentials that MUST be so related.

    Therefore I do object to the changes that you propose to sections 3.1.3 and 3.1.4 of the Profiles document.  Forcing the Credential into such a tight relationship with the client certificate is a mistake.  The existence of channel authentication greatly simplifies the issues of privacy, integrity and authentication, and is wonderful for version 1.  Those KMIP servers who want to enforce a tight relationship between the Credential and the client certificate should be allowed to do so.  Those who want to enable a richer authentication/authorization fabric on a v1 base should also be allowed to do so.  Your language would overly constrain such adopters.

    Bruce A Rich
    brich at-sign us dot ibm dot com



    From: "Fitzgerald, Indra" <indra.fitzgerald@hp.com>
    To: Bruce Rich/Austin/IBM@IBMUS, "kmip@lists.oasis-open.org" <kmip@lists.oasis-open.org>
    Date: 10/16/2009 08:27 PM
    Subject: RE: [kmip] Additional clarity around KMIP object owner





    Hi Bruce,

    I agree that it is essential to get normative protection for KMIP users. I am not suggesting for us to exclude the Credential structure. I just want to make sure that we fully understand the implication of including your proposed text and realize that this approach differs from what we previously agreed on. I also want to make sure that the documents are consistent.

    Please see below for the changes I am proposing to the Client Authenticity section (3.1.3) in the Profiles spec, your proposed text, and the Authentication section in the Usage Guide (3.1). If anyone disagrees or would like to rewrite this, please chime in.

    Regards,

    Indra
    Profiles spec:
    3.1 3     Client Authenticity
    Client authenticity is proven by the use of channel (SSL/TLS) level mutual authentication. Vendors MAY use the Credential object for passing additional identification information. This SHOULD NOT, however, be used as an alternative authentication mechanism to the chosen authentication set. If the Credential object is specified in the request and the identity of the requestor is provided in both the Credential object and during the channel level authentication, the KMIP server SHALL verify that the identities are the same. If they differ, the authentication fails and the server SHALL return an error. The actual mechanics of how the server ensures client authenticity is beyond the scope of this version of the specification.
     
    The text proposed by Bruce (slightly modified):
    3.1.4        Relationship between credential and object creator
    KMIP objects have a creator.  The KMIP server SHALL
    interpret determine the identity of the requestor from the cCredentials object as the identity of the requestor if such a Credential is specified in the requestspecified during the authentication process. The authentication mechanism SHALL be one of the chosen authentication suites as specified in this Profiles specification.  If a Credential object is not specified, KMIP SHALL use the certificate passed in the channel binding (or some unique value derived from the certificate or its components) as the identity of the requestor.  For those KMIP requests that result in new managed objects this identity SHALL be used as the creator of the managed object.  For those operations that only access pre-existent managed objects, this identity SHALL be checked against the creator, and access SHALL be controlled as detailed in section 3.13 of [KMIP].
     
    Paragraph from Section 3.1 of the Usage Guide
    KMIP implementations that use other vendor-specific mechanisms for authentication may use the Credential attribute to include additional identification information. For example, in addition to performing mutual authentication during SSL/TLS, the client passes the Credential object in the request. If the client provides the username of the requestor in both the client certificate and the Credential object, the server verifies that the usernames are the same. If they differ, the authentication fails and the server returns an error. If the username is only specified in the Credential object, the server interprets the identity of the requestor from the Credential object. However, if this authentication option is not part of the chosen KMIP authentication suite, it should not be used to assert that an identity has been authenticated or be used as an alternative to the chosen KMIP authentication suite.
     



    From: Bruce Rich [mailto:brich@us.ibm.com]
    Sent:
    Friday, October 16, 2009 3:45 AM
    To:
    Fitzgerald, Indra
    Cc:
    kmip@lists.oasis-open.org
    Subject:
    RE: [kmip] Additional clarity around KMIP object owner



    Indra,


    I believe that specifying the protection that KMIP servers will offer their users is important enough to specify in normative text.  That said, the focus of KMIP v1 is mainly on the protocol for information exchange, not the set of allowable mechanisms for protecting such information in transit, nor the identity proof mechanisms between endpoints.  The challenge is to find a mechanism for protection and proof that offers adequate safeguards, yet leaves some maneuvering room to allow multiple possible usecases.  The troika of mutual channel authentication via SSL/TLS, a Credential structure in the request header and an operational policy name promise made by the server is the set of things that must work together to codify the protection that KMIP servers will offer their users.  I think that in the absence of a Credential structure in the request (and the concomitant  usage of the peer certificate from the channel binding), if the KMIP server says that the OperationalPolicyName for an object that it created/registered is "default", then the KMIP user has a decent understanding of the protections that will be provided.  The rub comes when the KMIP user chooses to also pass a Credential structure on the request.  As you point out, the Usage Guide would suggest a relationship between the certificate on the binding to the credential on the request somehow, perhaps to further constrain the certificate usage.  I believe the presence of a credential in the request should open up a new set of usecases, not further constrain things (just as an OperationalPolicyName other than "default" opens up new possibilities).  My change was to clearly define a mechanism to allow the KMIP user to constrain KMIP server behavior (by omitting the Credential).  The language used had the effect of also loosening it on the other hand (if the KMIP user chooses a credential not related to that supplied on channel binding).  My main focus was on getting normative protection for KMIP users.  At the time I proposed the text, I did not realize that the Usage Guide had language that spoke so clearly in the opposite direction, so now we will have to work this out.  Unfortunately, I will only be intermittently connected over the next week and a half, so I will not be able to be very responsive.


    Bruce A Rich
    brich at-sign us dot ibm dot com



    From: "Fitzgerald, Indra" <indra.fitzgerald@hp.com>
    To: Bruce Rich/Austin/IBM@IBMUS, "kmip@lists.oasis-open.org" <kmip@lists.oasis-open.org>
    Date: 10/15/2009 04:15 PM
    Subject: RE: [kmip] Additional clarity around KMIP object owner






    Bruce and all,

    In the Usage Guide, we currently address the case where clients may include the Credential attribute as additional identification information. We explicitly point out that if the Credential attribute is not part of the chosen authentication suite, the Credential attribute cannot be used to assert that an identity has been authenticated.

    Similarly, the profiles spec explicitly points out that the Credential object may be used to pass additional identification information. This should not, however, be used as an alternative authentication mechanism.

    Bruce's proposal allows the Credential object to be used to interpret the identity of the requestor. If a Credential object is not specified the certificate shall be used as the identity of the requestor.

    There appears to be a disconnect. We cannot use the Credential object as the primary source for interpreting the identity of the requestor, if the Credential object is not part of the authentication suite. The authentication process will determine and authenticate the identity of the requestor. Decoupling the authentication and identity interpretation process could potentially weaken the security of the authentication process and restrict certain use-cases. For example, clients may provide the username inside the certificate and provide additional identification information inside the credential object. According to Bruce's proposal, the identity specified inside the certificate will not be acknowledged if the credential object contains a different username.

    To resolve this, we need to explicitly allow the Credential object to be used during the authentication of the requestor. Depending on the server's configuration, this may or may not be required by the server. If both the certificate and Credential object contain the identity of the requestor, the server shall verify that they are the same. If they differ, the authentication fails and the server shall return an error.

    We also need to update the KMIP docs (i.e. the profiles spec and Usage Guide) to make sure that they are consistent.

    Regards,

    Indra


    From: Bruce Rich [mailto:brich@us.ibm.com]
    Sent:
    Wednesday, October 14, 2009 6:02 PM
    To:
    kmip@lists.oasis-open.org
    Subject:
    Fw: [kmip] Additional clarity around KMIP object owner



    It's been pointed out that the spec uses the term "creator" rather than "owner" (thanks, Steve and Marko), so better text might be:


    3.1.4        Relationship between credential and object creator

    KMIP objects have a creator.  The KMIP server SHALL interpret the Credential object as the identity of the requestor if such a Credential is specified in the request.  If a Credential object is not specified, KMIP SHALL use the certificate passed in the channel binding (or some unique value derived from the certificate or its components) as the identity of the requestor.  For those KMIP requests that result in new managed objects this identity SHALL be used as the creator of the managed object.  For those operations that only access pre-existent managed objects, this identity SHALL be checked against the creator, and access SHALL be controlled as detailed in section 3.13 of [KMIP].


    And I'll refrain from talking the "creator endowed with certain unalienable rights...", but I really wanted to slip that in there somewhere.


    Bruce A Rich
    brich at-sign us dot ibm dot com


    ----- Forwarded by Bruce Rich/Austin/IBM on 10/14/2009 07:52 PM -----
    From: Bruce Rich/Austin/IBM@IBMUS
    To: kmip@lists.oasis-open.org
    Date: 10/14/2009 12:51 PM
    Subject: [kmip] Additional clarity around KMIP object owner








    Although we've clarified KMIP client/server authentication in the KMIP Profiles document, I think the concept of "owner of KMIP object" needs to be tied a bit more tightly to the authentication.


    I propose this language be added as section 3.1.4 in the Profiles doc:


    3.1.4        Object Ownership

    KMIP objects have an owner.  The KMIP server SHALL interpret the Credential object as the identity of the requestor if such a Credential is specified in the request.  If a Credential object is not specified, KMIP SHALL use the certificate passed in the channel binding (or some unique value derived from the certificate or its components) as the identity of the requestor.  For those KMIP requests that result in new managed objects this identity SHALL be used as the owner of the managed object.  For those operations that only access pre-existent managed objects, this identity SHALL be checked against the owner, and access SHALL be controlled as detailed in section 3.13 of [KMIP].


    Bruce A Rich
    brich at-sign us dot ibm dot com





  • 6.  RE: [kmip] Additional clarity around KMIP object owner

    Posted 10-22-2009 00:27
    
    
    
    
    
    Hi Bruce,
     
    The changes I proposed to the Profiles document were supposed to provide additional clarification and replace your original restrictive statements with more general ones. Your proposed text (3.1.4) introduces the notion of interpreting the Credential object, if provided, as the identity of the requestor and explicitly discusses the Credential object and client certificate relationship. Note that the Profiles document does not actually refer to client certificates and only refers to channel level authentication. This was one of the things I removed from your proposed text, referring to certificates only in the examples I added to the Usage Guide.
    If we allow servers to determine the identity of the requestor using mechanisms that are outside the channel level authentication, then we should explicitly point this out in the Profiles document. As previously mentioned, it is essential that the identity of the requestor is determined during the authentication process; including this in the Profiles document will avoid confusion and potentially avoid insecure implementations.
     
    Regards,
    Indra
     


    From: Bruce Rich [mailto:brich@us.ibm.com]
    Sent: Wednesday, October 21, 2009 10:46 AM
    To: Fitzgerald, Indra
    Cc: kmip@lists.oasis-open.org
    Subject: RE: [kmip] Additional clarity around KMIP object owner


    Indra,

    Since the Usage Guide is illustrative and not normative, it is OK if it illustrates some and not all of the possible usage patterns.  Therefore it is not necessary that all the usages one has in mind are illustrated in the Usage Guide.  My lack of disagreement with the use case that you presented in the Usage Guide should be interpreted in those terms; I do not disagree with a userid and password that relate to the client-provided certificate.  I would disagree with credentials that MUST be so related.

    Therefore I do object to the changes that you propose to sections 3.1.3 and 3.1.4 of the Profiles document.  Forcing the Credential into such a tight relationship with the client certificate is a mistake.  The existence of channel authentication greatly simplifies the issues of privacy, integrity and authentication, and is wonderful for version 1.  Those KMIP servers who want to enforce a tight relationship between the Credential and the client certificate should be allowed to do so.  Those who want to enable a richer authentication/authorization fabric on a v1 base should also be allowed to do so.  Your language would overly constrain such adopters.

    Bruce A Rich
    brich at-sign us dot ibm dot com



    From: "Fitzgerald, Indra" <indra.fitzgerald@hp.com>
    To: Bruce Rich/Austin/IBM@IBMUS, "kmip@lists.oasis-open.org" <kmip@lists.oasis-open.org>
    Date: 10/16/2009 08:27 PM
    Subject: RE: [kmip] Additional clarity around KMIP object owner





    Hi Bruce,

    I agree that it is essential to get normative protection for KMIP users. I am not suggesting for us to exclude the Credential structure. I just want to make sure that we fully understand the implication of including your proposed text and realize that this approach differs from what we previously agreed on. I also want to make sure that the documents are consistent.

    Please see below for the changes I am proposing to the Client Authenticity section (3.1.3) in the Profiles spec, your proposed text, and the Authentication section in the Usage Guide (3.1). If anyone disagrees or would like to rewrite this, please chime in.

    Regards,

    Indra
    Profiles spec:
    3.1 3     Client Authenticity
    Client authenticity is proven by the use of channel (SSL/TLS) level mutual authentication. Vendors MAY use the Credential object for passing additional identification information. This SHOULD NOT, however, be used as an alternative authentication mechanism to the chosen authentication set. If the Credential object is specified in the request and the identity of the requestor is provided in both the Credential object and during the channel level authentication, the KMIP server SHALL verify that the identities are the same. If they differ, the authentication fails and the server SHALL return an error. The actual mechanics of how the server ensures client authenticity is beyond the scope of this version of the specification.
     
    The text proposed by Bruce (slightly modified):
    3.1.4        Relationship between credential and object creator
    KMIP objects have a creator.  The KMIP server SHALL
    interpret determine the identity of the requestor from the cCredentials object as the identity of the requestor if such a Credential is specified in the requestspecified during the authentication process. The authentication mechanism SHALL be one of the chosen authentication suites as specified in this Profiles specification.  If a Credential object is not specified, KMIP SHALL use the certificate passed in the channel binding (or some unique value derived from the certificate or its components) as the identity of the requestor.  For those KMIP requests that result in new managed objects this identity SHALL be used as the creator of the managed object.  For those operations that only access pre-existent managed objects, this identity SHALL be checked against the creator, and access SHALL be controlled as detailed in section 3.13 of [KMIP].
     
    Paragraph from Section 3.1 of the Usage Guide
    KMIP implementations that use other vendor-specific mechanisms for authentication may use the Credential attribute to include additional identification information. For example, in addition to performing mutual authentication during SSL/TLS, the client passes the Credential object in the request. If the client provides the username of the requestor in both the client certificate and the Credential object, the server verifies that the usernames are the same. If they differ, the authentication fails and the server returns an error. If the username is only specified in the Credential object, the server interprets the identity of the requestor from the Credential object. However, if this authentication option is not part of the chosen KMIP authentication suite, it should not be used to assert that an identity has been authenticated or be used as an alternative to the chosen KMIP authentication suite.
     



    From: Bruce Rich [mailto:brich@us.ibm.com]
    Sent:
    Friday, October 16, 2009 3:45 AM
    To:
    Fitzgerald, Indra
    Cc:
    kmip@lists.oasis-open.org
    Subject:
    RE: [kmip] Additional clarity around KMIP object owner



    Indra,


    I believe that specifying the protection that KMIP servers will offer their users is important enough to specify in normative text.  That said, the focus of KMIP v1 is mainly on the protocol for information exchange, not the set of allowable mechanisms for protecting such information in transit, nor the identity proof mechanisms between endpoints.  The challenge is to find a mechanism for protection and proof that offers adequate safeguards, yet leaves some maneuvering room to allow multiple possible usecases.  The troika of mutual channel authentication via SSL/TLS, a Credential structure in the request header and an operational policy name promise made by the server is the set of things that must work together to codify the protection that KMIP servers will offer their users.  I think that in the absence of a Credential structure in the request (and the concomitant  usage of the peer certificate from the channel binding), if the KMIP server says that the OperationalPolicyName for an object that it created/registered is "default", then the KMIP user has a decent understanding of the protections that will be provided.  The rub comes when the KMIP user chooses to also pass a Credential structure on the request.  As you point out, the Usage Guide would suggest a relationship between the certificate on the binding to the credential on the request somehow, perhaps to further constrain the certificate usage.  I believe the presence of a credential in the request should open up a new set of usecases, not further constrain things (just as an OperationalPolicyName other than "default" opens up new possibilities).  My change was to clearly define a mechanism to allow the KMIP user to constrain KMIP server behavior (by omitting the Credential).  The language used had the effect of also loosening it on the other hand (if the KMIP user chooses a credential not related to that supplied on channel binding).  My main focus was on getting normative protection for KMIP users.  At the time I proposed the text, I did not realize that the Usage Guide had language that spoke so clearly in the opposite direction, so now we will have to work this out.  Unfortunately, I will only be intermittently connected over the next week and a half, so I will not be able to be very responsive.


    Bruce A Rich
    brich at-sign us dot ibm dot com



    From: "Fitzgerald, Indra" <indra.fitzgerald@hp.com>
    To: Bruce Rich/Austin/IBM@IBMUS, "kmip@lists.oasis-open.org" <kmip@lists.oasis-open.org>
    Date: 10/15/2009 04:15 PM
    Subject: RE: [kmip] Additional clarity around KMIP object owner






    Bruce and all,

    In the Usage Guide, we currently address the case where clients may include the Credential attribute as additional identification information. We explicitly point out that if the Credential attribute is not part of the chosen authentication suite, the Credential attribute cannot be used to assert that an identity has been authenticated.

    Similarly, the profiles spec explicitly points out that the Credential object may be used to pass additional identification information. This should not, however, be used as an alternative authentication mechanism.

    Bruce's proposal allows the Credential object to be used to interpret the identity of the requestor. If a Credential object is not specified the certificate shall be used as the identity of the requestor.

    There appears to be a disconnect. We cannot use the Credential object as the primary source for interpreting the identity of the requestor, if the Credential object is not part of the authentication suite. The authentication process will determine and authenticate the identity of the requestor. Decoupling the authentication and identity interpretation process could potentially weaken the security of the authentication process and restrict certain use-cases. For example, clients may provide the username inside the certificate and provide additional identification information inside the credential object. According to Bruce's proposal, the identity specified inside the certificate will not be acknowledged if the credential object contains a different username.

    To resolve this, we need to explicitly allow the Credential object to be used during the authentication of the requestor. Depending on the server's configuration, this may or may not be required by the server. If both the certificate and Credential object contain the identity of the requestor, the server shall verify that they are the same. If they differ, the authentication fails and the server shall return an error.

    We also need to update the KMIP docs (i.e. the profiles spec and Usage Guide) to make sure that they are consistent.

    Regards,

    Indra


    From: Bruce Rich [mailto:brich@us.ibm.com]
    Sent:
    Wednesday, October 14, 2009 6:02 PM
    To:
    kmip@lists.oasis-open.org
    Subject:
    Fw: [kmip] Additional clarity around KMIP object owner



    It's been pointed out that the spec uses the term "creator" rather than "owner" (thanks, Steve and Marko), so better text might be:


    3.1.4        Relationship between credential and object creator

    KMIP objects have a creator.  The KMIP server SHALL interpret the Credential object as the identity of the requestor if such a Credential is specified in the request.  If a Credential object is not specified, KMIP SHALL use the certificate passed in the channel binding (or some unique value derived from the certificate or its components) as the identity of the requestor.  For those KMIP requests that result in new managed objects this identity SHALL be used as the creator of the managed object.  For those operations that only access pre-existent managed objects, this identity SHALL be checked against the creator, and access SHALL be controlled as detailed in section 3.13 of [KMIP].


    And I'll refrain from talking the "creator endowed with certain unalienable rights...", but I really wanted to slip that in there somewhere.


    Bruce A Rich
    brich at-sign us dot ibm dot com


    ----- Forwarded by Bruce Rich/Austin/IBM on 10/14/2009 07:52 PM -----
    From: Bruce Rich/Austin/IBM@IBMUS
    To: kmip@lists.oasis-open.org
    Date: 10/14/2009 12:51 PM
    Subject: [kmip] Additional clarity around KMIP object owner








    Although we've clarified KMIP client/server authentication in the KMIP Profiles document, I think the concept of "owner of KMIP object" needs to be tied a bit more tightly to the authentication.


    I propose this language be added as section 3.1.4 in the Profiles doc:


    3.1.4        Object Ownership

    KMIP objects have an owner.  The KMIP server SHALL interpret the Credential object as the identity of the requestor if such a Credential is specified in the request.  If a Credential object is not specified, KMIP SHALL use the certificate passed in the channel binding (or some unique value derived from the certificate or its components) as the identity of the requestor.  For those KMIP requests that result in new managed objects this identity SHALL be used as the owner of the managed object.  For those operations that only access pre-existent managed objects, this identity SHALL be checked against the owner, and access SHALL be controlled as detailed in section 3.13 of [KMIP].


    Bruce A Rich
    brich at-sign us dot ibm dot com





  • 7.  RE: [kmip] Additional clarity around KMIP object owner

    Posted 10-22-2009 15:03

    Hi Indra,

    I'm not sure that replacing "certificate" with "credentials specified during the authentication process" is an improvement.  Since only SSL/TLS mutual authentication is permissible (according to Profile section 3.1.3), that would imply that the only possible credential is a certificate, according to my reading of the appropriate RFCs (TLS 1.2 adds that it could be a PGP cert, otherwise it's got to be X509v3).  Having thus narrowed the channel authentication, it seems appropriate to speak of the only possible credential type, which is a certificate.  I'd rather not force the reader to read all of the documents to be able to understand any of them.

    Bruce A Rich
    brich at-sign us dot ibm dot com



    From: "Fitzgerald, Indra" <indra.fitzgerald@hp.com>
    To: Bruce Rich/Austin/IBM@IBMUS
    Cc: "kmip@lists.oasis-open.org" <kmip@lists.oasis-open.org>
    Date: 10/21/2009 08:27 PM
    Subject: RE: [kmip] Additional clarity around KMIP object owner





    Hi Bruce,
     
    The changes I proposed to the Profiles document were supposed to provide additional clarification and replace your original restrictive statements with more general ones. Your proposed text (3.1.4) introduces the notion of interpreting the Credential object, if provided, as the identity of the requestor and explicitly discusses the Credential object and client certificate relationship. Note that the Profiles document does not actually refer to client certificates and only refers to channel level authentication. This was one of the things I removed from your proposed text, referring to certificates only in the examples I added to the Usage Guide.
    If we allow servers to determine the identity of the requestor using mechanisms that are outside the channel level authentication, then we should explicitly point this out in the Profiles document. As previously mentioned, it is essential that the identity of the requestor is determined during the authentication process; including this in the Profiles document will avoid confusion and potentially avoid insecure implementations.
     
    Regards,
    Indra
     


    From: Bruce Rich [mailto:brich@us.ibm.com]
    Sent:
    Wednesday, October 21, 2009 10:46 AM
    To:
    Fitzgerald, Indra
    Cc:
    kmip@lists.oasis-open.org
    Subject:
    RE: [kmip] Additional clarity around KMIP object owner



    Indra,


    Since the Usage Guide is illustrative and not normative, it is OK if it illustrates some and not all of the possible usage patterns.  Therefore it is not necessary that all the usages one has in mind are illustrated in the Usage Guide.  My lack of disagreement with the use case that you presented in the Usage Guide should be interpreted in those terms; I do not disagree with a userid and password that relate to the client-provided certificate.  I would disagree with credentials that MUST be so related.


    Therefore I do object to the changes that you propose to sections 3.1.3 and 3.1.4 of the Profiles document.  Forcing the Credential into such a tight relationship with the client certificate is a mistake.  The existence of channel authentication greatly simplifies the issues of privacy, integrity and authentication, and is wonderful for version 1.  Those KMIP servers who want to enforce a tight relationship between the Credential and the client certificate should be allowed to do so.  Those who want to enable a richer authentication/authorization fabric on a v1 base should also be allowed to do so.  Your language would overly constrain such adopters.


    Bruce A Rich
    brich at-sign us dot ibm dot com



    From: "Fitzgerald, Indra" <indra.fitzgerald@hp.com>
    To: Bruce Rich/Austin/IBM@IBMUS, "kmip@lists.oasis-open.org" <kmip@lists.oasis-open.org>
    Date: 10/16/2009 08:27 PM
    Subject: RE: [kmip] Additional clarity around KMIP object owner






    Hi Bruce,

    I agree that it is essential to get normative protection for KMIP users. I am not suggesting for us to exclude the Credential structure. I just want to make sure that we fully understand the implication of including your proposed text and realize that this approach differs from what we previously agreed on. I also want to make sure that the documents are consistent.

    Please see below for the changes I am proposing to the Client Authenticity section (3.1.3) in the Profiles spec, your proposed text, and the Authentication section in the Usage Guide (3.1). If anyone disagrees or would like to rewrite this, please chime in.

    Regards,

    Indra
    Profiles spec:

    3.1 3     Client Authenticity

    Client authenticity is proven by the use of channel (SSL/TLS) level mutual authentication. Vendors MAY use the Credential object for passing additional identification information. This SHOULD NOT, however, be used as an alternative authentication mechanism to the chosen authentication set.
    If the Credential object is specified in the request and the identity of the requestor is provided in both the Credential object and during the channel level authentication, the KMIP server SHALL verify that the identities are the same. If they differ, the authentication fails and the server SHALL return an error. The actual mechanics of how the server ensures client authenticity is beyond the scope of this version of the specification.
     
    The text proposed by Bruce (slightly modified):
    3.1.4        Relationship between credential and object creator
    KMIP objects have a creator.  The KMIP server SHALL
    interpret determine the identity of the requestor from the cCredentials object as the identity of the requestor if such a Credential is specified in the requestspecified during the authentication process. The authentication mechanism SHALL be one of the chosen authentication suites as specified in this Profiles specification.  If a Credential object is not specified, KMIP SHALL use the certificate passed in the channel binding (or some unique value derived from the certificate or its components) as the identity of the requestor.  For those KMIP requests that result in new managed objects this identity SHALL be used as the creator of the managed object.  For those operations that only access pre-existent managed objects, this identity SHALL be checked against the creator, and access SHALL be controlled as detailed in section 3.13 of [KMIP].
     
    Paragraph from Section 3.1 of the Usage Guide

    KMIP implementations that use other vendor-specific mechanisms for authentication may use the Credential attribute to include additional identification information.
    For example, in addition to performing mutual authentication during SSL/TLS, the client passes the Credential object in the request. If the client provides the username of the requestor in both the client certificate and the Credential object, the server verifies that the usernames are the same. If they differ, the authentication fails and the server returns an error. If the username is only specified in the Credential object, the server interprets the identity of the requestor from the Credential object. However, if this authentication option is not part of the chosen KMIP authentication suite, it should not be used to assert that an identity has been authenticated or be used as an alternative to the chosen KMIP authentication suite.
     



    From: Bruce Rich [mailto:brich@us.ibm.com]
    Sent:
    Friday, October 16, 2009 3:45 AM
    To:
    Fitzgerald, Indra
    Cc:
    kmip@lists.oasis-open.org
    Subject:
    RE: [kmip] Additional clarity around KMIP object owner



    Indra,


    I believe that specifying the protection that KMIP servers will offer their users is important enough to specify in normative text.  That said, the focus of KMIP v1 is mainly on the protocol for information exchange, not the set of allowable mechanisms for protecting such information in transit, nor the identity proof mechanisms between endpoints.  The challenge is to find a mechanism for protection and proof that offers adequate safeguards, yet leaves some maneuvering room to allow multiple possible usecases.  The troika of mutual channel authentication via SSL/TLS, a Credential structure in the request header and an operational policy name promise made by the server is the set of things that must work together to codify the protection that KMIP servers will offer their users.  I think that in the absence of a Credential structure in the request (and the concomitant  usage of the peer certificate from the channel binding), if the KMIP server says that the OperationalPolicyName for an object that it created/registered is "default", then the KMIP user has a decent understanding of the protections that will be provided.  The rub comes when the KMIP user chooses to also pass a Credential structure on the request.  As you point out, the Usage Guide would suggest a relationship between the certificate on the binding to the credential on the request somehow, perhaps to further constrain the certificate usage.  I believe the presence of a credential in the request should open up a new set of usecases, not further constrain things (just as an OperationalPolicyName other than "default" opens up new possibilities).  My change was to clearly define a mechanism to allow the KMIP user to constrain KMIP server behavior (by omitting the Credential).  The language used had the effect of also loosening it on the other hand (if the KMIP user chooses a credential not related to that supplied on channel binding).  My main focus was on getting normative protection for KMIP users.  At the time I proposed the text, I did not realize that the Usage Guide had language that spoke so clearly in the opposite direction, so now we will have to work this out.  Unfortunately, I will only be intermittently connected over the next week and a half, so I will not be able to be very responsive.


    Bruce A Rich
    brich at-sign us dot ibm dot com


    From: "Fitzgerald, Indra" <indra.fitzgerald@hp.com>
    To: Bruce Rich/Austin/IBM@IBMUS, "kmip@lists.oasis-open.org" <kmip@lists.oasis-open.org>
    Date: 10/15/2009 04:15 PM
    Subject: RE: [kmip] Additional clarity around KMIP object owner







    Bruce and all,

    In the Usage Guide, we currently address the case where clients may include the Credential attribute as additional identification information. We explicitly point out that if the Credential attribute is not part of the chosen authentication suite, the Credential attribute cannot be used to assert that an identity has been authenticated.

    Similarly, the profiles spec explicitly points out that the Credential object may be used to pass additional identification information. This should not, however, be used as an alternative authentication mechanism.

    Bruce's proposal allows the Credential object to be used to interpret the identity of the requestor. If a Credential object is not specified the certificate shall be used as the identity of the requestor.

    There appears to be a disconnect. We cannot use the Credential object as the primary source for interpreting the identity of the requestor, if the Credential object is not part of the authentication suite. The authentication process will determine and authenticate the identity of the requestor. Decoupling the authentication and identity interpretation process could potentially weaken the security of the authentication process and restrict certain use-cases. For example, clients may provide the username inside the certificate and provide additional identification information inside the credential object. According to Bruce's proposal, the identity specified inside the certificate will not be acknowledged if the credential object contains a different username.

    To resolve this, we need to explicitly allow the Credential object to be used during the authentication of the requestor. Depending on the server's configuration, this may or may not be required by the server. If both the certificate and Credential object contain the identity of the requestor, the server shall verify that they are the same. If they differ, the authentication fails and the server shall return an error.

    We also need to update the KMIP docs (i.e. the profiles spec and Usage Guide) to make sure that they are consistent.

    Regards,

    Indra


    From: Bruce Rich [mailto:brich@us.ibm.com]
    Sent:
    Wednesday, October 14, 2009 6:02 PM
    To:
    kmip@lists.oasis-open.org
    Subject:
    Fw: [kmip] Additional clarity around KMIP object owner



    It's been pointed out that the spec uses the term "creator" rather than "owner" (thanks, Steve and Marko), so better text might be:


    3.1.4        Relationship between credential and object creator

    KMIP objects have a creator.  The KMIP server SHALL interpret the Credential object as the identity of the requestor if such a Credential is specified in the request.  If a Credential object is not specified, KMIP SHALL use the certificate passed in the channel binding (or some unique value derived from the certificate or its components) as the identity of the requestor.  For those KMIP requests that result in new managed objects this identity SHALL be used as the creator of the managed object.  For those operations that only access pre-existent managed objects, this identity SHALL be checked against the creator, and access SHALL be controlled as detailed in section 3.13 of [KMIP].


    And I'll refrain from talking the "creator endowed with certain unalienable rights...", but I really wanted to slip that in there somewhere.


    Bruce A Rich
    brich at-sign us dot ibm dot com


    ----- Forwarded by Bruce Rich/Austin/IBM on 10/14/2009 07:52 PM -----
    From: Bruce Rich/Austin/IBM@IBMUS
    To: kmip@lists.oasis-open.org
    Date: 10/14/2009 12:51 PM
    Subject: [kmip] Additional clarity around KMIP object owner









    Although we've clarified KMIP client/server authentication in the KMIP Profiles document, I think the concept of "owner of KMIP object" needs to be tied a bit more tightly to the authentication.


    I propose this language be added as section 3.1.4 in the Profiles doc:


    3.1.4        Object Ownership

    KMIP objects have an owner.  The KMIP server SHALL interpret the Credential object as the identity of the requestor if such a Credential is specified in the request.  If a Credential object is not specified, KMIP SHALL use the certificate passed in the channel binding (or some unique value derived from the certificate or its components) as the identity of the requestor.  For those KMIP requests that result in new managed objects this identity SHALL be used as the owner of the managed object.  For those operations that only access pre-existent managed objects, this identity SHALL be checked against the owner, and access SHALL be controlled as detailed in section 3.13 of [KMIP].


    Bruce A Rich
    brich at-sign us dot ibm dot com