Although we've clarified KMIP client/server
authentication in the KMIP Profiles document, I think the concept of "owner
of KMIP object" needs to be tied a bit more tightly to the authentication.
I propose this language be added as
section 3.1.4 in the Profiles doc:
3.1.4 Object
Ownership
KMIP objects have an owner. The
KMIP server SHALL interpret the Credential object as the identity of the
requestor if such a Credential is specified in the request. If a
Credential object is not specified, KMIP SHALL use the certificate passed
in the channel binding (or some unique value derived from the certificate
or its components) as the identity of the requestor. For those KMIP
requests that result in new managed objects this identity SHALL be used
as the owner of the managed object. For those operations that only
access pre-existent managed objects, this identity SHALL be checked against
the owner, and access SHALL be controlled as detailed in section 3.13 of
[KMIP].
Bruce A Rich
brich at-sign us dot ibm dot com