OASIS Key Management Interoperability Protocol (KMIP) TC

Additional clarity around KMIP object owner

  • 1.  Additional clarity around KMIP object owner

    Posted 10-14-2009 17:51

    Although we've clarified KMIP client/server authentication in the KMIP Profiles document, I think the concept of "owner of KMIP object" needs to be tied a bit more tightly to the authentication.

    I propose this language be added as section 3.1.4 in the Profiles doc:

    3.1.4        Object Ownership
    KMIP objects have an owner.  The KMIP server SHALL interpret the Credential object as the identity of the requestor if such a Credential is specified in the request.  If a Credential object is not specified, KMIP SHALL use the certificate passed in the channel binding (or some unique value derived from the certificate or its components) as the identity of the requestor.  For those KMIP requests that result in new managed objects this identity SHALL be used as the owner of the managed object.  For those operations that only access pre-existent managed objects, this identity SHALL be checked against the owner, and access SHALL be controlled as detailed in section 3.13 of [KMIP].


    Bruce A Rich
    brich at-sign us dot ibm dot com