OASIS Key Management Interoperability Protocol (KMIP) TC

  • 1.  KMIP as a TTLV message format only...

    Posted 07-22-2011 01:09
    All, I was looking through the Profiles v1.1 draft 02 and realized we were still requiring IP and TLS. I was hoping we could start to remove them as a requirement unless using TCP/IP as the transport and network layer protocols respectively. This is something that concerns T11, which may not have TCP/IP available to the end point, and X9, who do not use TLS for their link encryption (I don't think they support AES yet either but are still using 3DES for most symmetric operations). While most servers will sit on IP networks the clients may not, and by keeping the normative to only the TTLV messaging portions, with TLS as a requirement for when using TCP/IP, we allow other organizations better control of their own datalink, network and transport (layer 2, 3 & 4) protocols. Is there some way to consider this for 1.1 so as to allow for potentially more outside profile development for KMIP 1.1 and later? It may be opening a can of worms, but if we can make recommendations versus SHALL statements for this I think it will ease adoption. Comments are greatly appreciated, but please keep the caliber of the bullets to small bore if possible.
    Bob L.
    Robert A. (Bob) Lockhart
    Senior Solutions Architect
    THALES Information Systems Security
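To make the "TTLV messaging portion" of the post concrete, here is a small TTLV encoder/decoder. It is an added illustration, not code from the TC, the KMIP spec or any KMIP implementation. It assumes the tag constants shown (taken from my reading of the KMIP tag table; check them against the spec's own table) and a hypothetical MAX_ITEM_LENGTH cap. The point it demonstrates is that a TTLV message is self-delimiting (3-byte Tag, 1-byte Type, 4-byte Length, Value padded to 8 bytes), so the same bytes can be read back from any reliable byte stream, whether that stream is TLS over TCP/IP or something else entirely.

```python
import io
import struct

# KMIP item types, from the TTLV encoding rules in the KMIP spec.
STRUCTURE, INTEGER, LONG_INTEGER, ENUMERATION = 0x01, 0x02, 0x03, 0x05
BOOLEAN, TEXT_STRING, BYTE_STRING = 0x06, 0x07, 0x08

# Tag values as I recall them from the KMIP tag table (assumption; verify against the spec).
REQUEST_HEADER = 0x420077
PROTOCOL_VERSION = 0x420069
PROTOCOL_VERSION_MAJOR = 0x42006A
PROTOCOL_VERSION_MINOR = 0x42006B
BATCH_COUNT = 0x42000D

# Hypothetical cap on the Length field: it is peer-controlled on the wire,
# so a decoder must not allocate whatever the other side declares.
MAX_ITEM_LENGTH = 1 << 20


def _pad8(body):
    """Pad a value to the next multiple of 8 bytes, as TTLV requires."""
    return body + b"\x00" * (-len(body) % 8)


def encode(tag, itype, value):
    """Encode one TTLV item: 3-byte Tag, 1-byte Type, 4-byte Length, padded Value."""
    if itype == STRUCTURE:
        body = b"".join(encode(*child) for child in value)
    elif itype == INTEGER:
        body = struct.pack(">i", value)        # 4 bytes; _pad8 adds the 4 padding bytes
    elif itype == ENUMERATION:
        body = struct.pack(">I", value)
    elif itype == LONG_INTEGER:
        body = struct.pack(">q", value)
    elif itype == BOOLEAN:
        body = struct.pack(">Q", 1 if value else 0)
    elif itype == TEXT_STRING:
        body = value.encode("utf-8")
    elif itype == BYTE_STRING:
        body = bytes(value)
    else:
        raise ValueError("unsupported item type 0x%02x" % itype)
    header = tag.to_bytes(3, "big") + bytes([itype]) + struct.pack(">I", len(body))
    return header + _pad8(body)


def decode_one(stream):
    """Read exactly one TTLV item from a byte stream and return (tag, type, value)."""
    header = stream.read(8)
    if not header:
        raise EOFError("clean end of stream")          # no item started
    if len(header) < 8:
        raise ValueError("truncated TTLV header")      # item started, then cut off
    tag = int.from_bytes(header[:3], "big")
    itype = header[3]
    length = struct.unpack(">I", header[4:8])[0]
    if length > MAX_ITEM_LENGTH:
        raise ValueError("declared length %d exceeds cap" % length)
    padded = length + (-length % 8)
    body = stream.read(padded)
    if len(body) < padded:
        raise ValueError("truncated TTLV value")
    raw = body[:length]
    if itype == STRUCTURE:
        sub = io.BytesIO(raw)
        children = []
        while sub.tell() < length:
            children.append(decode_one(sub))
        return tag, itype, children
    if itype == INTEGER:
        return tag, itype, struct.unpack(">i", raw)[0]
    if itype == ENUMERATION:
        return tag, itype, struct.unpack(">I", raw)[0]
    if itype == LONG_INTEGER:
        return tag, itype, struct.unpack(">q", raw)[0]
    if itype == BOOLEAN:
        return tag, itype, struct.unpack(">Q", raw)[0] != 0
    if itype == TEXT_STRING:
        return tag, itype, raw.decode("utf-8")
    if itype == BYTE_STRING:
        return tag, itype, raw
    raise ValueError("unsupported item type 0x%02x" % itype)


def decode_bytes(data):
    """Decode a single TTLV item held in memory."""
    return decode_one(io.BytesIO(data))


def read_messages(source):
    """Split back-to-back TTLV items from bytes or any object with .read(); no transport framing needed."""
    stream = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    items = []
    while True:
        try:
            items.append(decode_one(stream))
        except EOFError:
            return items


def build_request_header(major, minor, batch_count):
    """Constructed sample: a KMIP Request Header structure as pure TTLV bytes."""
    return encode(REQUEST_HEADER, STRUCTURE, [
        (PROTOCOL_VERSION, STRUCTURE, [
            (PROTOCOL_VERSION_MAJOR, INTEGER, major),
            (PROTOCOL_VERSION_MINOR, INTEGER, minor),
        ]),
        (BATCH_COUNT, INTEGER, batch_count),
    ])
```

`read_messages` works on anything with a `.read()` method, so the same decoder serves a `ssl.SSLSocket.makefile("rb")` on a TCP/IP deployment and a plain file or serial-link reader elsewhere; the message format carries its own length and needs nothing from the transport except reliable delivery of bytes. The Length cap and the distinction between a clean end of stream and a truncated item are the two checks a practitioner should keep whatever transport is underneath.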


  • 2.  RE: KMIP as a TTLV message format only...

    Posted 07-22-2011 08:37
    There are other applications too: I know of several Government applications where KMIP is interesting but is currently blocked specifically because of this TLS property. As I (and Landon, and others) said at the time it was baked in at the face to face all that time ago it was a good pragmatic shortcut at the time but we need to be able to do away with it eventually and support other transport security options as well as inherently secure keyblocks. I thought we had mentioned this and excluded it from 1.1 but we need to keep the awareness up. So by all means shot Bob but make sure they're only tranquilizer darts because this is going to come up again. Jon