
KMIP Entity Object and Client Registration



Presentation Transcript


  1. KMIP Entity Object and Client Registration
     Alan Frindell
     Contributors: Robert Haas, Indra Fitzgerald
     SafeNet, Inc
     11/17/2010

  2. What can you do with an entity?
     • Require subjects passed in TLS and/or Credential to be registered entities
     • Register or generate data that can be used during authentication, possibly to a third-party system
     • Restrict operations that create objects, including other entities
     • Register Attributes that can be searched and retrieved
       • Possible policy-relevant attributes like FIPS Level, hardware capabilities, server-to-client operation support
     • Register extended data that can be logged by the server
     • Supply connection details for Server-to-Client messages
     • Ask server to notify entity when one or more objects change

  3. How are entities created?
     • Manually entered by server administrator
     • Imported from a third-party directory by a server administrator
     • Explicitly registered by a KMIP client with appropriate permissions
       • Some server implementations may require administrator approval before the entity is registered
       • May require asynchronous polling by clients to be effective
     • Implicitly registered by a KMIP client by sending a new Credential object in a request

  4. Credential Redefinition (original proposal)
     • Username and Password Credential Value still supported for backwards compatibility

  5. Credential Redefinition (new proposal)
     • Much cleaner
     • Username and Password Credential Value no longer supported

  6. Credential/Subject Types

  7. Entity Definition
     • Entity Attributes:
       • UUID, Name, Object Type, Operation Policy, Initial Date, Destroy Date, App Specific Info, Contact Info, Last Change Date, Custom Attributes
       • New, up for discussion: Archive Date, Object Group, Entity Operation Policy
     • Entity Operations:
       • Register, Locate, Get, Get Attributes, Get Attribute List, Add Attribute, Modify Attribute, Delete Attribute, Destroy

  8. New: Default Operation Policy for Entity Objects (for operations on the Entity object)
     Operation Policy = what operations are allowed on the Entity

  9. Default Entity Operation Policy
     Entity Operation Policy = what operations the Entity is allowed to perform

  10. Entity / Creator Relationship
     • KMIP v1 loosely defines Creator as ‘identity of the client’
     • With Entity, it is possible to define Creator explicitly as:
       • The UUID of the Entity that created the object
       • The Subject of the Entity that created the object
         • In this case, a given Entity will have access to different objects depending on how it authenticated
     • The Creator of an Entity may be different from the Entity itself, which may be confusing
     • Can an Entity have more than one Credential/Subject of a given type?
       • Ex: More than one username?
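As an added illustration of the slide-10 choice (this is not part of the deck, not KMIP's TTLV encoding, and not any vendor's server code): a toy server that records Creator either as the Entity UUID or as the authenticated Subject, plus the slide-2 rule that a presented subject must resolve to a registered Entity. A creator-only Get check then shows that under the Subject definition the same Entity loses access to its own object when it authenticates with a different Credential. The Entity and Server classes, the (kind, value) subject tuples and the names are constructed for this example.

```python
from dataclasses import dataclass

# Constructed model; not KMIP's TTLV encoding or any vendor's server code.
CREATOR_IS_ENTITY_UUID = "entity-uuid"  # slide 10, option 1
CREATOR_IS_SUBJECT = "subject"          # slide 10, option 2

@dataclass
class Entity:
    """A registered Entity owning one or more Credential/Subject values."""
    uuid: str
    subjects: frozenset  # of (kind, value) tuples, e.g. ("tls-dn", "CN=alice")

class Server:
    def __init__(self, creator_mode: str):
        self.creator_mode = creator_mode
        self.entities = {}  # entity uuid -> Entity
        self.objects = {}   # object uuid -> recorded Creator string

    def register_entity(self, entity: Entity) -> None:
        self.entities[entity.uuid] = entity

    def resolve(self, subject: tuple) -> Entity:
        """Slide 2: a subject from TLS or a Credential must map to a registered Entity."""
        for entity in self.entities.values():
            if subject in entity.subjects:
                return entity
        raise PermissionError(f"unregistered subject {subject}")

    def _creator_id(self, entity: Entity, subject: tuple) -> str:
        if self.creator_mode == CREATOR_IS_ENTITY_UUID:
            return entity.uuid
        return f"{subject[0]}:{subject[1]}"

    def create(self, subject: tuple, obj_uuid: str) -> None:
        self.objects[obj_uuid] = self._creator_id(self.resolve(subject), subject)

    def can_get(self, subject: tuple, obj_uuid: str) -> bool:
        """Creator-only access: the requester's creator id must equal the stored one."""
        return self.objects[obj_uuid] == self._creator_id(self.resolve(subject), subject)

def same_entity_other_credential(creator_mode: str) -> bool:
    """Create a key as alice by username, then request it as alice over TLS."""
    srv = Server(creator_mode)
    alice = Entity("ent-0001", frozenset({("username", "alice"), ("tls-dn", "CN=alice")}))
    srv.register_entity(alice)
    srv.create(("username", "alice"), "key-0001")
    return srv.can_get(("tls-dn", "CN=alice"), "key-0001")
```

With Creator = Entity UUID the second request succeeds; with Creator = Subject it is refused, which is the access divergence the slide warns about.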
