KMIP v.Next PGP Support
Michael Allen, Sr. Technical Director, Symantec
Agenda
• Trust Establishment
• Current KMIP Situation
• Proposed Enhancements
Trust Establishment - Email
Trust Establishment – External Directory
Where Are We Now
Note About Notation
How Do We Fit This Into That?
What’s Missing from KMIP?

1. Multiple User IDs
• Each PGP key has multiple user IDs (usually email addresses, can be images as well)
• Searches for other PGP keys usually use these user IDs
• KMIP has certificate identifier but doesn’t have the right bits in that attribute
• User IDs can be signed just as keys can be signed

2. Top Key / Sub Key Structures
• A PGP key consists of a unifying key and multiple purpose-specific sub keys
• Keys are tied together via signatures between each other
• KMIP doesn’t have a link notion between sets of public / private key pairs

3. Arbitrary Signature Sets
• Anyone’s PGP key can sign another key
• These signatures may play a role in arbitrary trust calculations

4. Additional Decryption Key
• PGP-specific feature where the key ID of another PGP key rides along with one’s own PGP key
• Anything encrypted with one’s PGP key also gets encrypted to the ADK
• Searches for ADK occur via its key ID
PGP Certificate Type Re-Examined
Top Key and Sub Key Link Objects
New Link Types (Table 9.1.3.2.20: Link Type Enumeration)
New PGP Key ID Attribute (Section 3.XX)
New PGP User ID Attribute (Section 3.XX)
New PGP ADK Attribute (Section 3.XX)
New PGP Signature Attribute (Section 3.XX)
Michael Allen mike_allen@symantec.com 650-527-0716