Client Registration Examples
Update 5/16/2011
Denis Pochuev
Summary of updates since last presentation
• Summary of the proposal
• Introducing Pending Registration
• Examples of Entity Attributes based on Credential
• Changed Entity Identifier from an enumeration to a new attribute
• Clarified relationship between Owner and object sharing
• Future work
  • Authentication header that can accommodate a 1-to-N mapping between Credential and Entities, and device authentication with a proxy
Summary of the proposal (what we’ve got so far)
• Entity and Credential Objects are used to reflect client identities and to authenticate clients to the server
• Registration (implicit or explicit) creates an Entity and a Credential Object
• Clients can register themselves (self-registration) or other clients, using certificates or username/passwords
• The Authentication header includes the Credential Object to authenticate the client during a general request
Summary of the proposal (contd.)
• Previously proposed registration types
  • Implicit self-registration with cert
  • Explicit self-registration with cert
  • Explicit registration with cert
  • Explicit registration with username/password
• New: Pending registration
  • Can be done with cert or username/password
  • Can be self-registration or registration of another client
  • Has to be explicit
Summary of the proposal (contd.)
• Implicit self-registration with cert (+2 object creations)
  A “normal” Create operation carrying the Authentication header:
    Authentication
      Credential
        Credential Type: Transport Certificate
        Credential Value: <empty>
  Exchange: KMIP Client sends Auth Request + Create; KMIP Server creates the Entity and the Object and returns Entity UUID + Obj UUID. A later Create Object request returns Obj UUID.
• Explicit self-registration with cert (+1 object creation)
    Register
      Object Type = Entity
      Template-Attribute
        Attribute
          Attribute Name: “Credential”
          Attribute Value:
            Credential Type: Transport Certificate
            Credential Value: <empty>
  Exchange: KMIP Client sends Register Entity (Auth Request + Create Entity on the server side); KMIP Server returns Entity UUID. KMIP Client then sends Create Object; KMIP Server returns Obj UUID.
Summary of the proposal (contd.)
• Explicit registration with cert (+1 object creation)
    Register
      Object Type = Entity
      Template-Attribute
        Attribute
          Attribute Name: “Credential”
          Attribute Value:
            Credential Type: Transport Certificate
            Credential Value: Certificate
              Certificate Type: X.509
              Certificate Value: <cert>
  Authentication header of the registering client:
    Authentication
      Credential
        Credential Type: Transport Certificate
        Credential Value: <empty>
  Exchange: KMIP Client sends Register Entity (Auth Request + Create Entity on the server side); KMIP Server returns Entity UUID. KMIP Client then sends Create Object; KMIP Server returns Obj UUID.
Summary of the proposal (contd.)
• Explicit registration with username/password (+1 object creation)
    Register
      Object Type = Entity
      Template-Attribute
        Attribute
          Attribute Name: “Credential”
          Attribute Value:
            Credential Type: Username and Password
            Credential Value:
              Username: “user1”
              Password: “password”
  Authentication header of the registering client:
    Authentication
      Credential
        Credential Type: Username and Password
        Credential Value:
          Username: “user1”
          Password: “password”
  Exchange: KMIP Client sends Register Entity (Auth Request + Create Entity on the server side); KMIP Server returns Entity UUID. KMIP Client then sends Create Object; KMIP Server returns Obj UUID.
Pending Registration
• Asynchronous registration; uses the existing asynchronous request mechanism
• Provides a way for the server admin to authorize requests off-line
    Register
      Object Type = Entity
      Asynchronous Indicator = True
      Template-Attribute
        Attribute
          Attribute Name: “Credential”
          Attribute Value:
            Credential Type: Transport Certificate
            Credential Value: <empty>
  Exchange: KMIP Client sends Register Entity; KMIP Server queues up the request and responds with Status = pending, ACV = 0353256. The server admin authorizes the queued requests. KMIP Client sends Poll with ACV = 0353256; KMIP Server returns Obj UUID.
Entity Attributes based on Credentials
• The result of a registration is an Entity; by default it contains the Credential attribute
    Register
      Object Type = Entity
      Template-Attribute
        Attribute
          Attribute Name: “Credential”
          Attribute Value:
            Credential Type: Transport Certificate
            Credential Value: <empty>
  Resulting Entity:
    Entity UUID: ABCD-1234
      Attribute
        Attribute Name: “Credential”
        Attribute Value: …
Entity Attributes based on Credentials
• …it may have other attributes in addition to Credential
    Register
      Object Type = Entity
      Template-Attribute
        Attribute
          Attribute Name: “Credential”
          Attribute Value:
            Credential Type: Transport Certificate
            Credential Value: <empty>
  Resulting Entity:
    Entity UUID: ABCD-1234
      Attribute
        Attribute Name: “Credential”
        Attribute Value: …
      Attribute
        Attribute Name: “Name”
        Attribute Value: user1
Entity Attributes based on Credentials (contd.)
  Entity UUID: ABCD-1234
    Attribute
      Attribute Name: “Credential”
      Attribute Value: …
    Attribute
      Attribute Name: “Organization”
      Attribute Value: SafeNet-RWC
    Attribute
      Attribute Name: “Name”
      Attribute Value: user1
  Certificate used for the registration:
    Name: user1
    Key Size: 2048
    Start Date: Apr 20 18:30:41 2011 GMT
    Expiration: Apr 17 18:30:41 2021 GMT
    Issuer: C/ST/L: US/CA/RWC, O: SafeNet-RWC, OU: SafeNet, CN: testCA, emailAddress: testCA@safenet-inc.com
    Subject: C/ST/L: US/CA/RWC, O: SafeNet-RWC, OU: SafeNet, CN: user1, emailAddress: user1@safenet-inc.com
• Entity registration may result in additional attributes being added to the Entity object
• The exact procedure for deriving the attributes from the Credential and/or certificate is at the server’s discretion
Entity Identifier
• Before:
  • Part of Locate
  • Entity Identifier, see 9.1.3.2.31
  • An enumeration used by the client to locate Entities with special properties
      Locate
        Entity Identifier = Self
• After:
  • New attribute
      Locate
        Attribute
          Attribute Name = Entity Identifier
          Attribute Value = Self
Owner and Sharing
• Owner is:
  • An attribute that holds the Unique Identifier of the Entity object that owns the given object
  • By default an Entity is allowed to operate only on the objects it owns
  • This default can be overridden by server policy
• Owner is not:
  • At least in the current revision of the spec, a method to address object sharing
Optional Entity in Authentication Header
• Current assumption: 1-to-1 mapping between Credential and Entity (only one Entity corresponds to a given Credential)
• Adding attributes to Entity registration and sending the Entity UUID in the Authentication header addresses the 1-to-N case
    Register
      Object Type = Entity
      Template-Attribute
        Attribute
          Attribute Name: “Credential”
          Attribute Value:
            Credential Type: Transport Certificate
            Credential Value: Certificate
              Certificate Type: X.509
              Certificate Value: <cert>
        Attribute id = 0xb34a32b23a43093d
        Attribute ip-addr = 10.10.10.10
        Attribute mac-addr = 02:ba:d0:ca:fe:99
  Authentication header of a subsequent request:
    Authentication
      Credential
        Credential Type: Transport Certificate
        Credential Value: <empty>
      Entity UUID = 0x172b45a435890c9078243589de2309458
  Exchange: KMIP Client sends Register Entity (Auth Request + Create Entity on the server side); KMIP Server returns Entity UUID. KMIP Client then sends Create Object; KMIP Server returns Obj UUID.
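As an added illustration (not code from the presentation or from any KMIP implementation), the Python sketch below models the server-side behaviour described on the Pending Registration, Entity Attributes, Owner and Sharing, and Optional Entity slides: Register creates an Entity that carries its Credential plus attributes derived from the certificate Subject, an asynchronous Register is queued until an admin authorizes it, the Authentication header is resolved to exactly one Entity (with an Entity UUID required once one Credential maps to several Entities), and the default Owner policy is enforced. The class and method names, the generated identifiers, and the derivation rule Name from CN and Organization from O are assumptions made for the example.

```python
import itertools
class MockKmipServer:
    """Toy model of the Entity/Credential registration proposal; not a KMIP implementation."""
    def __init__(self):
        self.entities, self.objects, self.pending = {}, {}, {}
        self._ids = itertools.count(1)

    def _uuid(self, prefix):
        return f"{prefix}-{next(self._ids):04d}"       # constructed identifiers, not real UUIDs

    def register_entity(self, credential, attributes=None, subject=None, asynchronous=False):
        """Register, Object Type=Entity. Credential is a (Credential Type, Credential Value) pair;
        Name <- CN and Organization <- O mirror the slide's example (real rule: server discretion)."""
        if asynchronous:                               # pending registration: queue, create nothing yet
            acv = self._uuid("ACV")
            self.pending[acv] = (credential, attributes, subject)
            return {"Result Status": "Pending", "Asynchronous Correlation Value": acv}
        attrs = {"Credential": credential, **(attributes or {})}
        if subject:
            attrs.setdefault("Name", subject.get("CN"))
            attrs.setdefault("Organization", subject.get("O"))
        uuid = self._uuid("ENT")
        self.entities[uuid] = attrs
        return {"Result Status": "Success", "Unique Identifier": uuid}

    def authorize_pending(self, acv):
        """Server admin authorizes the queued request off-line; the client's Poll then succeeds."""
        return self.register_entity(*self.pending.pop(acv))

    def authenticate(self, credential, entity_uuid=None):
        """Resolve the Authentication header to exactly one Entity; 1-to-N needs the Entity UUID."""
        found = [u for u, e in self.entities.items()
                 if e["Credential"] == credential and entity_uuid in (None, u)]
        if len(found) != 1:                            # unknown credential, or ambiguous mapping
            raise PermissionError("credential does not resolve to exactly one Entity")
        return found[0]

    def create_object(self, credential, entity_uuid=None):
        """Create: the authenticated Entity becomes the Owner of the new object."""
        uid = self._uuid("OBJ")
        self.objects[uid] = {"Owner": self.authenticate(credential, entity_uuid)}
        return uid

    def get_object(self, credential, object_uuid, entity_uuid=None):
        """Default policy: an Entity may operate only on objects it owns."""
        obj = self.objects[object_uuid]
        if obj["Owner"] != self.authenticate(credential, entity_uuid):
            raise PermissionError("Permission Denied")
        return obj
```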