1 / 10

KMIP PKCS#12

KMIP PKCS#12. February 2014 Tim Hudson – tjh@cryptsoft.com. 1. Context. PKCS#12 is used as the general protected import/export of credentials (private key, certificate, certificate chains) all password protected.

judah
Download Presentation

KMIP PKCS#12

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. KMIP PKCS#12 February 2014 Tim Hudson – tjh@cryptsoft.com 1

  2. Context PKCS#12 is used as the general protected import/export of credentials (private key, certificate, certificate chains) all password protected. Supporting this usage within KMIP is desirable as many vendors use this as the primary format for loading in client credentials or for providing server generated client credentials. 2

  3. Challenges PKCS#12 • Complex format • Contains arbitrary buckets of keys and certificates • Simple usage is common – private key, certificate, CA certificates (with possible intermediate chain) 3

  4. Example PKCS#8 Register 4

  5. Map as Key Wrapping Format • Add PKCS12 as a Key Format Type (to match PKCS#1, PKCS#8 existing usage) is simple • Adding PKCS12 as a Key Wrapping approach is less straight forward • Where does the password/passphrase go? • Same issue for PKCS#8 as for PKCS#12 5

  6. Key Wrapping 6

  7. Key Wrapping 7

  8. Example Current Usage Key To-Be-Wrapped Wrapping Key 8

  9. Example Current Usage 9

  10. Map as Key Wrapping Format • If PKCS#12 (and PKCS#8) are allowed as Key Wrapping Format values then • Which managed objects get packaged? • Which managed objects can this be used against? • PKCS#12 is used for both protected private key transport and bucket-of-certificates transport (trust chains) • Follow the links? • Works for Private Key and Public Key to Certificate • Doesn’t work for the chain – unless we add in the links using the new link types … • Reference a Secret Data managed object for the passphrase? 10

More Related