KMIP Template Discussion
Bruce Rich
Sept 12, 2012
Original Observation
• GET of TEMPLATE seems underspecified
• The current implementations return different results…not useful
• Useful result would be that a conformant GET of a TEMPLATE would only return specified results
Different views of TEMPLATEs
• “Bag of ATTRIBUTEs” view
• “Immutable body” view
“Bag of ATTRIBUTEs” view
• Managed Objects have ATTRIBUTEs
• And nothing else
• The only content are the ATTRIBUTEs mentioned in section
• Some are client-settable, others are server-managed
• Lifecycle is that of Managed Object
• Can edit (post-registration) via AddAttribute, ModifyAttribute, DeleteAttribute
• So GET should return a specified subset of its ATTRIBUTEs?
“Immutable body” view
• Blob at end of Register operation is the body
• It’s immutable
• Can AddAttribute, ModifyAttribute, DeleteAttribute other Attributes, but not “body”
• So seems to have a different lifecycle
• Once REGISTERed, cannot modify “body”, have to REGISTER different object to get different “body”
• So GET should return the “body”?
Additional observations
• Register need not have any content in blob at end
    • Error?
    • Change spec?
    • Feature?
• Two use cases supported
    • Register a key for management without disclosing key material to server…HSM…
    • Template composition, either in concert with just other templates, or in combination with inline attributes
• Document use cases?
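Added illustration, not part of the original slides and not a KMIP implementation: a toy in-memory server that runs the same client sequence under each view and shows that GET returns different results, including for a Register with an empty blob. The class, its method names, the sample attribute values, and the choice to return every attribute in the "bag" view are assumptions made for the example.

```python
from types import MappingProxyType

class ToyServer:
    """Toy model of one reading of TEMPLATE ("bag" or "body"); hypothetical."""
    def __init__(self, view):
        if view not in ("bag", "body"):
            raise ValueError(view)
        self.view, self.objects = view, {}

    def register(self, blob=None):
        uid = str(len(self.objects) + 1)
        blob = dict(blob or {})  # Register may arrive with an empty blob
        obj = {"attrs": {"Unique Identifier": uid}}  # server-managed attribute
        if self.view == "bag":
            obj["attrs"].update(blob)  # blob is just more attributes
        else:
            obj["body"] = MappingProxyType(blob)  # frozen at Register time
        self.objects[uid] = obj
        return uid

    def add_attribute(self, uid, name, value):
        self.objects[uid]["attrs"][name] = value

    def modify_attribute(self, uid, name, value):
        attrs = self.objects[uid]["attrs"]
        if name not in attrs:
            raise KeyError(name)  # "body" view: body entries are not editable
        attrs[name] = value

    def get(self, uid):
        obj = self.objects[uid]
        if self.view == "bag":
            return dict(obj["attrs"])  # assumption: the subset is "all"
        return dict(obj["body"])       # only what Register supplied

def same_client_two_servers():
    """Run one client sequence against both views; return each GET result."""
    results = {}
    for view in ("bag", "body"):
        s = ToyServer(view)
        uid = s.register({"Cryptographic Algorithm": "AES",
                          "Cryptographic Length": 128})  # constructed sample
        s.add_attribute(uid, "Name", "aes-template")
        try:
            s.modify_attribute(uid, "Cryptographic Length", 256)
        except KeyError:
            pass  # "body" view: must REGISTER a different object instead
        results[view] = s.get(uid)
    return results
```

A client that relies on GET to learn what a template will apply sees a 256-bit length from one server and 128 from the other, which is the interoperability gap the slides describe.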