Client Registration Open Issues Update
5/27/2011
Denis Pochuev (original proposal by Alan Frindell)
Slide 2: List of the open issues

- Username vs. Entity Name
- Implicit Registration response
- "Locate self": parameter or attribute?
- Which Locate operations should be allowed on Entities?
- Device Credential
- Proxy Registration/Authentication
- CSR Credential
Slide 3: Username vs. Entity Name

Message flow (KMIP Client -> KMIP Server):
- Auth Request + Create Entity: Register (Object Type = Entity) -> Entity UUID
- Create Object -> Obj UUID

KMIP Client Authentication header:
  Credential
    Credential Type: Username and Password
    Credential Value: Username "user1", Password "password"

Register request:
  Object Type = Entity
  Template-Attribute
    Attribute Name: "Credential"
    Attribute Value: Credential Type: Username and Password; Credential Value: Username "user1", Password "password"

Resulting Entity on the server:
  Entity UUID: ABCD-1234
  Attribute Name: "Credential", Attribute Value: …
  Attribute Name: "Name", Attribute Value: user1
Slide 4: Implicit Registration Response

Message flow (KMIP Client -> KMIP Server):
- Auth Request + Create Entity + Create Object -> Entity UUID + Obj UUID
- Create Object -> Obj UUID

Authentication header:
  Credential
    Credential Type: Transport Certificate
    Credential Value:

- Implicit self-registration with cert (+2 object creations)
- What if we did not return Entity UUID? No Error => both Entity and Object were created
- Use "Locate self" to get Entity UUID
Slide 5: Locate Self: parameter or attribute?

Alternative 1: Part of Locate
- Entity Identifier, see A
- An enumeration object used by the client to locate Entities with special properties
- Locate: Entity Identifier = Self

Alternative 2: New attribute
- Locate: Attribute
    Attribute Name = Entity Identifier
    Attribute Value = Self
Slide 6: What Locate operations should be allowed on Entities?

- Find all Entities with Transport Certificate Credentials:
    Locate: Credential, Credential Type: Transport Certificate
- Find an Entity by its transport certificate:
    Locate: Credential, Credential Type: Transport Certificate, Credential Value: Certificate:
- Find yourself:
    Locate: Entity Identifier = Self
- Find all objects owned by :
    Locate: Owner =
Slide 7: Device Credential

Credential/Subject Type | Value
- Username and Password (KMIP v1) | Username
- Device | World Wide Name
- Distinguished Name
- SAML Subject
- Open ID

Authentication Information Type | Value
- Password
- X.509 Certificate
- Kerberos Ticket
- Extensions 8XXXXXXX

- Part of an earlier proposal
- Needs a "secret" part to protect against entity impersonation
Slide 8: Proxy Registration/Authentication

- Important use-case
- KMIP participants: a single proxy is responsible for establishing and running the TLS tunnel; multiple lightweight KMIP clients are connected through the proxy to the server
- Should it be a part of the current proposal?
- Support for devices that cannot save their own UUIDs
Slide 9: Optional Entity in Authentication Header

- Current assumption: 1-to-1 mapping between Credential and Entity (only one Entity corresponds to a given Credential)
- Adding attributes to Entity registration + sending Entity UUID in the Authentication header addresses that issue

Message flow (KMIP Client -> KMIP Server):
- Auth Request + Create Entity: Register (Object Type = Entity) -> Entity UUID
- Create Object -> Obj UUID

Authentication header:
  Credential
    Credential Type: Transport Certificate
    Credential Value:
  Entity UUID = 0x172b45a435890cde

KMIP Client Register request:
  Object Type = Entity
  Template-Attribute
    Attribute Name: "Credential"
    Attribute Value: Credential Type: Transport Certificate; Credential Value: Certificate (Certificate Type: X.509, Certificate Value: )
    Attribute id = 0xb34a32b23a43093d
    Attribute ip-addr =
    Attribute mac-addr = 02:ba:d0:ca:fe:99
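As an added illustration (not code from the proposal or from any KMIP implementation), the following Python models the server side of the Entity Locate queries on slide 6 and the Credential-to-Entity resolution on this slide: when several Entities share one transport certificate (the proxy case), the optional Entity UUID in the Authentication header picks the right one. The Registry class, its method names and all sample values are assumptions.

```python
from dataclasses import dataclass, field
from itertools import count

@dataclass
class Credential:
    cred_type: str  # "Username and Password", "Transport Certificate", ...
    value: dict     # e.g. {"Username": "user1", "Password": "..."} or {"Certificate": b"..."}

@dataclass
class Entity:
    uuid: str
    credential: Credential
    attributes: dict = field(default_factory=dict)  # id, ip-addr, mac-addr, ...

class Registry:  # hypothetical in-memory stand-in for the server's Entity/object store
    def __init__(self):
        self._ids = count(1)
        self.entities = {}  # Entity UUID -> Entity
        self.owners = {}    # object UUID -> owning Entity UUID

    def register_entity(self, credential, **attributes):
        uuid = f"entity-{next(self._ids)}"  # constructed UUIDs, not real KMIP UUIDs
        self.entities[uuid] = Entity(uuid, credential, attributes)
        return uuid

    def create_object(self, owner_uuid):
        uuid = f"obj-{next(self._ids)}"
        self.owners[uuid] = owner_uuid
        return uuid

    def authenticate(self, credential, entity_uuid=None):
        """Map the Authentication header to exactly one Entity (None = reject).
        Several Entities may share one credential (e.g. devices behind a proxy
        certificate); the optional Entity UUID in the header disambiguates."""
        matches = [e.uuid for e in self.entities.values() if e.credential == credential]
        if entity_uuid is not None:
            return entity_uuid if entity_uuid in matches else None
        return matches[0] if len(matches) == 1 else None

    def locate(self, self_uuid, credential_type=None, credential_value=None,
               entity_identifier=None, owner=None):
        """The four Entity-related Locate queries from the slides."""
        if owner is not None:  # all objects owned by an Entity
            return sorted(o for o, e in self.owners.items() if e == owner)
        if entity_identifier == "Self":  # "find yourself"
            return [self_uuid]
        found = [e.uuid for e in self.entities.values()
                 if (credential_type is None or e.credential.cred_type == credential_type)
                 and (credential_value is None or e.credential.value == credential_value)]
        return sorted(found)
```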
Slide 10: CSR (Certificate Signing Request) Credential

- Client wants to register an entity and receive a signed Transport Certificate

Register request:
  Object Type = Entity
  Template-Attribute
    Attribute Name: "Credential"
    Attribute Value: Credential Type: Certificate Request; Credential Value: Certificate (Certificate Type: X.509, Certificate Value: CSR)

Message flow (KMIP Client -> KMIP Server):
- Auth Request + Create Entity: Register (Object Type = Entity) -> Entity UUID
- Create Object -> Obj UUID
- Get Certificate -> Obj UUID

KMIP Client using the new certificate, Authentication header:
  Credential
    Credential Type: Transport Certificate
    Credential Value: