
Client Registration Open Issues Update, 5/27/2011, Denis Pochuev (original proposal by Alan Frindell)


Slide 2: List of the open issues

- Username vs. Entity Name
- Implicit Registration response
- "Locate self": parameter or attribute?
- Which Locate operations should be allowed on Entities?
- Device Credential
- Proxy Registration/Authentication
- CSR Credential

Slide 3: Username vs. Entity Name

Message flow (KMIP Client -> KMIP Server):
  Auth Request + Create Entity: Register Entity -> Entity UUID
  Create Object                                 -> Obj UUID

Register request:
  Register
    Object Type = Entity
    Template-Attribute
      Attribute
        Attribute Name: "Credential"
        Attribute Value:
          Credential Type: Username and Password
          Credential Value:
            Username: "user1"
            Password: "password"

Authentication header on subsequent requests:
  Authentication
    Credential
      Credential Type: Username and Password
      Credential Value:
        Username: "user1"
        Password: "password"

Resulting Entity on the server:
  Entity UUID: ABCD-1234
    Attribute  Name: "Credential"  Value: ...
    Attribute  Name: "Name"        Value: user1

Slide 4: Implicit Registration Response

Message flow (KMIP Client -> KMIP Server):
  Auth Request + Create Entity + Create Object -> Entity UUID + Obj UUID
  Create Object                                -> Obj UUID

Authentication header:
  Authentication
    Credential
      Credential Type: Transport Certificate
      Credential Value: <omitted on slide>

- Implicit self-registration with cert (+2 object creations)
- What if we did not return the Entity UUID?
  - No Error => both Entity and Object were created
  - Use "Locate self" to get the Entity UUID

Slide 5: Locate Self: parameter or attribute?

- Alternative 1: part of Locate
    Entity Identifier (see 9.1.3.2.31): an enumeration object used by the client to locate Entities with special properties
    Locate
      Entity Identifier = Self

- Alternative 2: new attribute
    Locate
      Attribute
        Attribute Name = Entity Identifier
        Attribute Value = Self

Slide 6: What Locate operations should be allowed on Entities?

- Find all Entities with Transport Certificate credentials:
    Locate
      Credential
        Credential Type: Transport Certificate

- Find an Entity by its transport certificate:
    Locate
      Credential
        Credential Type: Transport Certificate
        Credential Value:
          Certificate: <omitted on slide>

- Find yourself:
    Locate
      Entity Identifier = Self

- Find all objects owned by <entity>:
    Locate
      Owner = <entity>

Slide 7: Device Credential

  Credential/Subject Type            Value
  Username and Password (KMIP v1)    00000001
  Username                           00000002
  Device                             00000003
  World Wide Name                    00000004
  Distinguished Name                 00000005
  SAML Subject                       00000006
  Open ID                            00000007

  Authentication Information Type    Value
  Password                           00000001
  X.509 Certificate                  00000002
  Kerberos Ticket                    00000003
  Extensions                         8XXXXXXX

- Part of an earlier proposal
- Needs a "secret" part to protect against entity impersonation

Slide 8: Proxy Registration/Authentication

- Important use case among KMIP participants: a single proxy is responsible for establishing and running the TLS tunnel, and multiple lightweight KMIP clients are connected through the proxy to the server
- Should it be a part of the current proposal?
- Support for devices that cannot save their own UUIDs

Slide 9: Optional Entity in Authentication Header

- Current assumption: 1-to-1 mapping between Credential and Entity (only one Entity corresponds to a given Credential)
- Adding attributes to Entity registration + sending the Entity UUID in the Authentication header addresses that issue

Message flow (KMIP Client -> KMIP Server):
  Auth Request + Create Entity: Register Entity -> Entity UUID
  Create Object                                 -> Obj UUID

Authentication header:
  Authentication
    Credential
      Credential Type: Transport Certificate
      Credential Value: <omitted on slide>
    Entity UUID = 0x172b45a435890c9078243589de2309458

Register request:
  Register
    Object Type = Entity
    Template-Attribute
      Attribute
        Attribute Name: "Credential"
        Attribute Value:
          Credential Type: Transport Certificate
          Credential Value:
            Certificate
              Certificate Type: X.509
              Certificate Value: <omitted on slide>
      Attribute id=0xb34a32b23a43093d
      Attribute ip-addr=10.10.10.10
      Attribute mac-addr=02:ba:d0:ca:fe:99
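To make the registration, authentication and Locate semantics of slides 3, 6 and 9 concrete, here is an added toy server-side model (example code, not from the presentation or any KMIP implementation). Class and method names, the in-memory registry, and the sample credentials are assumptions; in particular it shows why a credential shared by several Entities needs the Entity UUID in the Authentication header.

```python
# Added example; names are assumptions, not KMIP specification identifiers.
import uuid
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Credential:
    """Credential Type plus Credential Value, as carried in the Authentication header."""
    cred_type: str   # "Username and Password" or "Transport Certificate"
    value: tuple     # hashable value, e.g. (("Username", "user1"), ("Password", "..."))

@dataclass
class Entity:
    uid: str
    credential: Credential
    attributes: dict = field(default_factory=dict)  # e.g. id, ip-addr, mac-addr (slide 9)
    owned: list = field(default_factory=list)       # Obj UUIDs created by this Entity

class Registry:
    def __init__(self):
        self.entities = {}   # Entity UUID -> Entity

    def register_entity(self, credential, attributes=None):
        """Register (Object Type=Entity, 'Credential' attribute); returns the Entity UUID."""
        ent = Entity(str(uuid.uuid4()), credential, dict(attributes or {}))
        self.entities[ent.uid] = ent
        return ent.uid

    def authenticate(self, credential, entity_uid=None):
        """Resolve the Authentication header to exactly one Entity; the optional
        Entity UUID disambiguates when several Entities share one credential."""
        hits = [e for e in self.entities.values() if e.credential == credential
                and (entity_uid is None or e.uid == entity_uid)]
        if len(hits) != 1:
            raise PermissionError("credential does not identify exactly one Entity")
        return hits[0]

    def create_object(self, caller):
        """Create Object on behalf of the authenticated Entity; returns the Obj UUID."""
        obj_uid = str(uuid.uuid4())
        caller.owned.append(obj_uid)
        return obj_uid

    def locate(self, caller, cred_type=None, cred_value=None, self_only=False, owner=None):
        """The four Locate forms of slide 6; returns a list of UUIDs."""
        if owner is not None:          # Locate Owner=<entity>: objects that Entity created
            return list(self.entities[owner].owned)
        if self_only:                  # Locate Entity Identifier=Self
            return [caller.uid]
        return [e.uid for e in self.entities.values()
                if (cred_type is None or e.credential.cred_type == cred_type)
                and (cred_value is None or e.credential.value == cred_value)]
```

A real server would store a password hash rather than the password and compare credentials in constant time; the toy compares plain values only to keep the mapping logic visible.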

Slide 10: CSR Credential

- Client wants to register an entity and receive a signed Transport Certificate

Register request:
  Register
    Object Type = Entity
    Template-Attribute
      Attribute
        Attribute Name: "Credential"
        Attribute Value:
          Credential Type: Certificate Request
          Credential Value:
            Certificate
              Certificate Type: X.509
              Certificate Value: CSR

Message flow (KMIP Client -> KMIP Server):
  Auth Request + Create Entity: Register Entity -> Entity UUID
  Get Certificate                               -> Obj UUID
  Create Object (KMIP Client using the new certificate) -> Obj UUID

Authentication header once the client uses the new certificate:
  Authentication
    Credential
      Credential Type: Transport Certificate
      Credential Value: <omitted on slide>

