KMIP Entity Object and Client Registration
Alan Frindell
Contributors: Robert Haas, Indra Fitzgerald
SafeNet, Inc
11/17/2010
What can you do with an entity?
• Require subjects passed in TLS and/or Credential to be registered entities
• Register or generate data that can be used during authentication, possibly to a third-party system
• Restrict operations that create objects, including other entities
• Register Attributes that can be searched and retrieved
  • Possible policy-relevant attributes, such as FIPS Level, hardware capabilities, server-to-client operation support
• Register extended data that can be logged by the server
• Supply connection details for Server-to-Client messages
• Ask the server to notify the entity when one or more objects change
How are entities created?
• Manually entered by a server administrator
• Imported from a third-party directory by a server administrator
• Explicitly registered by a KMIP client with appropriate permissions
  • Some server implementations may require administrator approval before the entity is registered
  • May require asynchronous polling by clients to be effective
• Implicitly registered by a KMIP client by sending a new Credential object in a request
Credential Redefinition (original proposal)
• Username and Password Credential Value still supported for backwards compatibility

Credential Redefinition (new proposal)
• Much cleaner
• Username and Password Credential Value no longer supported
Entity Definition
• Entity Attributes:
  • UUID, Name, Object Type, Operation Policy, Initial Date, Destroy Date, App Specific Info, Contact Info, Last Change Date, Custom Attributes
  • New (up for discussion): Archive Date, Object Group, Entity Operation Policy
• Entity Operations:
  • Register, Locate, Get, Get Attributes, Get Attribute List, Add Attribute, Modify Attribute, Delete Attribute, Destroy
New: Default Operation Policy for Entity Objects (for operations on the Entity object)
• Operation Policy = what operations are allowed on the Entity object

Default Entity Operation Policy
• Entity Operation Policy = what operations the Entity is allowed to perform
Entity / Creator Relationship
• KMIP v1 loosely defines Creator as the 'identity of the client'
• With Entity, it is possible to define Creator explicitly as:
  • The UUID of the Entity that created the object
  • The Subject of the Entity that created the object
    • In this case, a given Entity will have access to different objects depending on how it authenticated
• The Creator of an Entity may be different from the Entity itself, which may be confusing
• Can an Entity have more than one Credential/Subject of a given type?
  • Ex: More than one username?
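The two policies on the preceding slides (the Operation Policy governing operations on the Entity object, and the Entity Operation Policy governing what the Entity may do) and the UUID-versus-Subject choice for Creator are easy to conflate. The toy server below is an added illustration, not code from the proposal or from any KMIP implementation, and it uses nothing of the KMIP wire encoding: entity registration, subject-to-entity authentication, the two-layer authorization check, and a `creator_mode` switch are all hypothetical names chosen here. It shows concretely why, with Creator recorded as a Subject, the same Entity loses creator rights on its own object when it authenticates with a different credential.

```python
"""Toy model of KMIP Entity policies and the Creator-as-UUID vs Creator-as-Subject question.

Hypothetical data model for illustration only; operation names mirror the slides,
everything else (class names, fields, creator_mode) is invented for this example.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set
import uuid

# Operations listed on the "Entity Definition" slide; used as the admin's rights on Entity objects.
ENTITY_OPS = {"Register", "Locate", "Get", "GetAttributes", "GetAttributeList",
              "AddAttribute", "ModifyAttribute", "DeleteAttribute", "Destroy"}


@dataclass
class Entity:
    uuid: str
    subjects: Dict[str, str]              # credential type -> registered subject, e.g. "TLS" -> DN
    entity_operation_policy: Set[str]     # what this Entity is allowed to perform (slide: Entity Operation Policy)


@dataclass
class ManagedObject:
    uuid: str
    object_type: str
    creator: str                          # Entity UUID or Subject, depending on the server's creator_mode
    creator_ops: Set[str]                 # Operation Policy: ops allowed to the creator of this object
    other_ops: Set[str]                   # Operation Policy: ops allowed to every other registered entity


class Server:
    def __init__(self, creator_mode: str = "uuid") -> None:
        assert creator_mode in ("uuid", "subject"), "hypothetical switch for the two Creator definitions"
        self.creator_mode = creator_mode
        self.entities: Dict[str, Entity] = {}
        self.objects: Dict[str, ManagedObject] = {}

    def register_entity(self, subjects: Dict[str, str], allowed_ops: Set[str],
                        registered_by: str) -> Entity:
        """Create an Entity and, because an Entity is itself a managed object, give it an
        Operation Policy: the registering principal gets every entity operation, others read-only."""
        ent = Entity(str(uuid.uuid4()), dict(subjects), set(allowed_ops))
        self.entities[ent.uuid] = ent
        self.objects[ent.uuid] = ManagedObject(ent.uuid, "Entity", registered_by,
                                               set(ENTITY_OPS), {"Get", "GetAttributes"})
        return ent

    def authenticate(self, cred_type: str, subject: str) -> Optional[Entity]:
        """Require the subject presented in TLS or a Credential to be a registered Entity."""
        for ent in self.entities.values():
            if ent.subjects.get(cred_type) == subject:
                return ent
        return None                       # unknown subject: request is refused

    def _principal(self, ent: Entity, subject: str) -> str:
        return ent.uuid if self.creator_mode == "uuid" else subject

    def create_object(self, cred_type: str, subject: str, object_type: str,
                      creator_ops: Set[str], other_ops: Set[str]) -> Optional[ManagedObject]:
        ent = self.authenticate(cred_type, subject)
        if ent is None or "Create" not in ent.entity_operation_policy:
            return None                   # entity may not create objects at all
        obj = ManagedObject(str(uuid.uuid4()), object_type, self._principal(ent, subject),
                            set(creator_ops), set(other_ops))
        self.objects[obj.uuid] = obj
        return obj

    def authorize(self, cred_type: str, subject: str, operation: str, object_uuid: str) -> bool:
        """Layer 1: is the requester a registered Entity whose Entity Operation Policy permits
        the operation?  Layer 2: does the target object's Operation Policy permit it for this
        requester (creator vs. other)?"""
        ent = self.authenticate(cred_type, subject)
        if ent is None or operation not in ent.entity_operation_policy:
            return False
        obj = self.objects.get(object_uuid)
        if obj is None:
            return False
        allowed = obj.creator_ops if self._principal(ent, subject) == obj.creator else obj.other_ops
        return operation in allowed


def demo() -> Dict[str, bool]:
    """Run the same scenario under both Creator definitions; constructed sample data."""
    results: Dict[str, bool] = {}
    for mode in ("subject", "uuid"):
        srv = Server(creator_mode=mode)
        alice = srv.register_entity({"TLS": "CN=alice", "Username": "alice"},
                                    {"Create", "Get", "Locate", "Destroy"}, registered_by="admin")
        srv.register_entity({"TLS": "CN=bob"}, {"Get", "Locate", "Destroy"}, registered_by="admin")
        srv.register_entity({"TLS": "CN=carol"}, {"Get"}, registered_by="admin")
        key = srv.create_object("TLS", "CN=alice", "SymmetricKey", {"Get", "Destroy"}, {"Get"})
        results[f"{mode}_alice_tls_get"] = srv.authorize("TLS", "CN=alice", "Get", key.uuid)
        # Same Entity, different credential: creator only if Creator is the UUID.
        results[f"{mode}_alice_user_destroy"] = srv.authorize("Username", "alice", "Destroy", key.uuid)
        # Bob's Entity policy allows Destroy, but the key's Operation Policy does not, for non-creators.
        results[f"{mode}_bob_destroy"] = srv.authorize("TLS", "CN=bob", "Destroy", key.uuid)
        # Carol's Entity policy lacks Destroy: refused before the object policy is consulted.
        results[f"{mode}_carol_destroy"] = srv.authorize("TLS", "CN=carol", "Destroy", key.uuid)
        results[f"{mode}_unregistered"] = srv.authorize("TLS", "CN=mallory", "Get", key.uuid)
        # The Entity object itself has an Operation Policy: readable by others, destroyable only by admin.
        results[f"{mode}_bob_get_alice_entity"] = srv.authorize("TLS", "CN=bob", "Get", alice.uuid)
        results[f"{mode}_bob_destroy_alice_entity"] = srv.authorize("TLS", "CN=bob", "Destroy", alice.uuid)
    return results
```

The `alice_user_destroy` result is the point of the Creator discussion: in `subject` mode Alice's password login is a different principal from her TLS identity, so she is treated as "other" on a key she created, while in `uuid` mode both logins resolve to the same Entity and the creator rights follow her.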