KMIP Compliance Redefining Server and Client requirements to claim compliance Presented by: Bob Lockhart.

Feel the Pain
The current standard does not require either the server or the client to support all aspects of either of the profiles defined
– Requires point-to-point interoperability testing
  – Each vendor must test with every other vendor
  – At some point we get to product-by-product testing between two vendors that have multiple products using KMIP, with no two products making use of the same set of operations, objects and attributes

Why fix it
Due to the limited number of vendors with products currently, the solution has been patched together so that interop went off fairly well at RSA
– It should be noted the man behind the curtain was still apparent to some folks, based on feedback from end users
This does not scale in the long run
To make life easier for other parts of the specification we should address it now rather than later
– Capability Advertisement/Negotiation will otherwise have to include every object, operation, attribute and feature supported by every server and client

Solution
The major problem is that there are vendors that only want to build a solution that works for their devices
– Server with no full profile support
– Client with only a portion of a given profile
They are using KMIP, so they should be able to claim compliance

Two Servers, One Client
To solve the “non-public profile” client/server dilemma, two server definitions and one client definition can be created and interoperability ensured
– Profile Compliant Server
– Profile Compliant Client
– Client Specific Server

KMIP Profile Compliant Server
A server that provides all required and optional objects, operations, messaging and attributes of a specific profile
– All objects unless specified as not required in the profile
– All operations unless specified as not required in the profile
– All optional attributes unless specified as not required in the profile
– Extended attributes using a pre-defined mechanism (TBD as part of 2.0?)
– All defined wire protocols (TLS, SSL, IPSec, etc.)
– All defined methods of authentication
  We need to keep it simple here and to one method if possible…

KMIP Profile Compliant Client
A client that supports one or more defined objects, operations and/or functions of a given profile for which compliance is claimed
– The profile can make all client functions optional, so that only one has to be implemented to claim compliance, or it can define the minimum required support for a given profile
– In the case of a client, less is more
– Extensions will need to be well defined so that vendors with clients can use extensions existing in profiles and add the objects and attributes they need (TBD as part of 2.0?)
  This will be the toughest part: how to store and return unknown extensions
– Only one wire protocol must be supported
– Only one of the defined authentication mechanisms must be supported by the client

KMIP Client Specific Server
A server that is built to support a specific set of clients
– A set can be one client, or various clients belonging to a device type or a client vendor's product line
In order to claim KMIP compliance, the clients it supports must be Profile Compliant Clients
– If the target client or clients do not support a defined profile, then the server cannot claim compliance as a KMIP Client Specific Server
Extensions must be supported in a predefined manner (TBD as part of 2.0?)
– Again, since KMIP Profile Compliant Clients have to support extensions in a set way, any extensions used by the server to the client must also comply with extension definitions as per KMIP v2.0
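
The three roles defined in the preceding slides, encoded as a small conformance check; this is an added example, not code from the presentation or from any KMIP implementation. The profile, its item names (apart from the real KMIP names SymmetricKey, Create, Get, Destroy and Locate) and the sample server/client capability sets are constructed for illustration, and a profile's "not required" and "minimum client support" rules are assumed to be expressed as plain item sets.

```python
# Constructed model (not from the presentation) of the three compliance roles.
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    """Items a profile covers; not-required items are exempt for servers,
    client_minimum is the least a client must implement (may be empty)."""
    name: str
    items: frozenset
    not_required: frozenset = frozenset()
    client_minimum: frozenset = frozenset()

    def required(self):
        return self.items - self.not_required

def is_profile_compliant_server(profile, supported):
    """Server must provide everything the profile lists minus not-required."""
    return profile.required() <= set(supported)

def is_profile_compliant_client(profile, supported):
    """Client must use at least one profile item (or the stated minimum)
    and nothing outside the profile."""
    used = set(supported)
    return bool(used) and used <= profile.items and profile.client_minimum <= used

def is_client_specific_server(profile, supported, target_clients):
    """Each target client must itself be Profile Compliant, and the server
    must cover the union of what those clients use."""
    if not target_clients or not all(
            is_profile_compliant_client(profile, c) for c in target_clients):
        return False
    return set().union(*target_clients) <= set(supported)

def interoperates(profile, server, client):
    """The guarantee sought: a compliant server meets or exceeds a compliant
    client's needs whenever the two share a profile."""
    return is_profile_compliant_client(profile, client) and (
        is_profile_compliant_server(profile, server)
        or is_client_specific_server(profile, server, [client]))

# Constructed sample profile and implementations (names illustrative only).
STORAGE = Profile("storage-array",
                  frozenset({"SymmetricKey", "Create", "Get", "Destroy",
                             "Locate", "x-VendorAttr"}),
                  not_required=frozenset({"x-VendorAttr"}))
FULL_SERVER = {"SymmetricKey", "Create", "Get", "Destroy", "Locate"}
NARROW_SERVER = {"SymmetricKey", "Get"}
SMALL_CLIENT = {"SymmetricKey", "Get"}
```

NARROW_SERVER cannot claim Profile Compliant Server status, but it can claim Client Specific Server status for SMALL_CLIENT, and the interoperability property still holds for that pair.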

Creating Public Profiles
Any vendor or organization (other standards bodies) should be able to create a profile and publish it
– The profile would have to be publicly available and would need to be registered with a KMIP profile registry (TBD if this is even an option)
– This would allow a vendor to claim to be a KMIP Profile Compliant Server as long as they clearly defined all aspects of the profile, including:
  Objects, Operations, Messaging, Error Messages & Extensions
  Wrapping mechanisms
  Protocols and associated service ports
  Authentication mechanisms
  Others?

Conclusion
A simplified interoperability specification
– Creates ensured interoperability between client and server by setting specific requirements on each, so that the server will always meet or exceed a client's requirements if they share a common profile
Short and simple compatibility advertisement/negotiation for all future versions of KMIP
– Potentially a 64-bit ID per profile supported by the server and client, to figure out which to apply
Allows vendors to build KMIP compliant servers that are specifically targeted at their own clients
– While it may be possible to use a given vendor's product to manage another vendor's product where there is overlap, these managers won't be customized to do that in most cases (think SNMP managers)
Allows third parties to more easily define KMIP profiles for interoperability purposes by having clearly defined guidelines for claiming compliance