Proposal to Update KMIP State Model Addition of Suspended, Revoked and Shredded key states.

Slides:

Advertisements

Similar presentations

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,

Advertisements

Modifying Managed Objects Alan Frindell 3/29/2011.

Monday, 08 June 2015Dr. Mohamed Osman1 What is Database Administration A high level function (technical Function) that is responsible for ► physical DB.

Additional Budget Process/Salary Planner Information Central Unfunded Index (A06728) Can still be used during budget process -- but is only a temporary.

Keys Chapter 8 Database Design for Mere Mortals. Why Keys Are Important They ensure that each record in a table can be properly identified. They help.

Systems Analysis I Data Flow Diagrams

Key Management Guidelines. 1. Introduction 2. Glossary of Terms and Acronyms 3. Cryptographic Algorithms, Keys and Other Keying Material 4. Key Management.

© Copyright 2013 TONE SOFTWARE CORPORATION. Confidential and Proprietary. All rights reserved. ® Basic Administrator Training – Release Adding Users.

Key Management Lifecycle. Cryptographic key management encompasses the entire lifecycle of cryptographic keys and other keying material. Basic key management.

SMART Agency Tipsheet Staff List This document focuses on setting up and maintaining program staff. Total Pages: 14 Staff Profile Staff Address Staff Assignment.

1 Transactions BUAD/American University Transactions.

Digital Object Architecture

General Key Management Guidance. Key Management Policy  Governs the lifecycle for the keying material  Hope to minimize additional required documentation.

Group Kiran Thota, VMware Saikat Saha, Oracle. What is Group? Group can be defined as a logical collection or container of objects – Managed Objects –

Module 7 Active Directory and Account Management.

KMIP Profiles version 1.3 A Method to Define Operations Access Control and Interaction Between a Client and Server Presented by: Kiran Kumar Thota & Bob.

1 The Relational Database Model. 2 Learning Objectives Terminology of relational model. How tables are used to represent data. Connection between mathematical.

Lemonade Requirements for Server to Client Notifications draft-ietf-lemonade-server-to-client-notifications-00.txt S. H. Maes C. Wilson Lemonade Intermediate.

Revocation in MICS §4.4 May 11-13, 2009 Zürich, Switzerland.

9/7/2012ISC329 Isabelle Bichindaritz1 The Relational Database Model.

Insert Your Name Insert Your Title Insert Date Client Registration Open Issues Update 5/27/2011 Denis Pochuev (original proposal by Alan Frindell)

Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.

1 NIST Key State Models SP Part 1SP (Draft)

KMIP and NIST KMIP and NIST– what matches and what does not.

Staff Module and Summary of Changes 1. Icon Changes: Page 3 Signing In and Password/Pin Changes: Page 4 Logging Out: Page 8 Staff Module Changes: Page.

KMIP Compliance Redefining Server and Client requirements to claim compliance Presented by: Bob Lockhart.

Doc.: IEEE /106-Draft 1 Submission May 2000 Vic Hayes, Lucent TechnologiesSlide 1 Copyright, 1996 © Dale Carnegie & Associates, Inc. IEEE 's.

© SafeNet Confidential and Proprietary KMIP Entity Object and Client Registration Alan Frindell Contributors: Robert Haas, Indra Fitzgerald SafeNet, Inc.

Processes 2 Introduction to Operating Systems: Module 4.

Decentralized User Authentication in a Global File System CS294-4 Presentation Nikita Borisov October 6, 2003.

KMIP Compliance Redefining Server and Client requirements to claim compliance Presented by: Bob Lockhart.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI CSIRT Procedure for Compromised Certificates and Central Security Emergency.

HIPAA Training. What information is considered PHI (Protected Health Information)  Dates- Birthdays, Dates of Admission and Discharge, Date of Death.

Database System Implementation CSE 507

Key management issues in PGP

Administrating a Database

Timeline – Standards & Requirements

Issues need harmonization

Project Management: Messages

System Operator Certification Program

Chapter 14: Protection Modified by Dr. Neerja Mhaskar for CS 3SH3.

Chapter 14: System Protection

Service Point 5 ReportWriter

Energy Control (Lockout/Tagout)

Using E-Business Suite Attachments

Timeline - ATIS Involvement

(Winter 2017) Instructor: Craig Duckett

Software Quality Assurance Software Quality Factor

Service Point 5 ReportWriter

Business Risks of Insecure Networks

Timeline - ATIS Involvement

KMIP Client Registration Ideas for Discussion

The Relational Database Model

Draft ETSI TS Annex C Presented by Michał Tabor for PSD2 Workshop

Chapter 4 The Relational Model Pearson Education © 2009.

Access Control in KMIPv1.1/v2

KMIP Entity Object and Client Registration

Teaching slides Chapter 8.

Digital Certificates and X.509

Process Description and Control

KMIP and NIST KMIP and NIST– what matches and what does not

Chapter 14: Protection.

Greta Mameniskyte IV course 3rd group

HQ Expectations of DOE Site IRBs

Administrating a Database

Review of Week 3 Relation Transforming ERD into Relations

Coffee chat with child care

Dr Linda Cornwall STFC/RAL EGI OMB 27th September 2013

National Trust Platform

Presentation transcript:

Proposal to Update KMIP State Model Addition of Suspended, Revoked and Shredded key states

Notes on the State Model A device is not required to support the full state model Clients need to conform and honor a minimum of two states Active and destroyed or shredded Servers should support a full model to ensure interoperability Based on individual use cases it may be required to document which states a profile will make use of if the full model is not supported Not all objects stored in a KMIP server will make use of states and profiles should define at least three states (active and destroyed or shredded) State models should be defined in profiles if they do not require the entire model for support

17 18 Shredded Revoked Pre-ActivationActiveDeactivatedDestroyed 1112 Suspended Compromised Destroyed Compromised Updated State Model 13 SP Part 1 New State

New State Definitions Suspended1 The use of a key may be suspended for a period of time. Individual modules may locally suspend the use of a key without reporting the suspension beyond the users of the module. A suspended key may be restored to an active state at a later time. A suspended key is suspended for all use unless re-activated. Eventually the suspended key is either activated or deactivated. Revoked1 A revoked key is permanently taken out of service and will eventually be de-activated. If the integrity or secrecy of the key is suspect, the compromised key may be revoked. Revoked keys are reported in a certificate revocation list or by some equivalent mechanism. Revoked keys are typically revoked for all use. A revoked key can only transition to the deactivated state. Destroyed The key is destroyed so that it cannot be recovered. Even though the key no longer exists in this state, certain key attributes (e.g., key identifier, type, transition times and cryptoperiod) are retained. Unique attributes that may still exist (e.g. Name) may be reused. Shredded A Shredded key is completely removed including all key attributes such that no remnants of the key exist except in logged information. This releases globally unique attributes (e.g., UUID back into a re-usable condition. 1 Definitions taken from or based in part on state model in NIST Draft SP dated June 15, 2010 (provided by Elaine Barker)

New Transitions and Descriptions TransitionStates From – ToDescription 1 11Active to Suspended An active key may transition to the suspended state if, for some reason, it is to be temporarily taken out of use. In this state the key is not used to protect or process data. 12Suspended to Active A suspended key may transition to an active key when the reason for the suspension no longer exists. 13Suspended to Deactivated A suspended key may also transition to the deactivated state if that key is no longer to be used to process data. All appropriate users should be notified that the key has been deactivated. 14Active to Revoked An active key may transition to the revoked state if it is determined that the key should no longer be used and all possible users should be notified of the revocation. This transition occurs with keys that are shared among entities. 15Revoked to Deactivated A revoked key may transition to the deactivated state. This transition may occur immediately upon revocation. 16Revoked to Compromised A revoked object may transition to the compromised state when the integrity or the confidentiality of a key requiring protection becomes suspect. 17Destroyed to Shredded A destroyed object may transition to the shredded state in order to remove any remaining attributes from the system. Information on the objects lifecycle and attributes may remain in logged form. 18Destroyed Compromised to Shredded A destroyed compromised object may transition to the shredded state in order to remove any remaining attributes from the system. Information on the objects lifecycle and attributes may remain in logged form. 19Pre-activated to Shredded A key that has never been used may transition from the pre-activation state directly to the shredded state. In this case, the integrity of a key or the confidentiality of a key requiring confidentiality protection is considered trustworthy, but it has been determined that the key will not be needed in the future. 1 Definitions wholly or based in part on state model in NIST Draft SP dated June 15, 2010 (provided by Elaine Barker)

State Enumeration Table (update) State NameValue Pre-Active Active Deactivated Compromised Destroyed Destroyed Compromised Suspended Revoked / Disabled Shredded Extensions8XXXXXXX ( through FFFFFFFF)

To Be Done A State Definition Profile that expands on the existing NIST SP Part 1 (current release) document Existing states may need to be updated (e.g. Destroyed) Define all transitions (existing and new) Update specification with new enumerations Update profiles as required