KMIP Server-to-server: use-cases and status

Slides:



Advertisements
Similar presentations
Chapter 10: Designing Databases
Advertisements

The CA MDB Revised May © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced.
ITIS 3110 Jason Watson. Replication methods o Primary/Backup o Master/Slave o Multi-master Load-balancing methods o DNS Round-Robin o Reverse Proxy.
Key Wrapping in KMIP Mark Joseph, P6R Inc 2/27/2015.
WCF RIA Services - Querying and Updating Data SILVERLIGHTSHOW.NET WEBINARS SERIES BRIAN NOYES, CHIEF ARCHITECT, IDESIGN INC 2 FEB 2011.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 7: Advanced File System Management.
Data Sharing in OSD Environment Dingshan He September 30, 2002.
Hands-On Microsoft Windows Server 2003 Networking Chapter 7 Windows Internet Naming Service.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 7: Advanced File System Management.
Inexpensive Scalable Information Access Many Internet applications need to access data for millions of concurrent users Relational DBMS technology cannot.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 7: Advanced File System Management.
Framework & Requirements for an Access Node Control Mechanism in Broadband Multi-Service Networks ANCP WG IETF 70 – Vancouver draft-ietf-ancp-framework-04.txt.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 7: Advanced File System Management.
Database Design – Lecture 16
Presenter: Dipesh Gautam.  Introduction  Why Data Grid?  High Level View  Design Considerations  Data Grid Services  Topology  Grids and Cloud.
© 2010 IBM Corporation 23 September 2015 KMIP Server-to-server: use-cases and status Marko Vukolic Robert Haas
KMIP - Hardware Security Modules Meta-Data-Only (MDO) Keys Saikat Saha & Denis Pochuev Feb 2012.
DNS Zones. DNS records kept in zones DNS server is authoritative for a domain if it hosts the zone for that domain Sub-domains can be kept in same zone.
© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice HP Library Encryption - LTO4 Key.
System Initialization 1)User starts application. 2)Client loads settings. 3)Client loads contact address book. 4)Client displays contact list. 5)Client.
Application code Registry 1 Alignment of R-GMA with developments in the Open Grid Services Architecture (OGSA) is advancing. The existing Servlets and.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network, Enhanced Chapter 11: Internet Authentication Service.
Title – NwHIN CAQH/CORE X12 support Discussion Date June
MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Five Managing Addresses.
Security and Privacy for the Smart Grid James Bryce Clark, OASIS Robert Griffin, RSA Hal Lockhart, Oracle.
Get Random Proposal John Leiseboer 11 October 2012.
1 Chapter 13: RADIUS in Remote Access Designs Designs That Include RADIUS Essential RADIUS Design Concepts Data Protection in RADIUS Designs RADIUS Design.
KMIP - Hardware Security Modules Meta-Data-Only (MDO) Keys Saikat Saha & Denis Pochuev Feb 2012.
Enterprise Computing with Jini Technology Mark Stang and Stephen Whinston Jan / Feb 2001, IT Pro presented by Alex Kotchnev.
©2009 HP Confidential1 Proposal to OASIS KMIP TC Stan Feather and Indra Fitzgerald Hewlett-Packard Co. 26 October, 2010 Encoding Options for Key Wrap of.
AFS/OSD Project R.Belloni, L.Giammarino, A.Maslennikov, G.Palumbo, H.Reuter, R.Toebbicke.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 6: Planning, Configuring, And Troubleshooting WINS.
1 Information Retrieval and Use De-normalisation and Distributed database systems Geoff Leese September 2008, revised October 2009.
DICOMwebTM 2015 Conference & Hands-on Workshop University of Pennsylvania, Philadelphia, PA September 10-11, 2015 DICOMweb Workflow API (UPS-RS) Jonathan.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 7: Advanced File System Management.
Jonathan Rosenberg dynamicsoft
Session-Independent Policies draft-ietf-sipping-session-indep-policy-02 Volker Hilt Jonathan Rosenberg Gonzalo.
Scaling Network Load Balancing Clusters
REPLICATION & LOAD BALANCING
Training Objectives About D2F Download Installation Configuration
OGF PGI – EDGI Security Use Case and Requirements
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 6: Planning, Configuring, And Troubleshooting WINS.
IMPLEMENTING NAME RESOLUTION USING DNS
Active Directory and Group Policy
Use cases for names and EPRs
EMV® 3-D Secure - High Level Overview
Understand Networking Services
DHCP Lease Query DHC Working Group Kim Kinnear Cisco Systems
Client-Server Interaction
Distributed Mobility Management (DMM) WG DMM Work Item: Forwarding Path & Signaling Management (FPSM) draft-ietf-dmm-fpc-cpdp-01.txt IETF93, Prague.
EECS 498 Introduction to Distributed Systems Fall 2017
Ashish Pandit, Louis Zelus, Jonathan Whitman
An Introduction to Computer Networking
Access Control in KMIPv1.1/v2
KMIP Entity Object and Client Registration
Systems Analysis and Design
Distributed Systems Bina Ramamurthy 11/30/2018 B.Ramamurthy.
Chapter 6 – Architectural Design
RKL Remote key loading.
RAID Redundant Array of Inexpensive (Independent) Disks
Bina Ramamurthy Chapter 9
Jonathan Rosenberg dynamicsoft
Bina Ramamurthy Chapter 9
Bina Ramamurthy Chapter 9
Distributed Systems Bina Ramamurthy 4/22/2019 B.Ramamurthy.
Introducing Citilabs’ Scenario Based Master Network Data Model
File System Management
Overview Multimedia: The Role of WINS in the Network Infrastructure
Enterprise Use Cases and A-Level Attestation
Presentation transcript:

KMIP Server-to-server: use-cases and status Marko Vukolic mvu@zurich.ibm.com, Robert Haas rha@zurich.ibm.com 13 November 2018 KMIP Server-to-server: use-cases and status

Server to server (s2s): Focal use cases Propagating key material closer to endpoints, e.g., Example 1 (retail store) A retail store operation with each store relying on encrypted storage Network connectivity with the central key management server (CKMS) not reliable Small subset of the keys needed to be served locally, but the management is at CKMS Keys at local key-management servers could be read-only, with pre-allocated usage or lease time The local server needs to communicate with the CKMS Example 2 (e-commerce websites) Multiple e-commerce websites centrally managed (CKMS) Some keys need to be pushed down from CKMS (readable locally), i.e., with CKMS exporting the keys Propagating key material updates towards the central key manager A large multinational bank needs the information about cryptographic material from Location B in central Location A (but not vice versa) Business-partner data exchange Propagation of keys between KMIP servers to facilitate business partner data exchange Partitioning A KMIP server needs to be partitioned into more servers KMIP server acting as the gateway/proxy A less capable KMIP server may need to proxy client’s request to the more capable KMIP server (e.g., to interact with a PKI) 13 November 2018

Server to server (s2s): Deferred and excluded use cases Deferred use cases: Replication (fault-tolerance) Exchange of different server policies and their enforcement M&A A company acquires another and cryptographic objects from different KMIP servers need to be merged Excluded use cases (to be handled via mechansims outside KMIP): Backup, Data Loss Prevention Load balancing/Delegation 13 November 2018

KMIP Implications of s2s: Summary Useful operations are optional (Notify, Put) KMIPv2: make Notify and Put mandatory for a s2s compliant KMIP server KMIPv2: More attributes are needed e.g., Master, Slaves Other issues (KMIPv2) UUID, Name collisions across different servers. Locate does not return an indication to the client whether there are more objects matching the query, nor the means to “resume” such a Locate (KMIPv2) Bulk export/import can be only partially emulated (using batched operations) support for “Get All Attributes” (fixed in KMIPv1.0) The behavior of Put when Replaced Unique Identifier ruuid is specified, but the object with ruuid does not exist on the remote end needs to be specified (fixed in KMIPv1.0) Notify does not support notification about deleted attributes (fixed in KMIPv1.0) Other issues (fixed in KMIPv1.0) Cannot Locate all Locate supports wildcards only for Name and Object group 13 November 2018

Next steps summary Write up detailed scenarios around focal use-cases Address server representation/registration (cf. client registration) “Entity” to represent servers as well, incl. contact info (IP address) to facilitate communication Define additional attributes Master/Slave Interact with AC (e.g., Slave permissions). Can a Slave perform read-only, or pre-allocated usage, or … Say something about UUID, Name collisions across servers Provide means to continue/resume a Locate 13 November 2018

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.