Www.thales-esecurity.com Common Identifiers Providing Globally Unique Identifiers for UUID and Application IDs of keys and other objects.


2 UUID and Application ID
- Defined as Text Strings
  - UUID is set by Server
  - Application ID is set by Client; if not set by client, it can be defined by server
- No definition for how they are formed
  - No minimum, no maximum
  - No restrictions other than Text String: Binary Coded Hex? POSIX Characters?
- How do You Find Objects if They are not on Local Server? Which is easier to find?
  - Waldo
  - km://lookherefirst.org/0/Sol/3/Switzerland/Zurich/BobGsPlace/Waldo
  - What if there is more than one Waldo? How many Bobs are there? How many

3 Globally Unique Common Identifier
- Formatting Existing Well Known Identifiers
- Domain
  - Everyone has one: a unique Internet name
  - Customers can create sub-domains to suit their needs
  - Establishes a zone of KMS Administrative Authority (realm)
- Directory
  - Able to separate conflicting key ID namespaces
  - Customers can organize their key space to suit their needs
  - Applications can build a hierarchy to meet requirements
  - Hierarchies are a well understood concept (e.g. file trees)
- Current ID Formats
  - Can be any value
  - API can convert the ID to the encoding required by the protocol

4 Defining a Common Format for Identifiers using Profiles
- Globally Unique Common Scheme (e.g. URI): km://
  - May want to define a full IETF URI scheme
- Domain, using the RFC 1034 and RFC 1035 Domain Naming Convention
  - Traditional Domains: example.com
  - Sub-domain Support: traders.bigbank.com and analyst.bigbank.com
- Object Type: /0 = key, /1 = certificate, /2 = policy, /3 = group, /4 = ???, etc.
- Directories, providing additional Separation: /Sol/3/Switzerland/Zurich/BobGsPlace/
  - Starts with / and ends with /
- Identifier: Waldo
  - Text, Hex, Binary, etc.
- All current naming schemes should be supportable under a common format
- Using Profiles allows for more than one Naming Convention

5 Additional Considerations
- Setting Limits to Create Common Formats
  - Size & Scope: minimum and maximum lengths
  - Short and Long forms of an identifier
  - Text representation (POSIX Characters, Hex Characters, etc.)
  - Examples:
    km://example.com/0/group/dir2/dir3/
    km://domhash/0/0/1/2/3/4/5/6/ABCDEF
    km://analyst.bigbank.com/1/CertCommonName
    km://example.com/2/group1/AZ-az-09.POSIX-Character-Identifier-policy
- Backwards Compatibility
  - Client should only be required to know the Identifier while using symbolic links or search filters for externally stored keys (today's identifiers can be mapped into a larger naming convention: 0123 = km://example.org/0/0123)
  - Using Symbolic Links or preferred domain search
- Still requires access control, which is not part of the naming scheme; the identifier scheme can be used for access control, though!
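The km:// format sketched on slides 4 and 5 can be pinned down as a small parser and formatter that also covers the legacy-mapping and access-control points on slide 5. The following is an added example, not code from this deck, from Thales, or from the KMIP specification. It assumes RFC 1034/1035 label rules for the domain part, the object type codes listed on slide 4, that a path ending in "/" is a directory reference with no identifier, a POSIX-portable character set [A-Za-z0-9._-] for directory and identifier segments (modelled on the slide 5 policy example), a 1024-character maximum as the profile limit, and hex encoding as the conversion for legacy identifiers that fall outside that character set. The names KmId, KmIdError, parse_km_id, map_legacy_id and under_prefix are my own.

```python
"""Parser and formatter for the km:// identifier scheme proposed on slides 4-5.

Assumptions (mine, not the deck's): RFC 1034/1035 label rules, the slide-4 object
type codes, trailing '/' means a directory reference, the [A-Za-z0-9._-] segment
character set, a 1024-character maximum, hex encoding for out-of-set legacy IDs.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Object type codes as listed on slide 4; /4 and above are left undefined there.
OBJECT_TYPES = {0: "key", 1: "certificate", 2: "policy", 3: "group"}

# RFC 1035 label: letters, digits, hyphen; no leading/trailing hyphen; max 63 octets.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Segment character set: assumption modelled on the slide-5 example
# "AZ-az-09.POSIX-Character-Identifier-policy".
SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")
MAX_LEN = 1024  # assumed profile limit ("minimum and maximum lengths", slide 5)


class KmIdError(ValueError):
    """Raised for any identifier that does not fit the assumed km:// profile."""


@dataclass(frozen=True)
class KmId:
    domain: str                 # administrative realm (RFC 1034/1035 name)
    object_type: int            # /0 key, /1 certificate, /2 policy, /3 group
    directories: Tuple[str, ...]  # optional hierarchy between type and identifier
    identifier: Optional[str]   # None for a directory reference (trailing '/')

    def __str__(self) -> str:
        path = "/".join([str(self.object_type), *self.directories])
        tail = self.identifier if self.identifier is not None else ""
        return f"km://{self.domain}/{path}/{tail}"


def validate_domain(domain: str) -> str:
    """Check every label against the RFC 1035 rules and normalise case."""
    if len(domain) > 253:
        raise KmIdError("domain exceeds 253 octets")
    for label in domain.split("."):
        if not LABEL_RE.match(label):
            raise KmIdError(f"bad DNS label: {label!r}")
    return domain.lower()


def parse_km_id(text: str) -> KmId:
    """Split km://domain/type/dir/.../identifier into its parts, validating each."""
    if len(text) > MAX_LEN:
        raise KmIdError("identifier longer than profile maximum")
    if not text.startswith("km://"):
        raise KmIdError("scheme must be km://")
    domain, sep, path = text[len("km://"):].partition("/")
    if not sep:
        raise KmIdError("missing object type segment")
    domain = validate_domain(domain)
    segments = path.split("/")
    if len(segments) < 2 or not segments[0].isdigit():
        raise KmIdError("path must be /<type>/.../<identifier or empty>")
    object_type = int(segments[0])
    if object_type not in OBJECT_TYPES:
        raise KmIdError(f"unknown object type {object_type}")
    directories = tuple(segments[1:-1])
    for d in directories:
        if not SEGMENT_RE.match(d):
            raise KmIdError(f"bad directory segment {d!r}")
    identifier = segments[-1] or None  # empty last segment = directory reference
    if identifier is not None and not SEGMENT_RE.match(identifier):
        raise KmIdError(f"bad identifier {identifier!r}")
    return KmId(domain, object_type, directories, identifier)


def map_legacy_id(legacy: Union[str, bytes], domain: str, object_type: int = 0) -> KmId:
    """Wrap a bare legacy identifier, as in slide 5's 0123 -> km://example.org/0/0123.

    Binary or out-of-set text identifiers are hex encoded (slide 3: "API can convert
    ID to the encoding required by the protocol"); the hex choice is an assumption.
    """
    if isinstance(legacy, bytes):
        ident = legacy.hex()
    elif SEGMENT_RE.match(legacy):
        ident = legacy
    else:
        ident = legacy.encode("utf-8").hex()
    return KmId(validate_domain(domain), object_type, (), ident)


def under_prefix(kmid: KmId, prefix: KmId) -> bool:
    """True if kmid lies under the directory reference prefix: same realm, same
    object type, and prefix's directories lead kmid's. This is the kind of
    access-control check slide 5 says the identifier scheme can support."""
    if prefix.identifier is not None:
        raise KmIdError("prefix must be a directory reference (trailing '/')")
    n = len(prefix.directories)
    return (kmid.domain == prefix.domain
            and kmid.object_type == prefix.object_type
            and kmid.directories[:n] == prefix.directories)


if __name__ == "__main__":
    for example in ("km://example.com/0/group/dir2/dir3/",
                    "km://domhash/0/0/1/2/3/4/5/6/ABCDEF",
                    "km://analyst.bigbank.com/1/CertCommonName"):
        print(parse_km_id(example))
```

Because the parser lowercases the domain but leaves directory and identifier segments untouched, two identifiers that differ only in domain case compare equal in under_prefix while "Waldo" and "waldo" remain distinct objects; a real profile would have to state which parts are case-insensitive.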

KMIP Profiles: Creating Requirements
Guidelines for Creating Profiles

7 KMIP Profiles
- Purpose is to define what any implementation of the specification must adhere to in order to claim conformance
  - Define the use of KMIP objects, attributes, operations, message elements and authentication methods within specific contexts of KMIP server and client interaction
  - Define a set of normative constraints for employing KMIP within a particular environment or context of use
  - Optionally, require the use of specific KMIP functionality or in other respects define the processing rules to be followed by profile actors (e.g. Server & Client)
- Defined OASIS Profiles
  - Profiles are further qualified by an authentication suite: TLS V1.0 / V1.1 / V1.2 or similar
- External Profile in development (not OASIS developed)
  - INCITS T10 profile: Fibre Channel Security Protocol v2.0 (FCSP2)

8 Defining a Full Profile for Real World Use
- Server requirements (required)
  - Includes all objects, operations and attributes that a client can access
  - Defined down to all required components of those objects, operations and attributes
  - Even if optional in the KMIP specification, it can be required in a profile
  - Definition of any extensions and how they are to be used
- Client requirements (optional)
  - What are the bare minimum requirements for a Client to claim conformance, e.g. must support Get of a symmetric key using Unique Identifier
  - Can be a single statement: basically states that if you support any operation, object and attributes that are supported by the server, you can be conformant
- Protocol requirements (recommended)
  - Wire protocol KMIP messaging uses (e.g. SSL 3.0, TLS v1.2, FCSP, etc.)
- Authentication requirements (recommended)
  - Certificates, user ID/password, mutual authentication, DH-CHAP, etc.
- Interoperability Requirements (recommended)
  - How to prove conformance, either as part of the profile or as a separate Test Case guide
- Use Cases (recommended)
  - How objects, operations and attributes are to be used, with message examples