Clarifications to KMIP v1.1 for Asymmetric Crypto and Certificates J. Furlong 29 September 2010.


Topic 1: Cryptographic Length of Asymmetric Keys

Disposition:
- No change to KMIP Specification
- Add text to the KMIP Usage Guide to address the ‘fuzziness’ of asymmetric key lengths

For PublicKey and PrivateKey objects:
1) How do we represent the CryptographicLengths of these objects? The actual lengths of the cryptographic material may vary, depending on input parameters, but users thinking they have a 1024-bit key pair will be quite dismayed if our length calculator reports anything other than what was input to the generation process. This becomes more problematic for keys that arrive via Register, rather than CreateKeyPair. Would propose that the lengths should be what the keypair generator would require as input, rather than a mechanical evaluation of the key itself. This may require some "fuzzy logic" ... it's 1024-bitish ... the spec should clearly instruct the server implementers what to do and what the limits might be on their flexibility.

Topic 2: Signature Algorithms in Certificate Objects

Disposition:
- Need to add signature algorithm to KMIP Specification
- Open question as to how to represent the signature algorithm: as an enumerated attribute or as a composite attribute (like crypto parameters)

For Certificate objects:
1) Do all Certificates have a CryptographicAlgorithm? If so, what is it? None of the current algorithms seem to relate to the actual signature on the certificate. Would propose that the algorithm of the Certificate is the algorithm of the enclosed public key.

Topic 3: Certificate Length

Disposition:
- Need to add certificate length to the KMIP Specification
- Open question as to what value should be used as the certificate length: either the encoded length of the certificate or the length of the public key included in the certificate

2) Do all Certificates have a CryptographicLength? If so, what is it? I do not believe that the bitlength of the encoded certificate is very interesting... Would propose that the length of the Certificate is the length of the enclosed public key (as interpreted above).

Topic 4: ASN.1 to String Conversion

Disposition:
- Need to add guidance to KMIP Specification as to how to translate different name formats from ASN.1 to the string format used in KMIP
- Open question as to details of this guidance
- May also require changes to KMIP Usage Guide and KMIP Use Cases

3) The CertificateSubject is a structure with the distinguished name of the subject, along with alternate names. Both of these are simply listed as text strings, but no mechanism is suggested for producing these strings from the underlying ASN.1 in the certificate. We may luck out on producing the former, but the latter is the road less travelled, and may produce more mismatches. (Not to mention that one may lose some context in knowing what kind of alternate name this was, if I remember correctly. Simply rendering as a text string may lose the fact that this alternate name was the DNS Name, for example). Would propose that a TC member might take this one as a work item, if we are addressing only in 1.1. (And I suspect a production rule is really needed even for the dn.)

4) Similar comments regarding CertificateIssuer.
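All four topics come down to reading values out of the certificate's ASN.1 and deciding what KMIP should carry: Topics 1 to 3 need the enclosed public key's algorithm and a length that matches what the generator was asked for rather than a mechanical bit count, and Topic 4 needs production rules that turn a Name and a GeneralNames list into strings without losing the alternate-name type. The Python below is an added example, not code from the presentation, from OASIS or from any KMIP implementation. It uses a minimal stdlib-only DER reader over constructed sample structures (a hypothetical SubjectPublicKeyInfo whose RSA modulus happens to be 1023 bits long, a Name, and a subjectAltName GeneralNames value); the 64-bit rounding step for the nominal length and the type-prefix string form for alternate names are this example's own choices, not anything the KMIP TC decided.

```python
"""Deriving KMIP attributes from DER-encoded certificate pieces. Added example, not part
of the presentation or of any KMIP product; stdlib only; every sample below is constructed."""
import ipaddress

def der(tag, content):                      # tiny DER encoder, used only to build the samples
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return der(0x02, b"\x00" + b if b[0] & 0x80 else b)   # keep the INTEGER positive

def parse_tlv(data, pos=0):
    """Return (tag, content, next_pos) for the DER TLV that starts at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length >= 0x80:                      # long form: the next (length & 0x7F) octets hold it
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length

def children(content):                      # (tag, body) elements of a constructed value
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = parse_tlv(content, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

# Topics 1-3: a Certificate's algorithm and length come from the enclosed public key.
ALGORITHMS = {"1.2.840.113549.1.1.1": "RSA"}   # rsaEncryption; other OIDs would go here
NOMINAL_STEP = 64   # assumption: nominal asymmetric key sizes are multiples of 64 bits

def nominal_length(measured_bits):
    return -(-measured_bits // NOMINAL_STEP) * NOMINAL_STEP   # 1023 -> 1024, 2048 -> 2048

def spki_attributes(spki_der):
    """Attributes derived from a SubjectPublicKeyInfo (RSA keys only in this example)."""
    _, spki, _ = parse_tlv(spki_der)
    (_, alg_id), (_, bit_string) = children(spki)
    (_, oid_body), *_ = children(alg_id)
    _, rsa_key, _ = parse_tlv(bit_string[1:])            # skip the unused-bits octet
    (_, modulus), _ = children(rsa_key)
    measured = int.from_bytes(modulus, "big").bit_length()
    return {"CryptographicAlgorithm": ALGORITHMS[decode_oid(oid_body)],
            "MeasuredLength": measured, "CryptographicLength": nominal_length(measured)}

# Topic 4: production rules for the CertificateSubject / CertificateIssuer strings.
ATTR_TYPES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.6": "C"}
GENERAL_NAME_TYPES = {0x81: "email", 0x82: "DNS", 0x86: "URI", 0x87: "IP", 0xA4: "DirName"}

def escape_rdn_value(value):                # RFC 4514 escaping of DN-special characters
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    return "\\" + out if out[:1] in ("#", " ") else out

def name_to_string(name_der):
    """Render an X.501 Name as an RFC 4514 string (RDNs listed in reverse order)."""
    rdns = []
    for _, rdn in children(parse_tlv(name_der)[1]):       # each RDN is a SET
        parts = []
        for _, atv in children(rdn):                      # AttributeTypeAndValue SEQUENCE
            (_, oid_body), (_, value) = children(atv)
            oid = decode_oid(oid_body)
            parts.append(f"{ATTR_TYPES.get(oid, oid)}={escape_rdn_value(value.decode())}")
        rdns.append("+".join(parts))
    return ",".join(reversed(rdns))

def general_names_to_strings(gn_der):
    """Render GeneralNames with a type prefix, so 'DNS' versus 'email' is not lost."""
    out = []
    for tag, body in children(parse_tlv(gn_der)[1]):
        kind = GENERAL_NAME_TYPES.get(tag, f"otherName[{tag & 0x1F}]")
        if tag == 0x87:
            value = str(ipaddress.ip_address(body))       # 4 or 16 octets
        elif tag == 0xA4:
            value = name_to_string(body)                  # explicit tag wraps a whole Name
        else:                                             # IA5String forms, else raw bytes
            value = body.decode("ascii") if tag in GENERAL_NAME_TYPES else body.hex()
        out.append(f"{kind}:{value}")
    return out

# Constructed samples (hypothetical): a 1023-bit RSA modulus, a Name and a subjectAltName.
RSA_OID = bytes.fromhex("2a864886f70d010101")             # 1.2.840.113549.1.1.1
MODULUS = (1 << 1022) | 0x10001                            # odd 1023-bit stand-in for n
RSA_KEY = der(0x30, der_int(MODULUS) + der_int(65537))
SPKI = der(0x30, der(0x30, der(0x06, RSA_OID) + der(0x05, b"")) + der(0x03, b"\x00" + RSA_KEY))

def one_rdn(oid_hex, text):                                # one single-valued RDN
    return der(0x31, der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x0C, text.encode())))

NAME = der(0x30, one_rdn("550406", "US") + one_rdn("55040a", "Example, Inc.") + one_rdn("550403", "kmip.example.com"))
SAN = der(0x30, der(0x82, b"kmip.example.com") + der(0x81, b"admin@example.com")
          + der(0x87, bytes([192, 0, 2, 10])) + der(0xA4, NAME))
```

Calling `spki_attributes(SPKI)` gives `RSA`, a measured length of 1023 and a CryptographicLength of 1024, which is the case the first topic worries about: a mechanical `bit_length()` of the modulus disagrees with the 1024 a Register caller expects. `name_to_string(NAME)` yields `CN=kmip.example.com,O=Example\, Inc.,C=US` (note the escaped comma), and `general_names_to_strings(SAN)` keeps the name type in front of each value (`DNS:`, `email:`, `IP:`, `DirName:`), so a server and a client that both apply the rule produce matching strings. For a real certificate the same functions take the DER of the subject, issuer and subjectPublicKeyInfo fields of tbsCertificate and the decoded value of the subjectAltName extension.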