KMIP Compliance Redefining Server and Client requirements to claim compliance Presented by: Bob Lockhart.

Feel the Pain
The current standard does not require either the server or the client to support all aspects of either of the profiles defined
– Requires point-to-point interoperability testing
Each vendor must test with every other vendor
At some point we get to product-by-product testing between two vendors that have multiple products using KMIP, with no two products making use of the same set of operations, objects and attributes

Why fix it
Due to the limited number of vendors with products currently, the solution has been patched together so that interop went off fairly well at RSA
– It should be noted the man behind the curtain was still apparent to some folks
This does not scale in the long run
To make life easier for other parts of the specification we should address it now versus later
– Otherwise Capability Advertisement/Negotiation will have to include every object, operation, attribute and feature supported by every server and client

Solution
The major problem is that there are vendors that only want to build a solution that works for their devices
– Server with no full profile support
– Client with only a portion of a given profile
They are using KMIP, so they should be able to claim compliance

Two Servers, One Client
To solve this last dilemma, two server definitions and one client definition can be created and interoperability ensured
– Profile Compliant Server
– Profile Compliant Client
– Client Specific Server

KMIP Profile Compliant Server
A server that provides all required and optional objects, operations, messaging and attributes of a specific profile
– All objects
– All operations
– All optional attributes
– Extended attributes using a pre-defined mechanism (TBD as part of 2.0?)
– All defined wire protocols (TLS, SSL, IPSec, etc…)
– All defined methods of authentication
We need to keep it simple here and to one method if possible…

KMIP Profile Compliant Client
A client that supports one or more defined objects, operations and/or functions of a given profile for which compliance is claimed
– The profile can make all client functions optional so that only one has to be done to claim compliance, or it can define the minimum required support for a given profile
– In the case of a client, less is more
– Extensions will need to be well defined so that vendors with clients can use existing profiles and add the objects and attributes they need (TBD as part of 2.0?)
– Only one wire protocol must be supported
– Only one of the defined authentication mechanisms must be supported

KMIP Client Specific Server
A server that is built to support a specific set of clients
– A set can be one client or various clients belonging to a device type or a client vendor's product line
In order to claim KMIP compliance the clients it supports must be Profile Compliant Clients
– If the target client or clients do not support a defined profile then the server cannot claim KMIP compliance as a KMIP Client Specific Server
Extensions must be supported in a predefined manner (TBD as part of 2.0?)
– Again, since KMIP Profile Compliant Clients have to support extensions in a set way, any extensions used by the server to the client must also comply with extension definitions as per KMIP v2.0

Conclusion
A simplified interoperability specification
– Creates ensured interoperability between client and server by setting specific requirements on each, so that the server will always meet or exceed a client's requirements if they share a common profile
Short and simple compatibility advertisement/negotiation for all future versions of KMIP
– Potentially a 64-bit ID per profile supported by the server and client to figure out which to apply
Allows vendors to build KMIP compliant servers that are specifically targeted at their own clients
– While it may be possible to use a given vendor's product to manage another vendor's product where there is overlap, these managers won't be customized to do that in most cases (think SNMP managers)
Allows third parties to more easily define KMIP profiles for interoperability purposes by having clearly defined guidelines for claiming compliance
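As an added illustration that is not part of the slides and not KMIP's own specification, the Python model below encodes the three compliance classes from the "Two Servers, One Client" slides (Profile Compliant Server, Profile Compliant Client, Client Specific Server) and the per-profile ID negotiation sketched in the conclusion. The profile contents, the capability labels, the sample server and client capability sets, and the SHA-256-based derivation of a 64-bit profile ID are all constructed assumptions for this example; the slides only say such an ID is a possibility, and vendor extensions are left out because the slides mark them TBD for 2.0.

```python
"""Toy model of the proposed KMIP compliance classes (added example, not from the slides)."""
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Profile:
    """What a profile defines. A server must provide all of it; a client may use a subset."""
    name: str
    objects: frozenset
    operations: frozenset
    attributes: frozenset
    wire_protocols: frozenset
    auth_methods: frozenset
    # Minimum a client must implement to claim the profile; empty means
    # "any one defined item suffices" (the slides allow either reading).
    min_client_operations: frozenset = frozenset()


@dataclass(frozen=True)
class Capabilities:
    """What a server provides, or what a client requires."""
    objects: frozenset
    operations: frozenset
    attributes: frozenset
    wire_protocols: frozenset
    auth_methods: frozenset


def profile_id(profile: Profile) -> int:
    """Assumed derivation of the 64-bit per-profile ID floated in the conclusion:
    the first 8 bytes of SHA-256 over the profile name. Constructed, not KMIP's."""
    return int.from_bytes(hashlib.sha256(profile.name.encode()).digest()[:8], "big")


def is_profile_compliant_server(server: Capabilities, p: Profile) -> bool:
    """Profile Compliant Server: everything the profile defines, including
    every wire protocol and every authentication method."""
    return (p.objects <= server.objects and p.operations <= server.operations
            and p.attributes <= server.attributes
            and p.wire_protocols <= server.wire_protocols
            and p.auth_methods <= server.auth_methods)


def is_profile_compliant_client(client: Capabilities, p: Profile) -> bool:
    """Profile Compliant Client: a non-empty subset of the profile's objects,
    operations and attributes, any stated minimum, and at least one defined
    wire protocol and one defined authentication method."""
    within = (client.objects <= p.objects and client.operations <= p.operations
              and client.attributes <= p.attributes)
    non_empty = bool(client.objects or client.operations or client.attributes)
    meets_min = p.min_client_operations <= client.operations
    return (within and non_empty and meets_min
            and bool(client.wire_protocols & p.wire_protocols)
            and bool(client.auth_methods & p.auth_methods))


def meets_or_exceeds(server: Capabilities, client: Capabilities) -> bool:
    """The interoperability guarantee: every client requirement is covered by the server."""
    return (client.objects <= server.objects and client.operations <= server.operations
            and client.attributes <= server.attributes
            and bool(client.wire_protocols & server.wire_protocols)
            and bool(client.auth_methods & server.auth_methods))


def is_client_specific_server(server: Capabilities, clients: Iterable[Capabilities],
                              profiles: Iterable[Profile]) -> bool:
    """Client Specific Server: may claim compliance only if every targeted client is a
    Profile Compliant Client for some profile, and the server actually covers each one."""
    profiles = list(profiles)
    return all(any(is_profile_compliant_client(c, p) for p in profiles)
               and meets_or_exceeds(server, c) for c in clients)


def negotiate(server_ids: Iterable[int], client_ids: Iterable[int]) -> Optional[int]:
    """Pick a profile ID both sides advertise; None when they share no profile."""
    common = set(server_ids) & set(client_ids)
    return min(common) if common else None


# Constructed sample data; names are illustrative, not KMIP's official lists.
STORAGE_PROFILE = Profile(
    name="example-storage-profile",
    objects=frozenset({"SymmetricKey", "SecretData"}),
    operations=frozenset({"Create", "Get", "Register", "Destroy", "Locate"}),
    attributes=frozenset({"Name", "State", "Cryptographic Algorithm"}),
    wire_protocols=frozenset({"TLS", "SSL", "IPsec"}),
    auth_methods=frozenset({"TLS client certificate", "username/password"}),
    min_client_operations=frozenset({"Get"}),
)
FULL_SERVER = Capabilities(STORAGE_PROFILE.objects, STORAGE_PROFILE.operations | {"Rekey"},
                           STORAGE_PROFILE.attributes, STORAGE_PROFILE.wire_protocols,
                           STORAGE_PROFILE.auth_methods)
THIN_CLIENT = Capabilities(frozenset({"SymmetricKey"}), frozenset({"Get", "Locate"}),
                           frozenset({"Name"}), frozenset({"TLS"}),
                           frozenset({"TLS client certificate"}))
# Implements only what THIN_CLIENT needs: not a Profile Compliant Server,
# but a valid Client Specific Server for that client.
NARROW_SERVER = Capabilities(THIN_CLIENT.objects, THIN_CLIENT.operations, THIN_CLIENT.attributes,
                             THIN_CLIENT.wire_protocols, THIN_CLIENT.auth_methods)
# Requires an operation the profile does not define, so it cannot claim the profile.
OUT_OF_PROFILE_CLIENT = Capabilities(frozenset({"SymmetricKey"}), frozenset({"Get", "Rekey"}),
                                     frozenset({"Name"}), frozenset({"TLS"}),
                                     frozenset({"TLS client certificate"}))

if __name__ == "__main__":
    pid = profile_id(STORAGE_PROFILE)
    print("full server compliant:", is_profile_compliant_server(FULL_SERVER, STORAGE_PROFILE))
    print("thin client compliant:", is_profile_compliant_client(THIN_CLIENT, STORAGE_PROFILE))
    print("narrow server as client-specific:",
          is_client_specific_server(NARROW_SERVER, [THIN_CLIENT], [STORAGE_PROFILE]))
    print("negotiated profile:", negotiate([pid], [pid, 1]))
```

The key property the slides rely on falls out of the subset checks: whenever a server passes `is_profile_compliant_server` and a client passes `is_profile_compliant_client` for the same profile, `meets_or_exceeds(server, client)` is necessarily true, so a shared profile ID from `negotiate` is enough to guarantee interoperability without pairwise testing. The `NARROW_SERVER` case shows the other half of the proposal: a server may fall short of the full profile and still claim compliance as a Client Specific Server, but only while every client it targets stays inside a defined profile.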