Presentation is loading. Please wait.

Presentation is loading. Please wait.

Proposal to Update KMIP State Model Addition of Suspended, Revoked and Shredded key states.

Published byCassandra Lucas Modified over 8 years ago

Similar presentations

Presentation on theme: "Proposal to Update KMIP State Model Addition of Suspended, Revoked and Shredded key states."— Presentation transcript:

1 Proposal to Update KMIP State Model Addition of Suspended, Revoked and Shredded key states

2 Notes on the State Model A device is not required to support the full state model Clients need to conform and honor a minimum of two states Active and destroyed or shredded Servers should support a full model to ensure interoperability Based on individual use cases it may be required to document which states a profile will make use of if the full model is not supported Not all objects stored in a KMIP server will make use of states and profiles should define at least three states (active and destroyed or shredded) State models should be defined in profiles if they do not require the entire model for support

3 17 18 Shredded 19 1415 16 Revoked 1 2 3 4 5 6 7 8 9 10 Pre-ActivationActiveDeactivatedDestroyed 1112 Suspended Compromised Destroyed Compromised Updated State Model 13 SP800-57 Part 1 New State

4 New State Definitions Suspended1 The use of a key may be suspended for a period of time. Individual modules may locally suspend the use of a key without reporting the suspension beyond the users of the module. A suspended key may be restored to an active state at a later time. A suspended key is suspended for all use unless re-activated. Eventually the suspended key is either activated or deactivated. Revoked1 A revoked key is permanently taken out of service and will eventually be de-activated. If the integrity or secrecy of the key is suspect, the compromised key may be revoked. Revoked keys are reported in a certificate revocation list or by some equivalent mechanism. Revoked keys are typically revoked for all use. A revoked key can only transition to the deactivated state. Destroyed The key is destroyed so that it cannot be recovered. Even though the key no longer exists in this state, certain key attributes (e.g., key identifier, type, transition times and cryptoperiod) are retained. Unique attributes that may still exist (e.g. Name) may be reused. Shredded A Shredded key is completely removed including all key attributes such that no remnants of the key exist except in logged information. This releases globally unique attributes (e.g., UUID back into a re-usable condition. 1 Definitions taken from or based in part on state model in NIST Draft SP800-130 dated June 15, 2010 (provided by Elaine Barker)

5 New Transitions and Descriptions TransitionStates From – ToDescription 1 11Active to Suspended An active key may transition to the suspended state if, for some reason, it is to be temporarily taken out of use. In this state the key is not used to protect or process data. 12Suspended to Active A suspended key may transition to an active key when the reason for the suspension no longer exists. 13Suspended to Deactivated A suspended key may also transition to the deactivated state if that key is no longer to be used to process data. All appropriate users should be notified that the key has been deactivated. 14Active to Revoked An active key may transition to the revoked state if it is determined that the key should no longer be used and all possible users should be notified of the revocation. This transition occurs with keys that are shared among entities. 15Revoked to Deactivated A revoked key may transition to the deactivated state. This transition may occur immediately upon revocation. 16Revoked to Compromised A revoked object may transition to the compromised state when the integrity or the confidentiality of a key requiring protection becomes suspect. 17Destroyed to Shredded A destroyed object may transition to the shredded state in order to remove any remaining attributes from the system. Information on the objects lifecycle and attributes may remain in logged form. 18Destroyed Compromised to Shredded A destroyed compromised object may transition to the shredded state in order to remove any remaining attributes from the system. Information on the objects lifecycle and attributes may remain in logged form. 19Pre-activated to Shredded A key that has never been used may transition from the pre-activation state directly to the shredded state. In this case, the integrity of a key or the confidentiality of a key requiring confidentiality protection is considered trustworthy, but it has been determined that the key will not be needed in the future. 1 Definitions wholly or based in part on state model in NIST Draft SP800-130 dated June 15, 2010 (provided by Elaine Barker)

6 9.1.3.2.18 State Enumeration Table (update) State NameValue Pre-Active00000001 Active00000002 Deactivated00000003 Compromised00000004 Destroyed00000005 Destroyed Compromised00000006 Suspended00000007 Revoked / Disabled00000008 Shredded00000009 Extensions8XXXXXXX (80000000 through FFFFFFFF)

7 To Be Done A State Definition Profile that expands on the existing NIST SP800-57 Part 1 (current release) document Existing states may need to be updated (e.g. Destroyed) Define all transitions (existing and new) Update specification with new enumerations Update profiles as required

Download ppt "Proposal to Update KMIP State Model Addition of Suspended, Revoked and Shredded key states."

Similar presentations

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Modifying Managed Objects Alan Frindell 3/29/2011.

Modifying Managed Objects Alan Frindell 3/29/2011.
Monday, 08 June 2015Dr. Mohamed Osman1 What is Database Administration A high level function (technical Function) that is responsible for ► physical DB.

Monday, 08 June 2015Dr. Mohamed Osman1 What is Database Administration A high level function (technical Function) that is responsible for ► physical DB.
Additional Budget Process/Salary Planner Information Central Unfunded Index (A06728) Can still be used during budget process -- but is only a temporary.

Additional Budget Process/Salary Planner Information Central Unfunded Index (A06728) Can still be used during budget process -- but is only a temporary.
Keys Chapter 8 Database Design for Mere Mortals. Why Keys Are Important They ensure that each record in a table can be properly identified. They help.

Keys Chapter 8 Database Design for Mere Mortals. Why Keys Are Important They ensure that each record in a table can be properly identified. They help.
Systems Analysis I Data Flow Diagrams

Systems Analysis I Data Flow Diagrams
Key Management Guidelines. 1. Introduction 2. Glossary of Terms and Acronyms 3. Cryptographic Algorithms, Keys and Other Keying Material 4. Key Management.

Key Management Guidelines. 1. Introduction 2. Glossary of Terms and Acronyms 3. Cryptographic Algorithms, Keys and Other Keying Material 4. Key Management.
© Copyright 2013 TONE SOFTWARE CORPORATION. Confidential and Proprietary. All rights reserved. ® Basic Administrator Training – Release 4.1.1 Adding Users.

© Copyright 2013 TONE SOFTWARE CORPORATION. Confidential and Proprietary. All rights reserved. ® Basic Administrator Training – Release Adding Users.
Key Management Lifecycle. Cryptographic key management encompasses the entire lifecycle of cryptographic keys and other keying material. Basic key management.

Key Management Lifecycle. Cryptographic key management encompasses the entire lifecycle of cryptographic keys and other keying material. Basic key management.
SMART Agency Tipsheet Staff List This document focuses on setting up and maintaining program staff. Total Pages: 14 Staff Profile Staff Address Staff Assignment.

SMART Agency Tipsheet Staff List This document focuses on setting up and maintaining program staff. Total Pages: 14 Staff Profile Staff Address Staff Assignment.
1 Transactions BUAD/American University Transactions.

1 Transactions BUAD/American University Transactions.
Digital Object Architecture

Digital Object Architecture
General Key Management Guidance. Key Management Policy  Governs the lifecycle for the keying material  Hope to minimize additional required documentation.

General Key Management Guidance. Key Management Policy  Governs the lifecycle for the keying material  Hope to minimize additional required documentation.
Group Kiran Thota, VMware Saikat Saha, Oracle. What is Group? Group can be defined as a logical collection or container of objects – Managed Objects –

Group Kiran Thota, VMware Saikat Saha, Oracle. What is Group? Group can be defined as a logical collection or container of objects – Managed Objects –
Module 7 Active Directory and Account Management.

Module 7 Active Directory and Account Management.
KMIP Profiles version 1.3 A Method to Define Operations Access Control and Interaction Between a Client and Server Presented by: Kiran Kumar Thota & Bob.

KMIP Profiles version 1.3 A Method to Define Operations Access Control and Interaction Between a Client and Server Presented by: Kiran Kumar Thota & Bob.
1 The Relational Database Model. 2 Learning Objectives Terminology of relational model. How tables are used to represent data. Connection between mathematical.

1 The Relational Database Model. 2 Learning Objectives Terminology of relational model. How tables are used to represent data. Connection between mathematical.
Lemonade Requirements for Server to Client Notifications draft-ietf-lemonade-server-to-client-notifications-00.txt S. H. Maes C. Wilson Lemonade Intermediate.

Lemonade Requirements for Server to Client Notifications draft-ietf-lemonade-server-to-client-notifications-00.txt S. H. Maes C. Wilson Lemonade Intermediate.
Revocation in MICS §4.4 May 11-13, 2009 Zürich, Switzerland.

Revocation in MICS §4.4 May 11-13, 2009 Zürich, Switzerland.
9/7/2012ISC329 Isabelle Bichindaritz1 The Relational Database Model.

9/7/2012ISC329 Isabelle Bichindaritz1 The Relational Database Model.

Similar presentations

Ads by Google