Re-provision Credentials


1 Re-provision Credentials
John Leiseboer, Quintessence Labs
Chuck White, Fornetix

2 Agenda
- Credential Scope
- Credential States
- Flow Chart
- Sample KMIP
- Other Questions

3 Credential Scope
- Link Level Credentials
- Passwords
- Both passwords and link level credentials can demonstrate expiration
- Scope can include temporary credentials for delegated authority

4 Credential States and Re-provisioning Options: Expired Credential
Expired Credential - the credential associated with a client has expired
- Create a new credential to replace the old credential
  - Pro – keeps instructions simple: simply provision the credential
  - Con – what about managed objects owned by the old credential? (Out of scope for KMIP?)
- Allow for re-provisioning
  - Pro – keeps the records held on the current (expired) client current
  - Con – what controls who is allowed to re-provision from an expired credential? (Out of scope for KMIP?)

5 Credential States and Re-provisioning Options: Current Credential
Current Credential - the credential associated with a client has NOT expired
- Replace the old credential with a new credential
  - Pro – keeps instructions simple: simply provides a replacement credential to use in the next session
  - Con – lack of flexibility in credential distribution
- Allow active credentials to overlap
  - Pro – provides flexibility in credential distribution; parallels key rotation schemes in comms systems
  - Con – non-repudiation: two credentials can represent the same client
- Questions: how many credentials are authorized, what date ranges are applicable, and can a new credential request another new credential?

6 Flow Chart
- Flow is consistent
- Sub-steps for each function vary
- Evaluation varies based on approach; the point of evaluation does not

7 KMIP Reprovision Request (Default PKCS#12)
<RequestMessage>
  <RequestHeader>
    <ProtocolVersion>
      <ProtocolVersionMajor type="Integer" value="2"/>
      <ProtocolVersionMinor type="Integer" value="0"/>
    </ProtocolVersion>
    <BatchCount type="Integer" value="1"/>
  </RequestHeader>
  <BatchItem>
    <Operation type="Enumeration" value="Reprovision"/>
    <RequestPayload>
    </RequestPayload>
  </BatchItem>
</RequestMessage>

8 KMIP Reprovision Response
<ResponseMessage>
  <ResponseHeader>
    <ProtocolVersion>
      <ProtocolVersionMajor type="Integer" value="2"/>
      <ProtocolVersionMinor type="Integer" value="0"/>
    </ProtocolVersion>
    <BatchCount type="Integer" value="1"/>
  </ResponseHeader>
  <BatchItem>
    <Operation type="Enumeration" value="Reprovision"/>
    <ResponsePayload>
      <Credential>
        <CredentialType type="Enumeration" value="PKCS#12"/>
        <CredentialValue>
        </CredentialValue>
      </Credential>
    </ResponsePayload>
  </BatchItem>
</ResponseMessage>

9 KMIP Reprovision Request (Password)
<RequestMessage>
  <RequestHeader>
    <ProtocolVersion>
      <ProtocolVersionMajor type="Integer" value="2"/>
      <ProtocolVersionMinor type="Integer" value="0"/>
    </ProtocolVersion>
    <BatchCount type="Integer" value="1"/>
  </RequestHeader>
  <BatchItem>
    <Operation type="Enumeration" value="Reprovision"/>
    <RequestPayload>
      <Credential>
        <CredentialType type="Enumeration" value="Password"/>
        <CredentialValue>
          <Password type="TextString" value="PasswordOld"/>
          <NewPassword type="TextString" value="PasswordNew"/>
        </CredentialValue>
      </Credential>
    </RequestPayload>
  </BatchItem>
</RequestMessage>

10 KMIP Reprovision Response
<ResponseMessage>
  <ResponseHeader>
    <ProtocolVersion>
      <ProtocolVersionMajor type="Integer" value="2"/>
      <ProtocolVersionMinor type="Integer" value="0"/>
    </ProtocolVersion>
    <BatchCount type="Integer" value="1"/>
  </ResponseHeader>
  <BatchItem>
    <Operation type="Enumeration" value="Reprovision"/>
    <ResponsePayload>
      <Credential>
        <CredentialType type="Enumeration" value="PKCS#12"/>
        <CredentialValue>
        </CredentialValue>
      </Credential>
    </ResponsePayload>
  </BatchItem>
</ResponseMessage>
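An added example, not code from the presentation or from either vendor: it builds the Password-form Reprovision request from slide 9 with the element names shown above, parses it the way a server would (the empty-payload form from slide 7 yields no credential fields), and applies a credential-state policy for the expired, replace and overlap cases discussed on slides 4 and 5. The policy function and its rules (an expired credential cannot re-provision itself, overlap capped at max_active) are assumptions for illustration, not KMIP-specified behaviour.

```python
import xml.etree.ElementTree as ET

def build_password_reprovision(old_pw: str, new_pw: str) -> str:
    """Serialise the Password-form Reprovision request (slide 9 layout)."""
    req = ET.Element("RequestMessage")
    hdr = ET.SubElement(req, "RequestHeader")
    ver = ET.SubElement(hdr, "ProtocolVersion")
    ET.SubElement(ver, "ProtocolVersionMajor", type="Integer", value="2")
    ET.SubElement(ver, "ProtocolVersionMinor", type="Integer", value="0")
    ET.SubElement(hdr, "BatchCount", type="Integer", value="1")
    item = ET.SubElement(req, "BatchItem")
    ET.SubElement(item, "Operation", type="Enumeration", value="Reprovision")
    cred = ET.SubElement(ET.SubElement(item, "RequestPayload"), "Credential")
    ET.SubElement(cred, "CredentialType", type="Enumeration", value="Password")
    val = ET.SubElement(cred, "CredentialValue")
    ET.SubElement(val, "Password", type="TextString", value=old_pw)
    ET.SubElement(val, "NewPassword", type="TextString", value=new_pw)
    return ET.tostring(req, encoding="unicode")

def parse_reprovision(xml_text: str) -> dict:
    """Server-side view of a Reprovision request. Returns the credential
    fields; an empty RequestPayload (slide 7 form) yields all-None values."""
    root = ET.fromstring(xml_text)
    if root.tag != "RequestMessage":
        raise ValueError("not a KMIP RequestMessage")
    item = root.find("BatchItem")
    op = item.find("Operation") if item is not None else None
    if op is None or op.get("value") != "Reprovision":
        raise ValueError("expected a Reprovision batch item")
    def attr(path):
        el = item.find(path)
        return None if el is None else el.get("value")
    base = "RequestPayload/Credential/"
    return {"credential_type": attr(base + "CredentialType"),
            "password": attr(base + "CredentialValue/Password"),
            "new_password": attr(base + "CredentialValue/NewPassword")}

def decide_reprovision(expires_at: int, now: int, active_count: int,
                       allow_overlap: bool, max_active: int = 2) -> str:
    """Hypothetical policy (an assumption, not KMIP-specified) for the states
    on slides 4 and 5. Times are Unix seconds. An expired credential cannot
    authenticate a Reprovision of itself, so provisioning must happen elsewhere."""
    if now >= expires_at:
        return "reject-expired"
    if not allow_overlap:
        return "replace"            # new credential used from the next session
    if active_count >= max_active:  # bound the overlap window (slide 5 question)
        return "reject-too-many-active"
    return "overlap"                # old and new credentials both valid
```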

11 Questions?
- Are there limitations on the types of credentials that this should be applied to?
- In a multi-active credential model, do we want to specify boundaries on timelines and the number of active credentials? Could this be covered with a Delegation Profile that matches this behavior?
- If a credential has expired, how does a client issue a Re-provision Request?
- Is object ownership update/transfer in scope for KMIP? This is relevant if re-provisioning of expired credentials is accomplished by simply issuing new, replacement credentials.
