1
Re-provision Credentials
John Leiseboer, Quintessence Labs; Chuck White, Fornetix
2
Agenda
Credential Scope
Credential States
Flow Chart
Sample KMIP
Other Questions
3
Credential Scope
Link Level Credentials
Passwords
Both passwords and link level credentials can expire. Scope can include temporary credentials for delegated authority.
4
Credential States and Re-provisioning Options: Expired Credential
Expired Credential - the credential associated with a client has expired.
Create a new credential to replace the old credential
  Pro – Keeps instructions simple: simply provision the credential.
  Con – What about managed objects? (Out of scope for KMIP?)
Allow for re-provisioning
  Pro – Keeps records on the current (expired) client current.
  Con – What controls who is allowed to re-provision from an expired credential? (Out of scope for KMIP?)
5
Credential States and Re-provisioning Options: Current Credential
Current Credential - the credential associated with a client has NOT expired.
Replace the old credential with a new credential
  Pro – Keeps instructions simple: simply provides a replacement credential to use in the next session.
  Con – Lack of flexibility in credential distribution.
Allow for active credentials to overlap
  Pro – Provides flexibility in credential distribution; parallels key rotation schemes in comms systems.
  Con – Non-repudiation: two credentials can represent the same client.
Questions: How many credentials are authorized? What date ranges are applicable? Can a new credential request another new credential?
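The overlap model and the three open questions on this slide, as an added example that is not part of the presentation: a small Python model of the server-side record for one client. The class names, the policy knobs (how many credentials may be active, how long the old one stays valid after re-provisioning, the lifetime of a new one, and whether a re-provisioned credential may itself re-provision) and all dates are assumptions constructed for illustration; setting the overlap to zero turns the model into the plain replace-the-old-credential option above, and re-provisioning from an expired credential is rejected, which is the conservative answer to the question left open on the previous slide.

```python
"""Toy model of the credential-overlap policy questions on slide 5.
Added example, not from the presentation: names, knobs and dates are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Credential:
    cred_id: str
    not_before: datetime
    not_after: datetime
    issued_by: Optional[str] = None   # id of the credential that requested this one
    revoked: bool = False

    def is_active(self, now: datetime) -> bool:
        return (not self.revoked) and self.not_before <= now < self.not_after


@dataclass
class ReprovisionPolicy:
    """The slide's open questions, expressed as knobs (assumed values)."""
    max_active: int = 2                       # how many credentials may be active at once
    overlap: timedelta = timedelta(days=7)    # how long the old credential stays valid
    lifetime: timedelta = timedelta(days=90)  # validity of a newly issued credential
    allow_chain: bool = False                 # may a re-provisioned credential re-provision?


class ClientRecord:
    """Server-side view of one KMIP client and the credentials tied to it."""

    def __init__(self, client_id: str, policy: ReprovisionPolicy) -> None:
        self.client_id = client_id
        self.policy = policy
        self.credentials: Dict[str, Credential] = {}
        self._counter = 0

    def add(self, cred: Credential) -> None:
        self.credentials[cred.cred_id] = cred

    def active(self, now: datetime) -> List[Credential]:
        return [c for c in self.credentials.values() if c.is_active(now)]

    def reprovision(self, presented_id: str, now: datetime) -> Credential:
        """Handle a Reprovision request authenticated with `presented_id`."""
        presented = self.credentials[presented_id]
        if not presented.is_active(now):
            raise PermissionError("presented credential is not active")
        if presented.issued_by is not None and not self.policy.allow_chain:
            raise PermissionError("re-provisioned credential may not re-provision again")
        if len(self.active(now)) >= self.policy.max_active:
            raise PermissionError("too many active credentials for this client")
        self._counter += 1
        new = Credential(f"{self.client_id}-cred{self._counter}", now,
                         now + self.policy.lifetime, issued_by=presented_id)
        self.add(new)
        # Overlap window: the old credential stays usable only until the window
        # closes (overlap=0 gives the pure replace-the-old-credential model).
        presented.not_after = min(presented.not_after, now + self.policy.overlap)
        return new


def demo() -> dict:
    """Walk one client through the overlap model; returns the values the test checks."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)   # constructed date
    client = ClientRecord("client-A", ReprovisionPolicy())
    client.add(Credential("client-A-cred0", t0 - timedelta(days=30), t0 + timedelta(days=60)))
    new = client.reprovision("client-A-cred0", t0)
    during_overlap = sorted(c.cred_id for c in client.active(t0 + timedelta(days=3)))
    after_overlap = sorted(c.cred_id for c in client.active(t0 + timedelta(days=8)))
    try:   # the original, now past its shortened not_after, must be refused
        client.reprovision("client-A-cred0", t0 + timedelta(days=8))
        expired_rejected = False
    except PermissionError:
        expired_rejected = True
    try:   # chained re-provisioning is off by default
        client.reprovision(new.cred_id, t0 + timedelta(days=8))
        chain_rejected = False
    except PermissionError:
        chain_rejected = True
    return {
        "new_id": new.cred_id,
        "old_not_after": client.credentials["client-A-cred0"].not_after.isoformat(),
        "during_overlap": during_overlap,
        "after_overlap": after_overlap,
        "expired_rejected": expired_rejected,
        "chain_rejected": chain_rejected,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The non-repudiation concern from the slide is visible in the output: during the overlap window two credentials are active for the same client, so an audit record must carry the credential id, not just the client id, to say which one was used.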
6
Flow Chart
The flow is consistent; the sub-steps for each function vary.
Evaluation varies based on the approach; the point of evaluation does not.
7
KMIP Reprovision Request (Default PKCS#12)
<RequestMessage>
  <RequestHeader>
    <ProtocolVersion>
      <ProtocolVersionMajor type="Integer" value="2"/>
      <ProtocolVersionMinor type="Integer" value="0"/>
    </ProtocolVersion>
    <BatchCount type="Integer" value="1"/>
  </RequestHeader>
  <BatchItem>
    <Operation type="Enumeration" value="Reprovision"/>
    <!-- Empty payload: the server issues the default PKCS#12 credential -->
    <RequestPayload/>
  </BatchItem>
</RequestMessage>
8
KMIP Reprovision Response
<ResponseMessage>
  <ResponseHeader>
    <ProtocolVersion>
      <ProtocolVersionMajor type="Integer" value="2"/>
      <ProtocolVersionMinor type="Integer" value="0"/>
    </ProtocolVersion>
    <BatchCount type="Integer" value="1"/>
  </ResponseHeader>
  <BatchItem>
    <Operation type="Enumeration" value="Reprovision"/>
    <ResponsePayload>
      <Credential>
        <CredentialType type="Enumeration" value="PKCS#12"/>
        <!-- PKCS#12 credential value not shown -->
        <CredentialValue/>
      </Credential>
    </ResponsePayload>
  </BatchItem>
</ResponseMessage>
9
KMIP Reprovision Request (Password)
<RequestMessage>
  <RequestHeader>
    <ProtocolVersion>
      <ProtocolVersionMajor type="Integer" value="2"/>
      <ProtocolVersionMinor type="Integer" value="0"/>
    </ProtocolVersion>
    <BatchCount type="Integer" value="1"/>
  </RequestHeader>
  <BatchItem>
    <Operation type="Enumeration" value="Reprovision"/>
    <RequestPayload>
      <Credential>
        <CredentialType type="Enumeration" value="Password"/>
        <CredentialValue>
          <Password type="TextString" value="PasswordOld"/>
          <NewPassword type="TextString" value="PasswordNew"/>
        </CredentialValue>
      </Credential>
    </RequestPayload>
  </BatchItem>
</RequestMessage>
10
KMIP Reprovision Response
<ResponseMessage>
  <ResponseHeader>
    <ProtocolVersion>
      <ProtocolVersionMajor type="Integer" value="2"/>
      <ProtocolVersionMinor type="Integer" value="0"/>
    </ProtocolVersion>
    <BatchCount type="Integer" value="1"/>
  </ResponseHeader>
  <BatchItem>
    <Operation type="Enumeration" value="Reprovision"/>
    <ResponsePayload>
      <Credential>
        <CredentialType type="Enumeration" value="PKCS#12"/>
        <!-- PKCS#12 credential value not shown -->
        <CredentialValue/>
      </Credential>
    </ResponsePayload>
  </BatchItem>
</ResponseMessage>
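The request and response messages on slides 7 to 10, as an added example that is not from the presentation or from any KMIP library: a Python builder for the two Reprovision request forms (empty payload for the default PKCS#12 credential, or a Password payload carrying the old and new password) and a checker that a client can run over the response before trusting it. Element names follow the slides; the helper names, the checks (root element, protocol version, BatchCount against the number of batch items, operation echo, presence of a Credential) and the sample response strings are assumptions constructed for illustration. The second sample deliberately closes a ResponseMessage with a RequestMessage end tag, the slip that appears on the original slides, to show that the checker refuses it.

```python
"""Build KMIP Reprovision requests and check responses in the slides' XML form.
Added example, not from the presentation: helper names and samples are assumed."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed sample: the PKCS#12 response from the slides, credential value elided.
GOOD_RESPONSE = (
    '<ResponseMessage><ResponseHeader><ProtocolVersion>'
    '<ProtocolVersionMajor type="Integer" value="2"/>'
    '<ProtocolVersionMinor type="Integer" value="0"/></ProtocolVersion>'
    '<BatchCount type="Integer" value="1"/></ResponseHeader>'
    '<BatchItem><Operation type="Enumeration" value="Reprovision"/>'
    '<ResponsePayload><Credential>'
    '<CredentialType type="Enumeration" value="PKCS#12"/>'
    '<CredentialValue/></Credential></ResponsePayload></BatchItem>'
    '</ResponseMessage>'
)
# Same message closed with the wrong root tag, as on the original slides.
BAD_RESPONSE = GOOD_RESPONSE.replace("</ResponseMessage>", "</RequestMessage>")


def _add(parent: ET.Element, tag: str, typ: Optional[str] = None,
         value: Optional[str] = None) -> ET.Element:
    """Append a KMIP XML element with optional type/value attributes."""
    el = ET.SubElement(parent, tag)
    if typ is not None:
        el.set("type", typ)
    if value is not None:
        el.set("value", value)
    return el


def build_reprovision_request(old_password: Optional[str] = None,
                              new_password: Optional[str] = None) -> str:
    """Empty payload (default PKCS#12) or a Password payload with old and new password."""
    root = ET.Element("RequestMessage")
    header = _add(root, "RequestHeader")
    version = _add(header, "ProtocolVersion")
    _add(version, "ProtocolVersionMajor", "Integer", "2")
    _add(version, "ProtocolVersionMinor", "Integer", "0")
    _add(header, "BatchCount", "Integer", "1")
    item = _add(root, "BatchItem")
    _add(item, "Operation", "Enumeration", "Reprovision")
    payload = _add(item, "RequestPayload")
    if old_password is not None:
        cred = _add(payload, "Credential")
        _add(cred, "CredentialType", "Enumeration", "Password")
        val = _add(cred, "CredentialValue")
        _add(val, "Password", "TextString", old_password)
        _add(val, "NewPassword", "TextString", new_password or "")
    return ET.tostring(root, encoding="unicode")


def is_well_formed(xml_text: str) -> bool:
    """True if the XML parses; mismatched open/close tags make this False."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def _protocol_version(root: ET.Element, header: str) -> tuple:
    return tuple(root.find(f"{header}/ProtocolVersion/{tag}").get("value")
                 for tag in ("ProtocolVersionMajor", "ProtocolVersionMinor"))


def check_reprovision_response(request_xml: str, response_xml: str) -> Dict[str, object]:
    """Check a response against the request it answers; raise ValueError on mismatch."""
    req = ET.fromstring(request_xml)
    try:
        resp = ET.fromstring(response_xml)
    except ET.ParseError as exc:
        raise ValueError(f"response is not well-formed XML: {exc}") from exc
    if resp.tag != "ResponseMessage":
        raise ValueError(f"unexpected root element <{resp.tag}>")
    if _protocol_version(req, "RequestHeader") != _protocol_version(resp, "ResponseHeader"):
        raise ValueError("protocol version in response differs from request")
    items = resp.findall("BatchItem")
    declared = int(resp.find("ResponseHeader/BatchCount").get("value"))
    if declared != len(items) or len(items) != len(req.findall("BatchItem")):
        raise ValueError("BatchCount does not match the number of batch items")
    req_op = req.find("BatchItem/Operation").get("value")
    resp_op = items[0].find("Operation").get("value")
    if resp_op != req_op:
        raise ValueError(f"response operation {resp_op!r} does not answer {req_op!r}")
    cred = items[0].find("ResponsePayload/Credential")
    if cred is None:
        raise ValueError("Reprovision response carries no Credential")
    value = cred.find("CredentialValue")
    has_value = value is not None and (len(value) > 0 or bool((value.text or "").strip()))
    return {"operation": resp_op,
            "credential_type": cred.find("CredentialType").get("value"),
            "has_credential_value": has_value}


if __name__ == "__main__":
    print(build_reprovision_request("PasswordOld", "PasswordNew"))
    print(check_reprovision_response(build_reprovision_request(), GOOD_RESPONSE))
    print("bad response well-formed?", is_well_formed(BAD_RESPONSE))
```

Because the password form carries the old and new password in clear TextString elements, the request is only as protected as the link it travels over; the checker therefore belongs on the client side of an authenticated, encrypted KMIP session, and a response with an empty CredentialValue (as on the slides) is reported rather than silently accepted as a new credential.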
11
Questions?
Are there limitations on the types of credentials that this should be applied to?
In a multi-active credential model, do we want to specify boundaries on timelines and the number of active credentials? Could this be covered with a Delegation Profile to match this behavior?
If a credential has expired, how does a client issue a Re-provision Request?
Is object ownership update/transfer in scope for KMIP? This is relevant if re-provisioning of expired credentials is accomplished by simply issuing new, replacement credentials.