Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.thales-esecurity.com Common Identifiers Providing Globally Unique Identifiers for UUID and Application IDs of keys and other objects.

Published byLola Huckins Modified over 10 years ago

Similar presentations

Presentation on theme: "Www.thales-esecurity.com Common Identifiers Providing Globally Unique Identifiers for UUID and Application IDs of keys and other objects."— Presentation transcript:

1 www.thales-esecurity.com Common Identifiers Providing Globally Unique Identifiers for UUID and Application IDs of keys and other objects

2 2 UUID and Application ID Defined as Text Strings UUID is set by Server Application ID is set by Client If not set by client can be defined by server No definition for how they are formed No minimum No maximum No restrictions other than Text String Binary Coded HexHex? POSIX Characters? How do You Find Objects if They are not on Local Server? Which is easier to find? Waldo km://lookherefirst.org/0/Sol/3/Switzerland/Zurich/BobGsPlace/Waldo What if there is more than one Waldo? How many Bobs are there? How many

3 3 Globally Unique Common Identifier Formatting Existing Well Known Identifiers Domain Everyone has them - unique Internet name Customers can create sub-domains to suit their needs Establish a zone of KMS Administrative Authority (realm) Directory Able to separate conflicting key ID namespaces Customers can organize their key space to suit their needs Applications can build a hierarchy to meet requirements Hierarchies are a well understood concept (e.g. file trees) Current ID Formats Can be any value API can convert ID to the encoding required by the protocol

4 4 Defining a Common Format for Identifiers using Profiles Globally Unique Common Scheme (e.g. URI) km:// May want to define a full IETF URI scheme Using RFC 1034 and RFC 1035 Domain Naming Convention Traditional Domains: example.com Sub-domain Support: traders.bigbank.com and analyst.bigbank.com Object Type /0 = key, /1 = certificate, /2 = policy, /3 = group, /4 = ???, etc… Providing additional Separation using Directories /Sol/3/Switzerland/Zurich/BobGsPlace/ Starts with / ends with / Identifier Waldo Text, Hex, Binary, etc… All current naming schemes should be supportable under a common format Using Profiles Allows for more than One Naming Convention

5 5 Additional Considerations Setting Limits to Create Common Formats Size & Scope Minimum and maximum lengths Short and Long forms of an identifier Text representation (POSIX Characters, Hex Characters, etc…) km://example.com/0/group/dir2/dir3/01001001010010010010010001 km://domhash/0/0/1/2/3/4/5/6/0123456789ABCDEF km://analyst.bigbank.com/1/CertCommonName km://example.com/2/group1/AZ-az-09.POSIX-Character-Identifier-policy Backwards Compatibility Client should only be required to know Identifier while using symbolic links or search filters for externally stored keys (Todays identifiers can be mapped into a larger naming convention 0123 = km://example.org/0/0123 Using Symbolic Links or preferred domain search Still requires access control which is not part of the naming scheme but the identifier scheme can be used for access control though!

6 www.thales-esecurity.com KMIP Profiles Creating Requirements Guidelines for Creating Profiles

7 7 KMIP Profiles Purpose is to define what any implementation of the specification must adhere to in order to claim conformance Define the use of KMIP objects, attributes, operations, message elements and authentication methods within specific contexts of KMIP server and client interaction Define a set of normative constraints for employing KMIP within a particular environment or context of use Optionally, require the use of specific KMIP functionality or in other respects define the processing rules to be followed by profile actors (e.g. Server & Client) Defined OASIS Profiles Profiles are further qualified by an authentication suite TLS V1.0 / V1.1 / V1.2 or similar External Profile in development – (Not OASIS developed) INCITS T10 profile – Fibre Channel Security Protocol v2.0 (FCSP2)

8 8 Defining a Full Profile for Real World Use Server requirements (required) Includes all objects, operations and attributes that a client can access Defined down to all required components of those objects, operations and attributes Even if optional in KMIP specification, it can be required in a profile Definition of any extensions and how they are to be used Client requirements (optional) What are the bare minimum requirements for a Client to claim conformance e.g. Must support get of a symmetric key using unique identifier Can be a single statement Basically states that support of any operation, object and attributes that are supported by the server and you can be conformant Protocol requirements (recommended) Wire protocol KMIP messaging uses (e.g. SSL 3.0, TLS v1.2, FCSP, etc…) Authentication requirements (recommended) Certificates, user ID/password, mutual authentication, DH-CHAP, etc… Interoperability Requirements (recommended) How to prove conformance either as part of the profile or as a separate Test Case guide Use Cases (recommended) How objects, operations and attributes are to be used with message examples

Download ppt "Www.thales-esecurity.com Common Identifiers Providing Globally Unique Identifiers for UUID and Application IDs of keys and other objects."

Similar presentations

Yunling Wang VoIP Security COMS 4995 Nov 24, 2008 XCAP The Extensible Markup Language (XML) Configuration Access Protocol (XCAP)

Yunling Wang VoIP Security COMS 4995 Nov 24, 2008 XCAP The Extensible Markup Language (XML) Configuration Access Protocol (XCAP)
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
UDDI v3.0 (Universal Description, Discovery and Integration)

UDDI v3.0 (Universal Description, Discovery and Integration)
Building RESTful Interfaces

Building RESTful Interfaces
IPV6. Features of IPv6 New header format Large address space More efficient routing IPsec header support required Simple automatic configuration New protocol.

IPV6. Features of IPv6 New header format Large address space More efficient routing IPsec header support required Simple automatic configuration New protocol.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.

LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.
Chapter 4 Chapter 4: Planning the Active Directory and Security.

Chapter 4 Chapter 4: Planning the Active Directory and Security.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
14 May 2002© 2000-02 TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.

Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
(ITI310) SESSIONS 9-10-11-12: Active Directory By Eng. BASSEM ALSAID.

(ITI310) SESSIONS : Active Directory By Eng. BASSEM ALSAID.
BZUPAGES.COM An Introduction to. BZUPAGES.COM Introduction Large corporations today face the following problems Finding a certain file. Seeing everything.

BZUPAGES.COM An Introduction to. BZUPAGES.COM Introduction Large corporations today face the following problems Finding a certain file. Seeing everything.
Requirements for DSML 2.0. Summary RFC 2251 fidelity Represent existing directory protocols with new transport syntax Backwards compatibility with DSML.

Requirements for DSML 2.0. Summary RFC 2251 fidelity Represent existing directory protocols with new transport syntax Backwards compatibility with DSML.
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
ENUM? “ Telephone Number Mapping (ENUM or Enum, from TElephone NUmber Mapping) is a suite of protocols to unify the telephone numbering system E.164 with.

ENUM? “ Telephone Number Mapping (ENUM or Enum, from TElephone NUmber Mapping) is a suite of protocols to unify the telephone numbering system E.164 with.
XML Signature Prabath Siriwardena Director, Security Architecture.

XML Signature Prabath Siriwardena Director, Security Architecture.
GRID Centralized management of the Globus grid-mapfile Carlo Rocca INFN, Catania.

GRID Centralized management of the Globus grid-mapfile Carlo Rocca INFN, Catania.

Similar presentations

Ads by Google