Published by Clyde Bell. Modified over 9 years ago.
1
Locate By Value
Anthony Berglas
2
Basic Idea
To extend Locate so that it queries managed objects' values (KeyBlock) in the same way that it can now be used with Attribute Values.
3
Customer Requirements
To be able to locate a managed object given that only (part of) its Key Block is known
  – Its unique identifier is unknown
To be able to verify that a key is or is not already stored in a KMIP server
  – And thus enforce policy
To be able to identify cases where multiple managed objects have similar value
  – (This can be valid in some circumstances)
4
Examples
Locate all private keys with modulus = 1234…
Locate the symmetric key(s) with KeyMaterial = …
Locate any Split Keys with ObjectGroup = “Secure” and only two Splits
  – Combine selection criteria in the normal manner
Locate all the keys wrapped with UUID=…
  – Or Wrapping Cryptographic Algorithm = “SKIPJACK”
5
Locate by value
Just allow managed object value to be included in the body of a Locate operation
Normal semantics, namely to conjoin with any other clauses in the Locate
Seems a natural extension to Locate
Could specify directly or as pseudo attribute
  – Two alternative message formats
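The conjoining semantics and the duplicate-key policy check from the Customer Requirements slide, modelled as an added Python example (not part of the original slides and not a KMIP implementation). The `ManagedObject` class, the `locate` and `register_unique` helpers, and all sample UIDs, attribute names and key bytes are assumptions constructed for illustration.

```python
import hmac
from dataclasses import dataclass

@dataclass
class ManagedObject:
    uid: str
    attributes: dict
    key_material: bytes

# Constructed sample data; UIDs, attributes and key bytes are illustrative.
K1 = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
K2 = bytes.fromhex("f0e0d0c0b0a090807060504030201000")
STORE = [
    ManagedObject("uid-1", {"ObjectType": "SymmetricKey", "ObjectGroup": "Secure"}, K1),
    ManagedObject("uid-2", {"ObjectType": "SymmetricKey", "ObjectGroup": "Test"}, K1),
    ManagedObject("uid-3", {"ObjectType": "SymmetricKey", "ObjectGroup": "Secure"}, K2),
]

def locate(store, attributes=None, key_material=None):
    """Return UIDs of objects that satisfy every supplied clause (AND)."""
    hits = []
    for obj in store:
        attrs_ok = all(obj.attributes.get(name) == value
                       for name, value in (attributes or {}).items())
        # compare_digest runs in time independent of where the bytes differ,
        # so response timing does not reveal a partially correct guess.
        value_ok = (key_material is None
                    or hmac.compare_digest(obj.key_material, key_material))
        if attrs_ok and value_ok:
            hits.append(obj.uid)
    return hits

def register_unique(store, candidate):
    """Policy check: refuse a key whose material the store already holds."""
    duplicates = locate(store, key_material=candidate.key_material)
    if duplicates:
        raise ValueError(f"key material already stored as {duplicates}")
    store.append(candidate)
    return candidate.uid

if __name__ == "__main__":
    print(locate(STORE, key_material=K1))                     # value clause only
    print(locate(STORE, {"ObjectGroup": "Secure"}, K1))       # value AND attribute
```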
6
Example Direct Locate by value
…
<KeyMaterial type="ByteString" value="7367578051012a6d134a855e25c8cd5e4ca131455729d3c8"/>
7
Example Direct Locate by value ctd...
<UniqueIdentifier type="TextString" value="ABCDE-FHGIJ-KLMN"/>
8
Alternative – Value Attribute
…
<KeyMaterial type="ByteString" value="7367578051012a6d134a855e25c8cd5e4ca131455729d3c8"/>
9
Conclusion
A simple and natural extension to Locate
Should really have been there from the beginning