© SafeNet Confidential and Proprietary

KMIP Entity Object and Client Registration

Alan FrindellContributors: Robert Haas, Indra FitzgeraldSafeNet, Inc11/17/2010

2

© SafeNet Confidential and Proprietary

What can you do with an entity?

• Require subjects passed in TLS and/or Credential to be registered entities

• Register or generate data that can be used during authentication, possibly to a third party system

• Restrict operations that create objects, including other entities

• Register Attributes that can be searched and retrieved• Possible policy relevant attributes like FIPS Level, hardware capabilities, server

to client operation support

• Register extended data that can be logged by the server• Supply connection details for Server to Client messages• Ask server to notify entity when one or more objects

change

3

© SafeNet Confidential and Proprietary

How are entities created?

Manually entered by server administrator

Imported from a third-party directory by a server administrator

Explicitly registered by a KMIP client with appropriate permissions

Some server implementations may require administrator approval before the entity is registered

May require asynchronous polling by clients to be effective

Implicitly registered by a KMIP client by sending a new Credential object in a request

4

© SafeNet Confidential and Proprietary

Credential Redefinition (original proposal)

Username and Password Credential Value still supported for backwards compatibility

Object Encoding REQUIREDCredential Structure

Credential Type Enumeration Yes

Authentication Information Type

Enumeration No

Credential Value Structure Yes

Object Encoding REQUIREDCredential Value Structure

Subject Value Varies according to Credential Type

Yes

Subject Authentication Information

Varies according to Authentication Information Type

No

5

© SafeNet Confidential and Proprietary

Credential Redefinition (new proposal)

Much cleaner

Username and Password Credential Value no longer supported

Object Encoding REQUIREDCredential Structure

Subject Type Enumeration Yes

Subject Value Varies according to Subject Type

No

Subject Authentication Information Type

Enumeration Yes

Subject Authentication Information Value

Varies according to SAI type

No

6

© SafeNet Confidential and Proprietary

Credential/Subject TypesCredential/Subject Type ValueUsername and Password (KMIP v1) 00000001

Username 00000002

Device 00000003

World Wide Name 00000004

Distinguished Name 00000005

SAML Subject 00000006

Open ID 00000007

Authentication Information Type ValuePassword 00000001

X.509 Certificate 00000002

Kerberos Ticket 00000003

Extensions 8XXXXXXX

7

© SafeNet Confidential and Proprietary

Entity Definition

Entity Attributes:UUID, Name, Object Type, Operation Policy, Initial Date, Destroy Date, App Specific Info, Contact Info, Last Change Date, Custom Attributes

New: Up for discussion: Archive Date, Object Group, Entity Operation Policy

Entity Operations:Register, Locate, Get, Get Attributes, Get Attributes List, Add Attribute, Modify Attribute, Delete Attribute, Destroy

Object Encoding REQUIREDEntity Structure

Credential Structure Yes, May be repeated

8

© SafeNet Confidential and Proprietary

New: Default Operation Policy for Entity Objects (for operations on the Entity object)

Operation Object Type PolicyLocate Entity Allowed to all

Get Entity Allowed to owner only

Get Attribute Entity Allowed to all

Get Attribute List Entity Allowed to all

Add/Mod/Del Attribute Entity Allowed to owner only

Destroy Entity Allowed to owner only

Operation Policy = what operations are allowed on the Entity

9

© SafeNet Confidential and Proprietary

Default Entity Operation Policy

Operation Object Type PolicyCreate Symmetric Key Allowed to all

Create Key Pair Public Key, Private Key Allowed to all

Register All, except Entity Allowed to all

Certify Public Key Allowed to all

Re-certify Certificate Allowed to all

Validate Certificate Allowed to all

Query N/A Allowed to all

Cancel N/A Allowed to all

Poll N/A Allowed to all

Entity Operation Policy = what operations the Entity is allowed to perform

10

© SafeNet Confidential and Proprietary

Entity / Creator Relationship

KMIP v1 loosely defines Creator as ‘identity of the client’ With Entity, it is possible to define Creator explicitly as:

The UUID of the Entity who created the object

The Subject of the Entity who create the objectIn this case, a given Entity will have access to different objects depending on how he authenticated

Creator of an Entity may be different than the Entity itself, which may be confusing

Can an Entity have more than one Credential/Subject of a given type?

Ex: More than one username?