SafeNet Confidential and Proprietary KMIP Entity Object and Client Registration Alan Frindell...
-
Upload
oswin-lawson -
Category
Documents
-
view
215 -
download
0
description
Transcript of SafeNet Confidential and Proprietary KMIP Entity Object and Client Registration Alan Frindell...
© SafeNet Confidential and Proprietary
KMIP Entity Object and Client Registration
Alan FrindellContributors: Robert Haas, Indra FitzgeraldSafeNet, Inc11/17/2010
2
© SafeNet Confidential and Proprietary
What can you do with an entity?
• Require subjects passed in TLS and/or Credential to be registered entities
• Register or generate data that can be used during authentication, possibly to a third party system
• Restrict operations that create objects, including other entities
• Register Attributes that can be searched and retrieved• Possible policy relevant attributes like FIPS Level, hardware capabilities, server
to client operation support
• Register extended data that can be logged by the server• Supply connection details for Server to Client messages• Ask server to notify entity when one or more objects
change
3
© SafeNet Confidential and Proprietary
How are entities created?
Manually entered by server administrator
Imported from a third-party directory by a server administrator
Explicitly registered by a KMIP client with appropriate permissions
Some server implementations may require administrator approval before the entity is registered
May require asynchronous polling by clients to be effective
Implicitly registered by a KMIP client by sending a new Credential object in a request
4
© SafeNet Confidential and Proprietary
Credential Redefinition (original proposal)
Username and Password Credential Value still supported for backwards compatibility
Object Encoding REQUIREDCredential Structure
Credential Type Enumeration Yes
Authentication Information Type
Enumeration No
Credential Value Structure Yes
Object Encoding REQUIREDCredential Value Structure
Subject Value Varies according to Credential Type
Yes
Subject Authentication Information
Varies according to Authentication Information Type
No
5
© SafeNet Confidential and Proprietary
Credential Redefinition (new proposal)
Much cleaner
Username and Password Credential Value no longer supported
Object Encoding REQUIREDCredential Structure
Subject Type Enumeration Yes
Subject Value Varies according to Subject Type
No
Subject Authentication Information Type
Enumeration Yes
Subject Authentication Information Value
Varies according to SAI type
No
6
© SafeNet Confidential and Proprietary
Credential/Subject TypesCredential/Subject Type ValueUsername and Password (KMIP v1) 00000001
Username 00000002
Device 00000003
World Wide Name 00000004
Distinguished Name 00000005
SAML Subject 00000006
Open ID 00000007
Authentication Information Type ValuePassword 00000001
X.509 Certificate 00000002
Kerberos Ticket 00000003
Extensions 8XXXXXXX
7
© SafeNet Confidential and Proprietary
Entity Definition
Entity Attributes:UUID, Name, Object Type, Operation Policy, Initial Date, Destroy Date, App Specific Info, Contact Info, Last Change Date, Custom Attributes
New: Up for discussion: Archive Date, Object Group, Entity Operation Policy
Entity Operations:Register, Locate, Get, Get Attributes, Get Attributes List, Add Attribute, Modify Attribute, Delete Attribute, Destroy
Object Encoding REQUIREDEntity Structure
Credential Structure Yes, May be repeated
8
© SafeNet Confidential and Proprietary
New: Default Operation Policy for Entity Objects (for operations on the Entity object)
Operation Object Type PolicyLocate Entity Allowed to all
Get Entity Allowed to owner only
Get Attribute Entity Allowed to all
Get Attribute List Entity Allowed to all
Add/Mod/Del Attribute Entity Allowed to owner only
Destroy Entity Allowed to owner only
Operation Policy = what operations are allowed on the Entity
9
© SafeNet Confidential and Proprietary
Default Entity Operation Policy
Operation Object Type PolicyCreate Symmetric Key Allowed to all
Create Key Pair Public Key, Private Key Allowed to all
Register All, except Entity Allowed to all
Certify Public Key Allowed to all
Re-certify Certificate Allowed to all
Validate Certificate Allowed to all
Query N/A Allowed to all
Cancel N/A Allowed to all
Poll N/A Allowed to all
Entity Operation Policy = what operations the Entity is allowed to perform
10
© SafeNet Confidential and Proprietary
Entity / Creator Relationship
KMIP v1 loosely defines Creator as ‘identity of the client’ With Entity, it is possible to define Creator explicitly as:
The UUID of the Entity who created the object
The Subject of the Entity who create the objectIn this case, a given Entity will have access to different objects depending on how he authenticated
Creator of an Entity may be different than the Entity itself, which may be confusing
Can an Entity have more than one Credential/Subject of a given type?
Ex: More than one username?