KMIP Entity Object and Client Registration
Alan Frindell
Contributors: Robert Haas, Indra Fitzgerald
SafeNet, Inc
11/17/2010
What can you do with an entity?
• Require subjects passed in TLS and/or Credential to be registered entities
• Register or generate data that can be used during authentication, possibly to a third-party system
• Restrict operations that create objects, including other entities
• Register Attributes that can be searched and retrieved
  • Possible policy-relevant attributes like FIPS Level, hardware capabilities, server-to-client operation support
• Register extended data that can be logged by the server
• Supply connection details for Server-to-Client messages
• Ask the server to notify the entity when one or more objects change
How are entities created?
§ Manually entered by a server administrator
§ Imported from a third-party directory by a server administrator
§ Explicitly registered by a KMIP client with appropriate permissions
  § Some server implementations may require administrator approval before the entity is registered
  § May require asynchronous polling by clients to be effective
§ Implicitly registered by a KMIP client by sending a new Credential object in a request
Credential Redefinition (original proposal)

Object                             Encoding       REQUIRED
Credential                         Structure
  Credential Type                  Enumeration    Yes
  Authentication Information Type  Enumeration    No
  Credential Value                 Structure      Yes

Object                             Encoding                                              REQUIRED
Credential Value                   Structure
  Subject                          Varies according to Credential Type                   Yes
  Authentication Information       Varies according to Authentication Information Type  No

§ Username and Password Credential Value still supported for backwards compatibility
Credential Redefinition (new proposal)

Object                                      Encoding                             REQUIRED
Credential                                  Structure
  Subject Type                              Enumeration                          Yes
  Subject Value                             Varies according to Subject Type     No
  Subject Authentication Information Type   Enumeration                          Yes
  Subject Authentication Information Value  Varies according to SAI Type         No

§ Much cleaner
§ Username and Password Credential Value no longer supported
Credential/Subject Types

Credential/Subject Type           Value
Username and Password (KMIP v1)   00000001
Username                          00000002
Device                            00000003
World Wide Name                   00000004
Distinguished Name                00000005
SAML Subject                      00000006
OpenID                            00000007
Extensions                        8XXXXXXX

Authentication Information Type   Value
Password                          00000001
X.509 Certificate                 00000002
Kerberos Ticket                   00000003
Extensions                        8XXXXXXX
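The new-proposal Credential structure and the two enumeration tables above, as an added example of how the structure would be put on the wire in KMIP's TTLV encoding. This is not code from the slides or from any KMIP implementation. The TTLV item types and the Credential tag (0x420023) are the real KMIP 1.0 values; the four proposed fields have no assigned tags, so the tags used for them here are hypothetical values from the KMIP extension tag range, and the rule that both Type fields are required while both Value fields are optional follows the slide's REQUIRED column. The decoder is included so a server-side reader can be checked against the encoder.

```python
"""TTLV encoder/decoder for the proposed Entity Credential (added example)."""
import struct
from enum import IntEnum

# KMIP 1.0 TTLV item types.
TYPE_STRUCTURE = 0x01
TYPE_ENUMERATION = 0x05
TYPE_TEXT_STRING = 0x07
TYPE_BYTE_STRING = 0x08

TAG_CREDENTIAL = 0x420023    # real KMIP 1.0 tag for Credential
# Hypothetical tags for the proposal's fields, taken from the extension tag range.
TAG_SUBJECT_TYPE = 0x540001
TAG_SUBJECT_VALUE = 0x540002
TAG_SAI_TYPE = 0x540003      # Subject Authentication Information Type
TAG_SAI_VALUE = 0x540004     # Subject Authentication Information Value

class SubjectType(IntEnum):  # values from the Credential/Subject Types table
    USERNAME_AND_PASSWORD = 0x00000001  # KMIP v1 compatibility value
    USERNAME = 0x00000002
    DEVICE = 0x00000003
    WORLD_WIDE_NAME = 0x00000004
    DISTINGUISHED_NAME = 0x00000005
    SAML_SUBJECT = 0x00000006
    OPENID = 0x00000007

class AuthInfoType(IntEnum):  # values from the Authentication Information Types table
    PASSWORD = 0x00000001
    X509_CERTIFICATE = 0x00000002
    KERBEROS_TICKET = 0x00000003

EXTENSION_BASE = 0x80000000  # enumeration extensions occupy 8XXXXXXX

def valid_enum(value, known):
    """Accept a listed enumeration value or anything in the extension range."""
    return value in {int(v) for v in known} or EXTENSION_BASE <= value <= 0xFFFFFFFF

def ttlv(tag, typ, value):
    """One TTLV item: 3-byte tag, 1-byte type, 4-byte length, value padded to 8 bytes."""
    pad = b"\x00" * (-len(value) % 8)
    return struct.pack(">I", tag)[1:] + bytes([typ]) + struct.pack(">I", len(value)) + value + pad

def enum_item(tag, value):
    return ttlv(tag, TYPE_ENUMERATION, struct.pack(">I", int(value)))

def value_item(tag, value):
    """Values 'vary according to type': str is sent as TextString, bytes as ByteString."""
    if isinstance(value, str):
        return ttlv(tag, TYPE_TEXT_STRING, value.encode("utf-8"))
    return ttlv(tag, TYPE_BYTE_STRING, bytes(value))

def encode_credential(subject_type, sai_type, subject_value=None, sai_value=None):
    """Encode the new-proposal Credential: both Type enumerations are REQUIRED,
    both Values are optional, as in the slide's table."""
    if not valid_enum(int(subject_type), SubjectType):
        raise ValueError(f"unknown Subject Type {int(subject_type):#x}")
    if not valid_enum(int(sai_type), AuthInfoType):
        raise ValueError(f"unknown Subject Authentication Information Type {int(sai_type):#x}")
    items = [enum_item(TAG_SUBJECT_TYPE, subject_type)]
    if subject_value is not None:
        items.append(value_item(TAG_SUBJECT_VALUE, subject_value))
    items.append(enum_item(TAG_SAI_TYPE, sai_type))
    if sai_value is not None:
        items.append(value_item(TAG_SAI_VALUE, sai_value))
    return ttlv(TAG_CREDENTIAL, TYPE_STRUCTURE, b"".join(items))

def decode(buf):
    """Parse TTLV into a list of (tag, type, value); Structures decode recursively.
    Length fields are checked against the buffer so a short message cannot over-read."""
    items, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated TTLV header")
        tag = int.from_bytes(buf[pos:pos + 3], "big")
        typ = buf[pos + 3]
        length = int.from_bytes(buf[pos + 4:pos + 8], "big")
        raw = buf[pos + 8:pos + 8 + length]
        if len(raw) != length:
            raise ValueError("truncated TTLV value")
        if typ == TYPE_STRUCTURE:
            value = decode(raw)
        elif typ == TYPE_ENUMERATION:
            value = int.from_bytes(raw, "big")
        elif typ == TYPE_TEXT_STRING:
            value = raw.decode("utf-8")
        else:
            value = bytes(raw)
        items.append((tag, typ, value))
        pos += 8 + length + (-length % 8)
    return items

if __name__ == "__main__":
    # Constructed sample: a Username subject authenticated with a Password.
    cred = encode_credential(SubjectType.USERNAME, AuthInfoType.PASSWORD, "alice", "constructed-password")
    print(cred.hex())
    print(decode(cred))
```

Each Enumeration item is 16 bytes on the wire (8-byte header, 4-byte value, 4 bytes of padding), so a Credential carrying a Username and Password is 8 + 4 × 16 = 72 bytes when both strings fit in 8 bytes.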
Entity Definition

Object        Encoding     REQUIRED
Entity        Structure
  Credential  Structure    Yes, May be repeated

§ Entity Attributes:
  § UUID, Name, Object Type, Operation Policy, Initial Date, Destroy Date, App Specific Info, Contact Info, Last Change Date, Custom Attributes
  § New, up for discussion: Archive Date, Object Group, Entity Operation Policy
§ Entity Operations:
  § Register, Locate, Get Attributes, Get Attribute List, Add Attribute, Modify Attribute, Delete Attribute, Destroy
New: Default Operation Policy for Entity Objects (for operations on the Entity object)

Operation              Object Type   Policy
Locate                 Entity        Allowed to all
Get                    Entity        Allowed to owner only
Get Attributes         Entity        Allowed to all
Get Attribute List     Entity        Allowed to all
Add/Mod/Del Attribute  Entity        Allowed to owner only
Destroy                Entity        Allowed to owner only

Operation Policy = what operations are allowed on the Entity
Default Entity Operation Policy

Operation        Object Type              Policy
Create           Symmetric Key            Allowed to all
Create Key Pair  Public Key, Private Key  Allowed to all
Register         All, except Entity       Allowed to all
Certify          Public Key               Allowed to all
Re-certify       Certificate              Allowed to all
Validate         Certificate              Allowed to all
Query            N/A                      Allowed to all
Cancel           N/A                      Allowed to all
Poll             N/A                      Allowed to all

Entity Operation Policy = what operations the Entity is allowed to perform
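The two default policy tables (the Operation Policy on Entity objects, and the Entity Operation Policy saying what an Entity may do), as an added example of how a server could evaluate them for an incoming request. This is not code from the slides or from any KMIP server. Assumptions beyond the tables: an operation the Entity Operation Policy does not list is denied rather than allowed, the "Add/Mod/Del Attribute" row is expanded to the three named operations, and `authorize` consults the Entity Operation Policy first for the operations it lists and the object's own policy for everything else.

```python
"""Evaluator for the slides' two default policy tables (added example)."""
from dataclasses import dataclass

ALL, OWNER = "all", "owner"

# Default Operation Policy for Entity objects: who may perform each operation
# on a given Entity object.
ENTITY_OBJECT_POLICY = {
    "Locate": ALL,
    "Get": OWNER,
    "Get Attributes": ALL,
    "Get Attribute List": ALL,
    "Add Attribute": OWNER,
    "Modify Attribute": OWNER,
    "Delete Attribute": OWNER,
    "Destroy": OWNER,
}

# Default Entity Operation Policy: which operations an Entity may perform and on
# which object types. None marks the N/A rows (not object-specific); a set lists
# the permitted object types; EXCEPT_ENTITY is the "All, except Entity" row.
EXCEPT_ENTITY = "all except Entity"
ENTITY_OPERATION_POLICY = {
    "Create": {"Symmetric Key"},
    "Create Key Pair": {"Public Key", "Private Key"},
    "Register": EXCEPT_ENTITY,
    "Certify": {"Public Key"},
    "Re-certify": {"Certificate"},
    "Validate": {"Certificate"},
    "Query": None,
    "Cancel": None,
    "Poll": None,
}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def check_entity_operation_policy(operation, object_type=None):
    """May an Entity perform `operation` on `object_type` under the default
    Entity Operation Policy? Unlisted operations are denied (assumed default)."""
    if operation not in ENTITY_OPERATION_POLICY:
        return Decision(False, f"{operation} is not granted by the default Entity Operation Policy")
    scope = ENTITY_OPERATION_POLICY[operation]
    if scope is None:
        return Decision(True, f"{operation} allowed to all (not object-specific)")
    if scope == EXCEPT_ENTITY:
        if object_type == "Entity":
            return Decision(False, "Register of Entity objects is excluded by default")
        return Decision(True, f"Register of {object_type} allowed to all")
    if object_type in scope:
        return Decision(True, f"{operation} of {object_type} allowed to all")
    return Decision(False, f"{operation} is only allowed for {sorted(scope)}")

def check_entity_object_policy(operation, requester, owner):
    """May `requester` perform `operation` on an Entity object owned by `owner`
    under the default Operation Policy for Entity objects?"""
    rule = ENTITY_OBJECT_POLICY.get(operation)
    if rule is None:
        return Decision(False, f"{operation} is not defined on Entity objects")
    if rule == ALL:
        return Decision(True, f"{operation} on Entity allowed to all")
    if requester == owner:
        return Decision(True, f"{operation} on Entity allowed to owner")
    return Decision(False, f"{operation} on Entity allowed to owner only; {requester} is not {owner}")

def authorize(operation, requester, object_type, owner=None):
    """Combine the two tables for one request (assumed ordering): operations the
    Entity Operation Policy lists are decided by it; other operations targeting an
    Entity object are decided by that object's Operation Policy; anything else is
    outside the slides' tables and denied here."""
    if operation in ENTITY_OPERATION_POLICY:
        return check_entity_operation_policy(operation, object_type)
    if object_type == "Entity":
        return check_entity_object_policy(operation, requester, owner)
    return Decision(False, f"no default policy for {operation} on {object_type}")

if __name__ == "__main__":
    # Constructed sample requests from entity "client-a" against an Entity owned by "client-b".
    for op, obj in [("Locate", "Entity"), ("Get", "Entity"), ("Register", "Entity"),
                    ("Register", "Symmetric Key"), ("Create", "Certificate"), ("Query", None)]:
        print(op, obj, authorize(op, "client-a", obj, owner="client-b"))
```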
Entity / Creator Relationship
§ KMIP v1 loosely defines Creator as 'identity of the client'
§ With Entity, it is possible to define Creator explicitly as:
  § The UUID of the Entity who created the object
  § The Subject of the Entity who created the object
    § In this case, a given Entity will have access to different objects depending on how it authenticated
§ The Creator of an Entity may be different from the Entity itself, which may be confusing
§ Can an Entity have more than one Credential/Subject of a given type?
  § Ex: more than one username?