KMIP Vendor Extension Management-v1.2

advertisement
KMIP Vendor Extension Management
• KMIP supports ‘extensions’ but provides no
mechanism for coordination of values
between clients and servers or between
vendors
– Items – starting with 0x54 rather than 0x42
– Enumerations – using 0x8XXXXXXX (except for
Masks which are different)
– Message Extension
1
Tim Hudson – tjh@cryptsoft.com
KMIP Vendor Extension Management
• A Vendor extension can be added as:
i.
Attribute with Name and simple Item Type
•
e.g. the x-AttributeName
ii. Attribute with Name and Structure containing
items of simple Item Type
iii. Re-purposing existing KMIP Object
•
e.g. Adding new enumeration into CREDENTIALS and
interpreting the value field differently
iv. Using Message Extension
2
Tim Hudson – tjh@cryptsoft.com
KMIP Vendor Extension Management
• Objectives
a) Client can determine if server supports a given
vendor extension
b) Server can display meaningful values for vendor
extensions
c) Extensions from multiple vendors should not
clash
i.e. Universal clients and universal servers should be
technically possible to produce.
3
Tim Hudson – tjh@cryptsoft.com
KMIP Vendor Extension Management
TTLV encoding provides a mechanism for
meaningful communication of structured
information. Vendor extensions should not
degenerate into (unmanageable) opaque blobs.
Different contexts of usage will require different
information to be passed between client and server.
Vendor extensions should not degenerate into
requiring point-to-point testing against each server.
4
Tim Hudson – tjh@cryptsoft.com
KMIP Vendor Extension Management
• Attributes are queried by Name but encoded
by Tag Value – the mapping needs to be
known
• Tag Values selected by Vendors need to not
clash
5
Tim Hudson – tjh@cryptsoft.com
KMIP Vendor Extension Management
• Solutions - Summary
1. Require registration of vendor extensions
2. Allow allocation of ranges for extensions to
vendors
3. Separate extension range into “private” and
“public” extensions
4. Extend QUERY operation to provide more server
behaviour details
5. Add new OPERATION to return ‘schema’
information
6
Tim Hudson – tjh@cryptsoft.com
KMIP Vendor Extension Management
• Solutions
1. Require registration of vendor extensions
•
•
•
•
Would prevent clashing usage of Tag Values
KMIP TC handles initial registry of values
Single registry or separate documents per vendor
Include in profile documents
2. Allow allocation of ranges for extensions to vendors
•
•
7
Would prevent clashing usage of Tag Values
Does not allow for interoperability – still requires vendorto-vendor coordination
Tim Hudson – tjh@cryptsoft.com
KMIP Vendor Extension Management
• Solutions
3. Separate extension range into “private” and “public”
extensions
•
Make it clear when extensions are not meant to be
interoperable
4. Extend QUERY operation to provide more server
behaviour details
•
•
•
Return list of supported vendor extensions
Return mapping from Name to Tag Value
Return implementation limits such as maximum length of bytearrays and text strings, maximum number of attribute instances
for multi-instance attributes, etc
Can be handled as additional QUERY_FUNCTION values and fits
within existing 1.0 handling.
8
Tim Hudson – tjh@cryptsoft.com
KMIP Vendor Extension Management
• Solutions
5. Add new OPERATION to return ‘schema’
information
•
•
•
9
Requires definition of what a ‘schema’ contains
Not a simple solution
Potential v2.0 or later item
Tim Hudson – tjh@cryptsoft.com
KMIP Vendor Extension Management
• Other items
6. Need to define what “uniquely identifies the
vendor” means
•
DNS name? URI?
Vendor Identification in QUERY response payload (SPEC 4.24, line 1419)
Vendor Identification in MESSAGE_EXTENSION payload (SPEC 6.16, line 1637)
7. Need to add new Use Cases
•
10
to match current or proposed vendor usage
Tim Hudson – tjh@cryptsoft.com
KMIP Vendor Extension Management
• Recommended Solution
– KMIP TC maintains registry of vendor extensions
– QUERY operation extended to support returning
list of extensions supported (including Tag Value
to Attribute Name mapping)
– Define Vendor Identification as a URI
– Add use cases to match current vendor usage
11
Tim Hudson – tjh@cryptsoft.com
Download