Client Registration Examples
Update 5/16/2011
Denis Pochuev
Summary of updates since last presentation
• Summary of the proposal
• Introducing Pending Registration
• Examples of Entity Attributes based on Credential
• Changed Entity Identifier from an enumeration to a new attribute
• Clarified relationship between Owner and Object sharing
• Future work: Authentication header that can accommodate 1-to-N mapping between Credential and Entities, and device authentication with a proxy
Summary of the proposal (what we’ve got so far)
• Entity and Credential Objects are used to reflect client identities and authenticate clients to the server
• Registration (implicit or explicit) creates the Entity and Credential Objects
• Clients can register themselves (self-registration) or other clients, using certificates or username/passwords
• The Authentication header includes the Credential Object to authenticate the client during a general request
Summary of the proposal (contd.)
Previously proposed registration types
• Implicit self-registration with cert
• Explicit self-registration with cert
• Explicit registration with cert
• Explicit registration with username/password
New: Pending registration
• Can be done with cert or username/password
• Can be self-registration or registration of another client
• Has to be explicit
Summary of the proposal (contd.)
Implicit self-registration with cert (+2 object creations)
KMIP Client -> KMIP Server: Create, with Authentication: Credential Type = Transport Certificate, Credential Value = <empty>
KMIP Server: authenticates the request, creates the Entity, creates the Object
KMIP Server -> KMIP Client: Entity UUID + Obj UUID
KMIP Client -> KMIP Server: Create
KMIP Server -> KMIP Client: Obj UUID

Explicit self-registration with cert (+1 object creation)
KMIP Client -> KMIP Server: Register, Object Type = Entity, Template-Attribute: Attribute Name “Credential”, Attribute Value: Credential Type = Transport Certificate, Credential Value = <empty>; with Authentication: Credential Type = Transport Certificate, Credential Value = <empty>
KMIP Server: authenticates the request, creates the Entity
KMIP Server -> KMIP Client: Entity UUID
KMIP Client -> KMIP Server: Create (“normal” Create operation)
KMIP Server -> KMIP Client: Obj UUID
Summary of the proposal (contd.)
Explicit registration with cert (+1 object creation)
KMIP Client (registering) -> KMIP Server: Register, Object Type = Entity, Template-Attribute: Attribute Name “Credential”, Attribute Value: Credential Type = Transport Certificate, Credential Value = Certificate (Certificate Type = X.509, Certificate Value = <cert>)
KMIP Server: authenticates the request, creates the Entity
KMIP Server -> KMIP Client (registering): Entity UUID
KMIP Client (registered) -> KMIP Server: Create, with Authentication: Credential Type = Transport Certificate, Credential Value = <empty>
KMIP Server -> KMIP Client (registered): Obj UUID
Summary of the proposal (contd.)
Explicit registration with username/password (+1 object creation)
KMIP Client (registering) -> KMIP Server: Register, Object Type = Entity, Template-Attribute: Attribute Name “Credential”, Attribute Value: Credential Type = Username and Password, Credential Value: Username = “user1”, Password = “password”
KMIP Server: authenticates the request, creates the Entity
KMIP Server -> KMIP Client (registering): Entity UUID
KMIP Client (registered) -> KMIP Server: Create, with Authentication: Credential Type = Username and Password, Credential Value: Username = “user1”, Password = “password”
KMIP Server -> KMIP Client (registered): Obj UUID
Pending Registration
KMIP Client -> KMIP Server: Register, Object Type = Entity, Asynchronous Indicator = True, Template-Attribute: Attribute Name “Credential”, Attribute Value: Credential Type = Transport Certificate, Credential Value = <empty>
KMIP Server: queues up the request
KMIP Server -> KMIP Client: Status = pending; ACV = 0353256
Server admin: authorizes requests (off-line)
KMIP Client -> KMIP Server: Poll; ACV = 0353256
KMIP Server -> KMIP Client: Obj UUID
• Asynchronous registration, uses the existing asynchronous request mechanism
• Provides a way for the server admin to authorize requests off-line
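As an added example (not from the deck and not SafeNet or KMIP TC code), here is the Register (Object Type = Entity) request from the registration slides encoded in KMIP's TTLV wire format, with the Asynchronous Indicator set as the pending variant requires, next to a toy server that queues the request, hands back a correlation value, refuses a synchronous Register (there is nobody on-line to approve it), and releases the Entity UUID only after an out-of-band admin authorization. The tag numbers are those of KMIP 1.0; the Entity object type and Transport Certificate credential type were proposals, so their enumeration values, the server class and its result dictionaries are assumptions, as is the reading of an <empty> Transport Certificate value as "the certificate on the TLS connection".

```python
import os
import struct

# KMIP TTLV: Tag (3 bytes), Type (1 byte), Length (4 bytes), Value padded to a multiple of 8
STRUCTURE, INTEGER, ENUMERATION, BOOLEAN, TEXT_STRING = 1, 2, 5, 6, 7
TAG = {  # KMIP 1.0 tag values for the items used below
    "Request Message": 0x420078, "Request Header": 0x420077, "Protocol Version": 0x420069,
    "Protocol Version Major": 0x42006A, "Protocol Version Minor": 0x42006B,
    "Authentication": 0x42000C, "Credential": 0x420023, "Credential Type": 0x420024,
    "Credential Value": 0x420025, "Asynchronous Indicator": 0x420007, "Batch Count": 0x42000D,
    "Batch Item": 0x42000F, "Operation": 0x42005C, "Request Payload": 0x420079,
    "Object Type": 0x420057, "Template-Attribute": 0x420091, "Attribute": 0x420008,
    "Attribute Name": 0x42000A, "Attribute Value": 0x42000B}
OP_REGISTER = 0x03
# ASSUMED: Entity object type and Transport Certificate credential type are proposals from
# the deck, not KMIP 1.x enumerations; extension-range values stand in for them here
OBJECT_TYPE_ENTITY = 0x80000001
CREDENTIAL_TYPE_TRANSPORT_CERTIFICATE = 0x80000001

ENCODE = {STRUCTURE: b"".join, INTEGER: lambda v: struct.pack(">I", v),
          ENUMERATION: lambda v: struct.pack(">I", v),
          BOOLEAN: lambda v: struct.pack(">Q", 1 if v else 0),
          TEXT_STRING: lambda v: v.encode("utf-8")}
DECODE = {INTEGER: lambda r: struct.unpack(">I", r)[0],
          ENUMERATION: lambda r: struct.unpack(">I", r)[0],
          BOOLEAN: lambda r: struct.unpack(">Q", r)[0] == 1,
          TEXT_STRING: lambda r: r.decode("utf-8")}

def ttlv(name, typ, value):
    """Encode one TTLV item; a Structure takes a list of already-encoded children."""
    payload = ENCODE[typ](value)
    head = struct.pack(">I", TAG[name])[1:] + bytes([typ]) + struct.pack(">I", len(payload))
    return head + payload + b"\x00" * ((-len(payload)) % 8)

def parse(buf):
    """Decode TTLV bytes into nested (tag, type, value) triples."""
    items, pos = [], 0
    while pos < len(buf):
        tag, typ = int.from_bytes(buf[pos:pos + 3], "big"), buf[pos + 3]
        length = struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        raw = buf[pos + 8:pos + 8 + length]
        items.append((tag, typ, parse(raw) if typ == STRUCTURE else DECODE.get(typ, bytes)(raw)))
        pos += 8 + length + (-length) % 8
    return items

def find(items, name):
    """Depth-first lookup of the first item carrying the named tag (None if absent)."""
    for tag, typ, value in items:
        if tag == TAG[name]:
            return value
        if typ == STRUCTURE:
            hit = find(value, name)
            if hit is not None:
                return hit
    return None

def register_entity_request(asynchronous=True):
    """Register (Object Type=Entity) carrying a Transport Certificate credential whose
    Credential Value is <empty>: the identity is the certificate on the TLS connection."""
    credential = [ttlv("Credential Type", ENUMERATION, CREDENTIAL_TYPE_TRANSPORT_CERTIFICATE),
                  ttlv("Credential Value", STRUCTURE, [])]
    header = ttlv("Request Header", STRUCTURE, [
        ttlv("Protocol Version", STRUCTURE, [ttlv("Protocol Version Major", INTEGER, 1),
                                             ttlv("Protocol Version Minor", INTEGER, 1)]),
        ttlv("Authentication", STRUCTURE, [ttlv("Credential", STRUCTURE, credential)]),
        ttlv("Asynchronous Indicator", BOOLEAN, asynchronous),
        ttlv("Batch Count", INTEGER, 1)])
    payload = ttlv("Request Payload", STRUCTURE, [
        ttlv("Object Type", ENUMERATION, OBJECT_TYPE_ENTITY),
        ttlv("Template-Attribute", STRUCTURE, [ttlv("Attribute", STRUCTURE, [
            ttlv("Attribute Name", TEXT_STRING, "Credential"),
            ttlv("Attribute Value", STRUCTURE, credential)])])])
    batch_item = ttlv("Batch Item", STRUCTURE, [ttlv("Operation", ENUMERATION, OP_REGISTER), payload])
    return ttlv("Request Message", STRUCTURE, [header, batch_item])

class PendingRegistrationServer:
    """Toy server: a Register(Entity) is queued until an admin authorizes it off-line."""
    def __init__(self):
        self.pending, self.approved = {}, {}

    def register(self, request):
        msg = parse(request)
        if find(msg, "Operation") != OP_REGISTER or find(msg, "Object Type") != OBJECT_TYPE_ENTITY:
            return {"Result Status": "Operation Failed", "Result Reason": "Invalid Field"}
        if not find(msg, "Asynchronous Indicator"):
            # approval happens off-line, so a synchronous Register cannot be honoured
            return {"Result Status": "Operation Failed", "Result Reason": "Permission Denied"}
        acv = os.urandom(8)  # Asynchronous Correlation Value, returned to the client
        self.pending[acv] = msg
        return {"Result Status": "Operation Pending", "Asynchronous Correlation Value": acv}

    def authorize(self, acv):
        """Admin action outside the protocol: release one queued registration."""
        self.approved[acv] = ("ENTITY-" + os.urandom(4).hex(), self.pending.pop(acv))

    def poll(self, acv):
        if acv in self.pending:
            return {"Result Status": "Operation Pending"}
        if acv in self.approved:
            return {"Result Status": "Success", "Unique Identifier": self.approved.pop(acv)[0]}
        return {"Result Status": "Operation Failed", "Result Reason": "Item Not Found"}
```

The client side of the slide is `register_entity_request()` followed by `poll(acv)` until the status changes; the correlation value is the only handle the client holds on the queued request, which is why a real server should make it unguessable (random, as here) rather than a counter like the 0353256 on the slide.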
Entity Attributes based on Credentials
Result of a registration is an Entity; by default it contains the Credential attribute
Register
  Object Type = Entity
  Template-Attribute
    Attribute
      Attribute Name: “Credential”
      Attribute Value:
        Credential Type: Transport Certificate
        Credential Value: <empty>
Entity
  UUID: ABCD-1234
  Attribute
    Attribute Name: “Credential”
    Attribute Value: …
Entity Attributes based on Credentials
…it may have other attributes in addition to Credential
Register
  Object Type = Entity
  Template-Attribute
    Attribute
      Attribute Name: “Credential”
      Attribute Value:
        Credential Type: Transport Certificate
        Credential Value: <empty>
Entity
  UUID: ABCD-1234
  Attribute
    Attribute Name: “Credential”
    Attribute Value: …
  Attribute
    Attribute Name: “Name”
    Attribute Value: user1
Entity Attributes based on Credentials (contd.)
Certificate Name: user1
Key Size: 2048
Start Date: Apr 20 18:30:41 2011 GMT
Expiration: Apr 17 18:30:41 2021 GMT
Issuer:
  C/ST/L: US/CA/RWC
  O: SafeNet-RWC
  OU: SafeNet
  CN: testCA
  emailAddress: [email protected]
Subject:
  C/ST/L: US/CA/RWC
  O: SafeNet-RWC
  OU: SafeNet
  CN: user1
  emailAddress: [email protected]
Entity
  UUID: ABCD-1234
  Attribute
    Attribute Name: “Credential”
    Attribute Value: …
  Attribute
    Attribute Name: “Organization”
    Attribute Value: SafeNet-RWC
  Attribute
    Attribute Name: “Name”
    Attribute Value: user1
• Entity registration may result in additional attributes being added to the Entity object
• The exact procedure for deriving the attributes from the Credential and/or certificate is at the server's discretion
Entity Identifier
Before:
• Part of Locate
• Entity Identifier, see 9.1.3.2.31
• An enumeration used by the client to locate Entities with special properties
  Locate
    Entity Identifier = Self
After:
• New attribute
  Locate
    Attribute
      Attribute Name = Entity Identifier
      Attribute Value = Self
Owner and Sharing
Owner is:
• An attribute that holds the Unique Identifier of the Entity object that owns the given object
• By default an Entity is allowed to operate only on the objects owned by it
• Can be overridden by server policy
Owner is not:
• At least in the current revision of the spec, a method to address object sharing
Optional Entity in Authentication Header
Current assumption: 1-to-1 mapping between Credential and Entity (only one Entity corresponds to a given Credential)
Adding attributes to the Entity registration and sending the Entity UUID in the Authentication header handles the 1-to-N case: several Entities (e.g. devices behind a proxy) can share one Credential, and the header names which of them the request is for
KMIP Client (registering) -> KMIP Server: Register, Object Type = Entity, Template-Attribute: Attribute Name “Credential”, Attribute Value: Credential Type = Transport Certificate, Credential Value = Certificate (Certificate Type = X.509, Certificate Value = <cert>); Attribute id = 0xb34a32b23a43093d; Attribute ip-addr = 10.10.10.10; Attribute mac-addr = 02:ba:d0:ca:fe:99
KMIP Server: authenticates the request, creates the Entity
KMIP Server -> KMIP Client (registering): Entity UUID
KMIP Client (registered) -> KMIP Server: Create, with Authentication: Credential Type = Transport Certificate, Credential Value = <empty>, Entity UUID = 0x172b45a435890c9078243589de2309458
KMIP Server -> KMIP Client (registered): Obj UUID
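Added example (not from the deck) covering two of the server-side points above: deriving Entity attributes such as Name and Organization from the subject of the client's certificate, which the slides leave to server discretion, and resolving the Entity when one Credential is bound to several Entities and the Authentication header names one of them. The derivation policy, the certificate dictionaries, the sample DNs and the store are constructed assumptions, not the proposal's data model. The check worth keeping is the last one: a claimed Entity UUID is honoured only if it is bound to the credential actually presented, since otherwise any holder of a shared credential could act as any Entity. Attributes are derived only from certificates chained to a trusted issuer, because an untrusted CA could otherwise put any CN or O in a subject.

```python
import hashlib
import re

# ASSUMED server policy: which subject DN attribute types become Entity attributes
DERIVATION_POLICY = {"CN": "Name", "O": "Organization"}

# Constructed sample certificates (subject/issuer as on the slides; "der" bytes are placeholders)
TEST_CA = "C=US,ST=CA,L=RWC,O=SafeNet-RWC,OU=SafeNet,CN=testCA"
USER1_CERT = {"subject": "C=US,ST=CA,L=RWC,O=SafeNet-RWC,OU=SafeNet,CN=user1",
              "issuer": TEST_CA, "der": b"constructed-der-user1"}
PROXY_CERT = {"subject": "O=Acme\\, Inc.,CN=proxy", "issuer": TEST_CA, "der": b"constructed-der-proxy"}
ROGUE_CERT = {"subject": "O=SafeNet-RWC,CN=user1", "issuer": "CN=rogueCA", "der": b"constructed-der-rogue"}

def parse_dn(dn):
    """Split an RFC 4514 DN string into (type, value) pairs; an escaped '\\,' inside a value is not a separator."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip(), value.strip().replace("\\,", ",")))
    return pairs

def derive_entity_attributes(cert, trusted_issuers):
    """Map subject DN components to Entity attributes, only for a certificate from a trusted issuer."""
    if cert["issuer"] not in trusted_issuers:
        raise PermissionError("certificate issuer not trusted: " + cert["issuer"])
    return {DERIVATION_POLICY[t]: v for t, v in parse_dn(cert["subject"]) if t in DERIVATION_POLICY}

def fingerprint(cert):
    """Stable handle for a Transport Certificate credential: SHA-256 over the DER encoding."""
    return hashlib.sha256(cert["der"]).hexdigest()

class EntityStore:
    """Entities keyed by the credential (certificate) they were registered with."""
    def __init__(self, trusted_issuers):
        self.trusted_issuers = trusted_issuers
        self.entities = {}        # entity uuid -> attributes
        self.by_credential = {}   # certificate fingerprint -> set of entity uuids
        self._next = 1

    def register(self, cert, extra_attributes=None):
        """Explicit registration: derived attributes plus whatever the registering client supplied."""
        attrs = derive_entity_attributes(cert, self.trusted_issuers)
        attrs.update(extra_attributes or {})
        attrs["Credential"] = {"Credential Type": "Transport Certificate", "Fingerprint": fingerprint(cert)}
        uuid = "ENTITY-%04d" % self._next
        self._next += 1
        self.entities[uuid] = attrs
        self.by_credential.setdefault(fingerprint(cert), set()).add(uuid)
        return uuid

    def resolve(self, cert, claimed_uuid=None):
        """Map an authenticated request to one Entity, or None if it cannot be done safely.
        1-to-1: the credential is bound to a single Entity and no UUID is needed.
        1-to-N: the Authentication header must name an Entity, and that Entity must be
        bound to this very credential; a UUID registered under another credential is refused."""
        bound = self.by_credential.get(fingerprint(cert), set())
        if claimed_uuid is None:
            return next(iter(bound)) if len(bound) == 1 else None
        return claimed_uuid if claimed_uuid in bound else None
```

`resolve()` returning None for an ambiguous or foreign UUID is the point where a server would fail the request with a permission error rather than fall back to "the first Entity for this credential"; the registering client's attributes (ip-addr, mac-addr, id on the slide) ride along as `extra_attributes` and are stored, not used for resolution.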