Meeting Minutes for February 28, 2019 (F2F Day Two) - oasis-tcs/kmip GitHub Wiki
Meeting Commenced at 9:01 AM PST
Roll Call (Tony C)
- Quorum achieved
Day Two Agenda Review (Tony C)
Motion to approve F2F Day Two Agenda
- Greg S moves, Tim H seconds. No objections, abstentions, or comments. Agenda approved.
Asynchronous
Process Async Requests (Anthony B)
Process Async Requests Proposal
- Anthony presented his proposal to the TC.
- This proposal specifies a new operation, Process, that will allow a client to ask the server to process a request now ("do it now").
- Gerry S asked what would happen if this was used in a multiple-step batch request.
- Anthony stated that you would not use this new operation in the middle of a batch request.
- Tim H pointed out that the correlation value is per item.
- It will depend upon the order of a batch.
- This Process operation would bring a specific request to the forefront. It will not overwrite any ordering in the batch.
Motion to proceed with the Process Async Requests proposal for KMIP 2.1
- Gerry S moves, Tim H seconds. No objections, abstentions, or comments. Motion approved.
Query Asynchronous Requests (Bruce R)
- Problem: We don't have a way to query outstanding Async requests, which is a function that a client is likely to need.
- Solution: Introduce a new Query Asynchronous Requests operation.
- Gerry S asked what the granularity of this operation is.
- While not formally scoped, it would be in the purview of the client to specify.
- Could be a delegated login context.
- Scope will be covered in the formal proposal.
- Sue G asked if creation date was required.
- It was added as useful information.
- Will look to see if this could be treated as optional content.
- Operation will only return outstanding Async requests. Completed requests would not be returned.
- Gerry S asked if there is a way for the client to query whether a request is still in process or is complete and awaiting a poll from the client.
- Async Status will be added to the proposal to address this.
- Tony C asked how this operation will work in a flow-control environment where you flip a client to a server.
- Bruce will look at this as part of the proposal.
Motion to proceed with the Query Asynchronous Requests proposal for KMIP 2.1
- Gerry S moves, Tim H seconds. No objections, abstentions, or comments. Motion approved.
Break
Multi-Master Asynchronous Replication (Anthony B)
- Problem: Async replication in a multi-master server configuration can generate conflicts where clients contact different masters and modify the same object, so conflict resolution happens after clients thought they were successful.
- An eventually synchronous replication model, followed by some server implementations, is a potentially dangerous design methodology for critical data like keys.
- Want to make users aware that uniqueness may not be properly implemented in all servers and that they should be aware of the conflict resolution approaches used by different server implementations.
- The KMIP consistency model and multi-master replication implementations can potentially conflict with one another.
- TC debated this proposal, with multiple members noting that server implementations are outside the scope of the KMIP protocol and that we should not be modifying the KMIP spec just because of bad server designs/implementations.
- Anthony will propose Usage Guide text that will be reviewed by the TC at a future date.
Key Rotation (Tim H)
- Tim walked through the presentation.
- Problem: There is no in-protocol way to automate Re-key, Re-key Key Pair and Re-certify.
- Solution: The proposal adds three new attributes (Renewal Interval, Renewal Automatic and Rotate Offset) to enable automation of these three operations. The Rotate Offset attribute will enable an activation date in the future.
- The proposal also includes three additional attributes (Rotate Date, Rotate Generation, Rotate Name) to help handle performance issues.
- A Rotate Current Boolean will indicate which is the latest key without having to use the name.
- If you retrieve a set of keys, Rotate Current gets you the latest in the set.
- Based on discussion, the name of Rotate Current will be changed to Rotate Latest.
- Bruce R asked if this created an asynchronous request that must be addressed in the other async proposals. Tim didn’t think so.
Motion to proceed with the Key Rotation proposal for KMIP 2.1
- Bruce R moves, Judy F seconds. No objections, abstentions, or comments. Motion approved.
This & That (aka Wheat vs Chaff) (Bruce R)
- Proposal covered one item to remove from the Spec and one to restore to the Spec.
- The item to remove was a text change: remove use of 'default' as a reserved text string for Object Group.
- In KMIP 2.0 we lost the distinction between server vendors owning the y attributes and client vendors owning the x attributes for custom attributes.
- TC agreed that we should not wait until KMIP 2.1 to fix these issues but instead go ahead and fix them now in the KMIP 2.0 Spec.
Motion to update the KMIP 2.0 Spec with the two changes specified in the This and That Proposal
- Gerry S moves, Tim H seconds. No objections, abstentions, or comments. Motion approved.
Usage Guide
TC continued work to complete the outstanding UG text from the KMIP 2.0 proposals that were started yesterday. Judy F will incorporate the new text in the next working draft of the KMIP 2.0 UG.
Attribute (Set and Adjust) (Anthony B)
- Content developed during meeting.
- During discussion another error in the KMIP 2.0 Spec was noticed: in section 11.45 of the KMIP 2.0 Spec, "attribute single value" should be changed to "attribute single instance". Tony C will make this change in the next KMIP 2.0 Spec update.
Full Async (Gerry S)
- Content developed during meeting.
- IoT Profile for Full Async will be brought forward by Gerry S for KMIP 2.1. This will be presented at a future TC meeting.
AWS Signature (Anthony B)
- TC decided that we didn’t need UG text for AWS Signature
Re-Encrypt (Tim H)
- Content developed during meeting
Default Crypto Parameters (Bruce R)
- Content developed during meeting
Additional Result Reasons (Tim H)
- Content developed during meeting
Lunch
Usage Guide Continued
Flow Control (Gerry S)
- Content developed during meeting
Interop Operation (Bruce R)
- Content developed during meeting.
- John L made the observation that the Interop Operation is in the baseline profile for servers, so it is required for conformance, but it is a function that should not be used in normal operation. Would a separate Interop operation baseline profile make sense? It was decided that this should be covered in the UG.
- Presently there is not a section in the Usage Guide to explain the purpose of profiles and what conformance to them means. This new section will be added to the KMIP 2.1 work item list.
PKCS#11 (Anthony B)
- TC decided that we didn’t need UG text for PKCS#11
KMIP 2.0 Spec Update Revisit (Tony C)
- Tony C presented most of the updates to the KMIP 2.0 Spec that were raised during this F2F meeting.
KMIP 2.1 Recap (Tony C)
- TC reviewed the list of proposals for KMIP 2.1 that was discussed during the F2F.
- Tony C asked all with actions to provide due dates for their proposals by the next TC meeting (see below). You may update the wiki directly or send the dates to the co-chairs, who can do the edits.
- TC briefly discussed the date by which we want to cut the scope for 2.1. Tony C will go through a scheduling exercise using the Interop at RSAC 2020 and working backward to determine an appropriate cut-off date for KMIP 2.1.
Next TC Meeting
- 14 March 2019
KMIP Webinar (Tony C)
- Co-Chairs have been asked by OASIS to present a Webinar on KMIP.
- Targeting this for early April 2019.
- Focus will be on all the new content in KMIP 2.0.
- We will share the slides with the TC at a future meeting.
- OASIS will be promoting the Webinar, but we also ask that all TC members promote the webinar via their channels. Details will be provided to the TC.
Key Management Domain Definition Revisited (Tony C)
- TC reviewed and refined the definition to one which all could agree on. Tony C will include this in the next KMIP 2.0 Spec update.
Motion to Adjourn
- Bruce R moves, Tim H seconds. No objections, abstentions, or comments. Meeting adjourned.
Meeting adjourned at 1:56 PM PST