KMIP v.Next PGP Support

KMIP v.Next PGP Support 1

KMIP v.Next PGP Support

Michael AllenSr. Technical Director, Symantec

Agenda

KMIP v.Next PGP Support 2

Trust Establishment1

Current KMIP Situation2

Proposed Enhancements2

Trust Establishment - Email

3KMIP v.Next PGP Support

Trust Establishment – External Directory


Where Are We Now


Note About Notation


How Do We Fit This Into That?


8

What’s Missing from KMIP?

2

• Each PGP key have multiple user IDs (usually email addresses, can be images as well)

• Searches for other PGP keys usually use these user IDs• KMIP has certificate identifier but doesn’t have the

right bits in that attribute• User IDs can be signed just as keys can be signed

Multiple User IDs1

• A PGP key consists of a unifying key and multiple purpose-specific sub keys

• Keys are tied together via signatures between each other

• KMIP doesn’t have a link notion between sets of public / private key pairs

Top Key / Sub Key Structures

3

• Anyone’s PGP key can sign another key• These signatures may play a role in arbitrary trust

calculations

Arbitrary Signature Sets4

• PGP-specific feature where the key ID of another PGP key rides along with one’s own PGP key

• Anything encrypted with one’s PGP key also gets encrypted to the ADK

• Searches for ADK occur via its key ID

Additional Decryption Key


PGP Certificate Type Re-Examined


Top Key and Sub Key Link Objects

10


Top Key and Sub Key Link Objects

11


New Link Types

12


Table 9.1.3.2.20: Link Type Enumeration

New PGP Key ID Attribute

13


Section 3.XX

New PGP User ID Attribute

14


Section 3.XX

New PGP ADK Attribute

15


Section 3.XX

New PGP Signature Attribute

16


Section 3.XX

Thank you!

17

Michael [email protected]

mailto:[email protected]

Documents

KMIP v.Next PGP Support