[SOLVED] What is the difference between a Template and Template-Attribute Structure in KMIP?

What is the difference between a Template and Template-Attribute Structure in KMIP?

I'm currently learning and developing KMIP (Spec 1.0) using the open source library KMIP4J. I was looking through the use cases offered as examples in the spec sheet, and I am stuck trying to differentiate the use of a Template and a Template-Attribute Structure.

What is the difference between these two Use Cases? Both have the Cryptographic Algorithm and Cryptographic Length Attribute, but I don't understand the difference between them.

Use Case 3.1.4, which uses a Template.
Use Case 3.1.1, which uses a Template-Attribute Structure.

Solution

Within the KMIP Specification, there are two different types of objects: Managed Objects and Base Objects.

A Managed Object refers to:

Objects stored and maintained by a key management system [KMIP Spec, Section 1]

Examples of Managed Objects: Certificate, Symmetric Key, Public Key, Private Key, Template
A Base Object refers to:

Objects used within the messages of the protocol but not managed by the key management system. Base Objects are components of Managed Objects. [KMIP Spec, Section 2.1]

Examples of Base Objects: Attribute, Credential, Key Value, Template-Attribute Structure

A Template is a type of Managed Object.

A Template is the named Managed Object containing the client-settable attributes of a Managed Cryptographic Object (i.e., a stored, named list of attributes). Attributes specified in a Template apply to any object created that references the Template by name. [KMIP Spec, Section 2.2.6]
A Template-Attribute Structure is a type of Base Object.

Template-Attribute Structures are used in various operations to provide the desired attribute values and/or template names in the request and to return the actual attribute values in the response. [KMIP Spec, Section 2.1.8]

So, let's look at the use cases you've pointed to:

In Use Case 3.1.1:

The client sends a Create request, which contains the Object Type (Symmetric Key) and a Template-Attribute Structure containing the list of desired attribute values for that key:
- Cryptographic Algorithm
- Cryptographic Length
- Cryptographic Usage Mask.

In Use Case 3.1.4:

The client uses the Register operation to register a Template, containing a specific set of Attributes:
- Cryptographic Algorithm
- Cryptographic Length
- Name, referring to the name of the Template to create: Template1
The client sends a Create request, which, like before, contains the Object Type (Symmetric Key) and a Template-Attribute Structure. However, this time the Template-Attribute Structure contains:
- A reference to a Template named Template1, indicating that the operation should use the attributes specified by Template1 (which we know from step 1 are Cryptographic Algorithm and Cryptographic Length)
- Name, referring the name of the Key: key1
- Cryptographic Usage Mask

So the two operations essentially create the same Symmetric Key with the same attribute values, but the second case uses a pre-defined Template (and, trivially, adds a key name), while the first does not.

A side note:

The KMIP 1.0 Specification is fairly out of date at this point. KMIP 1.3 was released in December 2015. I mention this specifically because the Template Structure is deprecated as of 1.3.