SKSML public review - comment - proposal to allow for different key payload containers and alignment with IETF PSKC

["Philip Hoyer" <philip.hoyer@actividentity.com>]

Ladies and Gentlemen,

 

Having been made aware of the SKSML work by Arshad Noor I wanted to comment on the current specification and make a proposal.

 

I am the author of the PSKC spec (http://www.ietf.org/internet-drafts/draft-ietf-keyprov-portable-symmetric-key-container-06.txt) which is part of the IETF ‘keyprov’ working group (http://www.ietf.org/html.charters/keyprov-charter.html) that has some overlap with the work done for SKSML

 

My main comment around SKSML is that it would be nice to be able to define the type of payload container (where the key resides) that is transported.

 

This has several advantages:

1. It decouples the protocol to obtain  the keys from the payload to transfer the keys
2. it allows for several different containers to be transported with the same protocol
3. It allows extensions to the payload to have a separate lifecycle to the protocol
4. It will allow profiling of payloads for key related meta-data not yet considered by the spec

 

One of the main reasons is that there could be alignment of the payload between SKSML and the work that has been done in IETF keyprov group.

 

Especially I would suggest you to consider the work that has been done on the PSKC spec which seems to satisfy most of the requirements in SKSML and already has many implementers.

 

The proposal could be to add one layer of abstraction in the SymKeyResponse element which indicates the type of key container being used:

 

Example 1 – using SKSML container

 

<ekmi:SymkeyResponse  xmlns:ekmi='http://docs.oasis-open.org/ekmi/2008/01'  xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>

<ekmi:SymkeyContainer type=” http://docs.oasis-open.org/ekmi/2008/01”>

<ekmi:SymkeyList>

<ekmi:Symkey>

 <ekmi:GlobalKeyID>10514-1-235</ekmi:GlobalKeyID>

<ekmi:KeyUsePolicy>

<ekmi:KeyUsePolicyID>10514-4</ekmi:KeyUsePolicyID>

……

 

Example 2 – using PSKC container

 

<ekmi:SymkeyResponse  xmlns:ekmi='http://docs.oasis-open.org/ekmi/2008/01'  xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>

<ekmi:SymkeyContainer type=”urn:ietf:params:xml:ns:keyprov:pskc:1.0”>

                        <KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">

    <Device>

        <DeviceInfo>

            <Manufacturer>aManufacturer</Manufacturer>

            <SerialNo>10514-1-235</SerialNo>

        </DeviceInfo>

        <Key KeyAlgorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"

        KeyId="10514-1-235">

            <Issuer>anIssuer</Issuer>

                                    …….

 

 

Looking forward to your feedback and please do not hesitate to contact me for further clarificatons,

 

Philip

 

________________________________

 

Philip Hoyer

 

Senior Architect - Office of CTO

 

ActivIdentity (UK)

117 Waterloo Road

London SE1 8UL

 

Telephone: +44 (0) 20 7960 0220

Fax: +44 (0) 20 7902 1985

 

Private and confidential: This message and any attachments may contain

privileged / confidential information. If you are not an intended recipient,

you must not copy, distribute, discuss or take any action in reliance on it.

If you have received this communication in error, please notify the sender

and delete this message immediately.