
Subject: OASIS Call for Participation: EKMI TC

To:  OASIS members & interested parties

   A new OASIS technical committee is being formed. The OASIS Enterprise Key
Management Infrastructure (EKMI) Technical Committee has been proposed by the
members of OASIS listed below. The proposal, below, meets the requirements of
the OASIS TC Process [a]. The TC name, statement of purpose, scope, list of
deliverables, audience, and language specified in the proposal will constitute
the TC's official charter. Submissions of technology for consideration by the
TC, and the beginning of technical discussions, may occur no sooner than the
TC's first meeting.

   This TC will operate under our 2005 IPR Policy [b]. The eligibility
requirements for becoming a participant in the TC at the first meeting (see
details below) are that:

   (a) you must be an employee of an OASIS member organization or an individual
member of OASIS;
   (b) the OASIS member must sign the OASIS membership agreement [c];
   (c) you must notify the TC chair of your intent to participate at least 15
days prior to the first meeting, which members may do by using the "Join this
TC" button on the TC's public page at [d]; and
   (d) you must attend the first meeting of the TC, at the time and date fixed

Of course, participants also may join the TC at a later time. OASIS and the TC
welcome all interested parties.

   Non-OASIS members who wish to participate may contact us about joining OASIS
[c]. In addition, the public may access the information resources maintained for
each TC: a mail list archive, document repository and public comments facility,
which will be linked from the TC's public home page at [d].

   Please feel free to forward this announcement to any other appropriate lists.
OASIS is an open standards organization; we encourage your feedback.



Mary P McRae
Manager of TC Administration, OASIS
email: mary.mcrae@oasis-open.org  
web: www.oasis-open.org 

[a] http://www.oasis-open.org/committees/process.php
[b] http://www.oasis-open.org/who/intellectualproperty.php  
[c] See http://www.oasis-open.org/join/ 
[d] http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ekmi

OASIS Enterprise Key Management Infrastructure (EKMI) TC


Statement of Purpose

Public Key Infrastructure (PKI) technology has been around for more than a
decade, and many companies have adopted it to solve specific problems in the
area of public-key cryptography.  Public-key cryptography has been embedded in
some of the most popular tools -- web clients and servers, VPN clients and
servers, mail user agents, office productivity tools and many industry-specific
applications -- and underlies many mission-critical environments today.
Additionally, there are many commercial and open-source implementations of PKI
software products available in the market today.  However, many companies across
the world have recognized that PKI by itself is not a solution.

There is also the perception that most standards in PKI have already been
established by ISO and the IETF PKIX working group, and that most companies are
in operations mode with their PKIs: just using them, and adapting them to other
business uses within their organizations. Consequently, there is not much left
to architect and design in the PKI community.

Simultaneously, there is new interest on the part of many companies in the
management of symmetric keys used for encrypting sensitive data in their
computing infrastructure. While symmetric keys have traditionally been managed
by the applications doing their own encryption and decryption, there is no
architecture or protocol that provides symmetric key management services
across applications, operating systems, databases, etc. There are many
industry standards for the life-cycle management of asymmetric (public/private)
keys -- PKCS #10, PKCS #7, CRMF, CMS, etc. -- but there is no standard that
describes how applications may request similar life-cycle services for
symmetric keys from a server, nor how public-key cryptography may be used to
provide such services.

Enterprises need to address key management in its entirety -- for both
symmetric and asymmetric keys.  While each type of technology will require
specific protocols, controls and management disciplines, there is enough
common ground to justify treating key management as a whole rather than in
parts.  Therefore, this TC will address the following:


A) The TC will create use-case(s) that describe how and where
    the protocols it intends to create, will be used;

B) The TC will define symmetric key management protocols,
    including those for:

1. Requesting a new or existing symmetric key from a server; 
2. Requesting policy information from a server related to caching of keys on the
3. Sending a symmetric key to a requestor, based on a request; 
4. Sending policy information to a requestor, based on a request; 
5. Other protocol pairs as deemed necessary.

C) To ensure cross-implementation interoperability, the TC will create a test
suite (as described under 'Deliverables' below) that will allow different
implementations of this protocol to be certified against the OASIS standard
(when ratified);

D) The TC will provide guidance on how a symmetric key-management infrastructure
may be secured using asymmetric keys, using secure and generally accepted

E) Where appropriate, and in conjunction with other standards organizations that
focus on disciplines outside the purview of OASIS, the TC will provide input on
how such enterprise key-management infrastructures may be managed, operated and

F) The TC may conduct other activities that educate users about, and promote,
securing sensitive data with appropriate cryptography, and the use of proper
key-management techniques and disciplines to ensure appropriate protection of
the infrastructure.
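To make items B.1 through B.4 and D concrete, the following is an added
example (written for this page; it is not SKSML, not StrongKey code, and not
any draft of the TC): one request/response pair in which a client asks a key
server for a new or existing symmetric key, the server authenticates the
request with the client's registered public key, and returns the key wrapped to
that public key together with a caching policy, with both messages signed. The
message field names, the choice of RSA-OAEP/RSASSA-PSS, the key-ID scheme, the
3600-second cache TTL and the "app-1" identifiers are all assumptions made for
the illustration.

```go
// Added illustration, not SKSML and not StrongKey code: field names, the RSA-OAEP/PSS choice and the "app-1" IDs are assumptions.
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

type KeyRequest struct{ ClientID, KeyID, KeyClass string } // client message (items B.1/B.2); empty KeyID asks for a new key
type KeyResponse struct {                                   // server message (items B.3/B.4)
	KeyID      string
	WrappedKey []byte // AES-256 key under RSA-OAEP(SHA-256) to the requester's public key
	CacheTTL   int    // seconds the client may keep the key in a local cache
}
type Envelope struct{ Body, Sig []byte } // JSON body plus RSASSA-PSS signature over SHA-256(body)

func sign(priv *rsa.PrivateKey, body []byte) (Envelope, error) {
	h := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
	return Envelope{Body: body, Sig: sig}, err
}

func verify(pub *rsa.PublicKey, env Envelope) error {
	h := sha256.Sum256(env.Body)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], env.Sig, nil)
}

type Server struct {
	priv    *rsa.PrivateKey           // server signing key
	clients map[string]*rsa.PublicKey // registered requesters (in practice taken from their certificates)
	keys    map[string][]byte         // key ID -> raw key; a real store sits in an HSM or is encrypted at rest
	ttl     int
}

func (s *Server) Handle(env Envelope) (Envelope, error) {
	var req KeyRequest
	if err := json.Unmarshal(env.Body, &req); err != nil {
		return Envelope{}, err
	}
	pub, ok := s.clients[req.ClientID]
	if !ok || verify(pub, env) != nil { // authenticate the requester before touching key material
		return Envelope{}, fmt.Errorf("request from %q rejected", req.ClientID)
	}
	keyID, k := req.KeyID, s.keys[req.KeyID]
	if keyID == "" { // B.1: new key; the server assigns the ID
		keyID, k = fmt.Sprintf("%s-%d", req.KeyClass, len(s.keys)+1), make([]byte, 32)
		if _, err := rand.Read(k); err != nil {
			return Envelope{}, err
		}
		s.keys[keyID] = k
	} else if k == nil {
		return Envelope{}, fmt.Errorf("no such key %q", keyID)
	}
	// The key leaves the server only wrapped to the requester; the key ID is bound in as the OAEP label.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, k, []byte(keyID))
	if err != nil {
		return Envelope{}, err
	}
	body, _ := json.Marshal(KeyResponse{KeyID: keyID, WrappedKey: wrapped, CacheTTL: s.ttl})
	return sign(s.priv, body) // B.3/B.4: signed so the client can tell it came from the server
}

// RequestKey is the client side: sign the request, check the server's signature, unwrap the key.
func RequestKey(srv *Server, srvPub *rsa.PublicKey, priv *rsa.PrivateKey, id, keyID, class string) (kr KeyResponse, key []byte, err error) {
	body, _ := json.Marshal(KeyRequest{ClientID: id, KeyID: keyID, KeyClass: class})
	env, err := sign(priv, body)
	if err != nil {
		return
	}
	resp, err := srv.Handle(env)
	if err != nil {
		return
	}
	if err = verify(srvPub, resp); err != nil { // trust B.3/B.4 only if the server signed them
		return
	}
	if err = json.Unmarshal(resp.Body, &kr); err != nil {
		return
	}
	key, err = rsa.DecryptOAEP(sha256.New(), nil, priv, kr.WrappedKey, []byte(kr.KeyID))
	return
}

// Demo: app-1 obtains a new key and re-fetches it by ID; a rogue party then signs a request as "app-1" with its own key.
func Demo() (sameKey bool, ttl int, rejected error) {
	gen := func() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
	srvKey, app1, rogue := gen(), gen(), gen()
	srv := &Server{priv: srvKey, clients: map[string]*rsa.PublicKey{"app-1": &app1.PublicKey}, keys: map[string][]byte{}, ttl: 3600}
	r1, first, _ := RequestKey(srv, &srvKey.PublicKey, app1, "app-1", "", "pan-db")
	_, again, _ := RequestKey(srv, &srvKey.PublicKey, app1, "app-1", r1.KeyID, "")
	_, _, rejected = RequestKey(srv, &srvKey.PublicKey, rogue, "app-1", r1.KeyID, "")
	return len(first) == 32 && string(first) == string(again), r1.CacheTTL, rejected
}

func main() { fmt.Println(Demo()) }
```

Two points a practitioner would check in a real deployment of this pattern: the
raw symmetric key must never be logged or returned unwrapped (here it exists
outside the server only after the client's RSA-OAEP decryption), and the server
must verify the request signature before it touches the key store, so that a
forged request costs it nothing but a failed verification.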

List of Deliverables

1. XML Schema Definitions (XSD) of the request and response protocols (by August
2007)
2. A Test Suite of conformance clauses and sample transmitted keys and
content that allows for clients and servers to be tested for conformance to the
defined protocol (by December 2007) 
3. Documentation that explains the communication protocol (by August 2007) 
4. Documentation that provides guidelines for how an EKMI may be built,
operated, secured and audited (by December 2007) 
5. Resources that promote enterprise-level key-management: white papers,
seminars, samples, and information for developer and public use. (beginning
August 2007, continuing at least through 2008)

Anticipated Audiences:

Any company or organization that has a need for managing cryptographic keys
across applications, databases, operating systems and devices, yet desires
centralized policy-driven management of all cryptographic keys in the
enterprise. Retail, health-care, government, education, finance - every industry
has a need to protect the confidentiality of sensitive data. The TC's
deliverables will provide an industry standard for protecting sensitive
information across these, and other, industries.

Security services vendors and integrators should be able to fulfill their use
cases with the TC's key management methodologies.

Members of the OASIS PKI TC should be very interested in this new TC, since the
goals of this TC potentially may fulfill some of the goals in the charter of the



IPR Policy:

Royalty Free on Limited Terms under the OASIS IPR Policy

Additional Non-normative information regarding the start-up of the TC:

a. Identification of similar or applicable work:

The proposers are unaware of any similar work being carried on in this exact
area. However, this TC intends to leverage the products of, and seek liaison
with, a number of other existing projects that may interoperate with or provide
functionality to the EKMI TC's planned outputs, including:

OASIS Web Services Security TC
OASIS Web Services Trust TC
W3C XML Signature and XML Encryption specifications and working group 
OASIS Digital Signature Services TC 
OASIS Public Key Infrastructure TC 
OASIS XACML TC (and other methods for providing granular access-control
permissions that may be consumed or enforced by symmetric key management)

b.  Anticipated contributions:

StrongAuth, Inc. anticipates providing a draft proposal for the EKMI protocol,
at the inception of the TC. The current draft can be viewed at:

and a working implementation of this protocol is available at:
http://sourceforge.net/projects/strongkey for interested parties.

c. Proposed working title and acronym for specification:

Symmetric Key Services Markup Language (SKSML), subject to TC's approval or

d.  Date, time, and location of the first meeting:

First meeting will be by teleconference at:
Date:  January 16, 2007
Time:  10 AM PST / 1 PM EST
Call in details: to be posted to TC list 
StrongAuth has agreed to host this meeting.

e. Projected meeting schedule:

Subject to TC's approval, we anticipate monthly telephone meetings for the first
year. First version of the protocol to be voted on by Summer 2007. StrongAuth is
willing to assist by arranging for the teleconferences; we anticipate using
readily available free teleconference services.

f. Names, electronic mail addresses, of supporters:

Ken Adler, ken@adler.net 
June Leung, June.Leung@FundServ.com 
John Messing, jmessing@law-on-line.com 
Arshad Noor, arshad.noor@strongauth.com 
Davi Ottenheimer, davi@poetry.org 
Ann Terwilliger, aterwil@visa.com

g. TC Convener:

Arshad Noor, arshad.noor@strongauth.com
