
ekmi message



Subject: Encryption: It's Time


Sir,

Thank you for an informative article on encryption and
key-management in the 5/21/07 issue of ComputerWorld.

While cryptographers have always been aware of the issues
with key management for decades, it is gratifying to note
that the general computing press is starting to pay
attention to this important topic.

While there are a few proprietary solutions on the market
today (as was covered in your article), I wanted to bring
your attention to an industry effort to standardize
symmetric key-management services, being driven by the
OASIS Enterprise Key Management Infrastructure Technical
Committee (EKMI-TC) to deliver on the following goals:

* To standardize a protocol - the Symmetric Key Services
   Markup Language (SKSML) - for applications and/or
   computerized devices to acquire symmetric key management
   services, securely, over a network

* To create implementation and Operations Guidelines for
   how to build and operate enterprise-scale Symmetric Key
   Management Systems (SKMS)

* To work with other standards-setting bodies (see below)
   on Audit Guidelines for SKMS and

* To create an interoperability testing suite for the
   Symmetric Key Services Markup Language (SKSML) protocol

The effort has been underway since January and has garnered
the support of Visa, the US DoD, Red Hat, Sterling Commerce,
FundServ, Wave Systems, PrimeKey, PA Consulting, StrongAuth
and many security-minded individuals.

Oracle, RSA (EMC), Symantec, Entrust, Booz Allen Hamilton and
Mitre participate on this TC and maintain Observer status.

The TC is also working with the Information Security Auditors
& Controllers Association (ISACA) to ensure that auditors are
trained and knowledgeable in key-management guidelines when they
audit such complex infrastructures.  The ISACA International
conference in Singapore in July 2007 has scheduled a session
on "EKMI: Understanding them before auditing them" to kick off
this initiative.

OASIS is teaming with the San Francisco/Silicon Valley chapters
of ISACA - and potentially the Information Systems Security
Association (ISSA) - in conducting a day-long workshop on EKMI
later this year.  Besides educating people on what an SKMS is,
it is also expected to cover how to set up a secure SKMS, operate
it, and how to audit an SKMS to ensure attendees understand the
differences between strong and weak implementations of an SKMS.

I would encourage you to keep up the good work of educating your
readers on key-management and, hopefully, encourage them to join
the effort to create a single standard for such services.  Just
as the internet could never have grown to its current size
without DNS, we believe that a standard key-management protocol
is absolutely critical to protecting data on the internet in a
consistent & reliable manner.

You can find more information on the OASIS EKMI-TC effort at this
URL: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ekmi
There are use-cases, presentations, an article on SKMS, as well as
the schema definition of the proposed SKSML protocol.

If you have any questions, please don't hesitate to contact me.

Regards,

Arshad Noor
StrongAuth, Inc.
Chair, OASIS EKMI-TC

