Subject: Encryption: It's Time
Sir,

Thank you for an informative article on encryption and key-management in the 5/21/07 issue of ComputerWorld. While cryptographers have always been aware of the issues with key management for decades, it is gratifying to note that the general computing press is starting to pay attention to this important topic.

While there are a few proprietary solutions on the market today (as was covered in your article), I wanted to bring your attention to an industry effort to standardize symmetric key-management services, being driven by the OASIS Enterprise Key Management Infrastructure Technical Committee (EKMI-TC) to deliver on the following goals:

* To standardize a protocol - the Symmetric Key Services Markup Language (SKSML) - for applications and/or computerized devices to acquire symmetric key management services, securely, over a network
* To create implementation and Operations Guidelines for how to build and operate enterprise-scale Symmetric Key Management Systems (SKMS)
* To work with other standards-setting bodies (see below) on Audit Guidelines for SKMS and
* To create an interoperability testing suite for the Symmetric Key Services Markup Language (SKSML) protocol

The effort has been underway since January and has garnered the support of Visa, the US DoD, Red Hat, Sterling Commerce, FundServ, Wave Systems, PrimeKey, PA Consulting, StrongAuth and many security-minded individuals. Oracle, RSA (EMC), Symantec, Entrust, Booz Allen Hamilton and Mitre participate on this TC and maintain Observer status.

The TC is also working with the Information Security Auditors & Controllers Association (ISACA) to ensure that auditors are trained and knowledgeable in key-management guidelines when they audit such complex infrastructures. The ISACA International conference in Singapore in July 2007 has scheduled a session on "EKMI: Understanding them before auditing them" to kick off this initiative.

OASIS is teaming with the San Francisco/Silicon Valley chapters of ISACA - and potentially the Information Systems Security Association (ISSA) - in conducting a day-long workshop on EKMI later this year. Besides educating people on what is an SKMS, it is also expected to cover how to set up a secure SKMS, operate it, and how to audit an SKMS to ensure attendees understand the differences between strong and weak implementations of an SKMS.

I would encourage you to keep up the good work of educating your readers on key-management and, hopefully, encourage them to join the effort to create a single standard for such services. Just as the internet could never have grown to its current size without DNS, we believe that a standard key-management protocol is absolutely critical to protecting data on the internet in a consistent & reliable manner.

You can find more information on the OASIS EKMI-TC effort at this URL:

http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ekmi

There are use-cases, presentations, an article on SKMS, as well as the schema definition of the proposed SKSML protocol. If you have any questions, please don't hesitate to contact me.

Regards,

Arshad Noor
StrongAuth, Inc.
Chair, OASIS EKMI-TC