OASIS Mailing List Archives: ekmi message
Subject: Re: [ekmi] Groups - EKMI-TC FAQ (Draft) (faq.html) uploaded


Thank you for the correction, Tomas.  I will fix that.

The SKMS within an EKMI can serve both online and offline devices.  However, the offline devices must be online at least once to connect up to the SKS server to get their KeyCachePolicy (KCP) object.  Once they have this, they can get the symmetric keys they need and go offline.  With the cached keys and their embedded KeyUsePolicies (KUP), offline devices can operate - technically - indefinitely.  (This was a business requirement for POS terminals in the Retail sector when I put the architecture/protocol together).

However, from an operational - and security - point of view, Security Officers of most companies will want to have even offline devices periodically check with the SKS server for updated KCP policies, in case the company's symmetric key policy has changed - perhaps a newly discovered vulnerability in 3DES is forcing them to abandon all 3DES keys and re-encrypt ciphertext using AES keys - and now all cached keys must be destroyed and new keys downloaded from the server for re-encryption of data.  

How frequently an offline device must contact the SKS server will remain a configurable operational detail for each company, since the KCP allows the SO to configure the validity period of the caching policy.

Arshad Noor
StrongAuth, Inc.

----- Original Message -----
From: Tomas Gustavsson <tomas@primekey.se>
Date: Tuesday, May 29, 2007 1:37 am
Subject: Re: [ekmi] Groups - EKMI-TC FAQ (Draft) (faq.html) uploaded

> 
> Hi Arshad,
> The only spelling error I can find is in Q2, bullet 3, there "the" is
> spelled "t he".
> 
> Regarding Q3. It says that EKMI "It is not focused on any specific
> industry or device.".
> But is it not so that EKMI primarily targets on-line devices? It sounds
> like, for example, P1619.3 would potentially target an off-line device,
> such as a hard drive in a laptop, or stand-alone computer.
> 
> Cheers,
> Tomas
> 
> 
> arshad.noor@strongauth.com wrote:
> > Friends,
> > 
> > OASIS is planning to put out a press release on the EKMI-TC to coincide
> > with the Burton Catalyst conference in late June.  One document that is
> > useful to writers/editors in writing about the TC is a Frequently Asked
> > Questions (FAQ).
> > 
> > I have taken the liberty of drafting an FAQ based on a standard OASIS
> > template.  I would like the TC to review the questions and answers over the
> > next week - it is fairly short - if possible.  If there are suggestions for
> > additional questions, and/or improvement of the answers, please send them
> > to the TC alias.  If we can get the FAQ finalized by the middle of June, it
> > will help OASIS' marketing department in getting the PR scheduled for late
> > June.
> > 
> > Thanks.
> > 
> > Arshad Noor
> > StrongAuth, Inc.
> > 
> >  -- Arshad Noor*
> > 
> > The document named EKMI-TC FAQ (Draft) (faq.html) has been submitted by
> > Arshad Noor* to the OASIS Enterprise Key Management Infrastructure (EKMI)
> > Technical Committee document repository.
> > 
> > Document Description:
> > Frequently asked questions about the EKMI-TC and its work.
> > 
> > View Document Details:
> > http://www.oasis-open.org/apps/org/workgroup/ekmi/document.php?document_id=24121
> > 
> > Download Document:
> > http://www.oasis-open.org/apps/org/workgroup/ekmi/download.php/24121/faq.html
> > 
> > PLEASE NOTE:  If the above links do not work for you, your email application
> > may be breaking the link into two pieces.  You may be able to copy and paste
> > the entire link address into the address field of your web browser.
> > 
> > -OASIS Open Administration
> 
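The offline-device lifecycle described in the reply above (fetch a KeyCachePolicy once, operate offline on cached keys with their embedded KeyUsePolicies until the KCP validity period lapses, then adopt an updated KCP that retires a whole algorithm, destroys the cached keys and re-encrypts data under replacement keys) can be modelled as a small client-side cache. The code below is an added example written for this archive page; it is not part of the thread, not StrongAuth's or the EKMI-TC's code, and does not use the real SKSML schema. The class and field names (`OfflineKeyCache`, `KeyCachePolicy`, `SymmetricKey`, `Record`, `kup_purposes`, `cache_valid_until`, `allowed_algorithms`) are assumptions for the model, the scenario values are constructed, and the SHA-256 counter keystream stands in for 3DES/AES only so the block runs offline with the standard library.

```python
import hashlib
import os
from dataclasses import dataclass

# Assumed model names (not the SKSML schema): everything below is constructed
# for this example to show the KCP/KUP behaviour described in the mail.

@dataclass(frozen=True)
class SymmetricKey:
    key_id: str
    algorithm: str                 # "3DES" or "AES" in this model
    material: bytes
    kup_purposes: frozenset        # the embedded KeyUsePolicy: allowed uses of this key

@dataclass(frozen=True)
class KeyCachePolicy:
    policy_id: str
    cache_valid_until: int         # epoch seconds; the SO-configured validity period
    allowed_algorithms: frozenset

@dataclass
class Record:                      # one encrypted data item held on the device
    key_id: str
    nonce: bytes
    ciphertext: bytes

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for a real cipher: SHA-256 counter keystream, illustrative only.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(out[:length])

def _use(key: SymmetricKey, purpose: str, data: bytes, nonce: bytes) -> bytes:
    # Every use is gated by the key's embedded KUP before any crypto happens.
    if purpose not in key.kup_purposes:
        raise PermissionError(f"KUP of {key.key_id} forbids {purpose}")
    return bytes(a ^ b for a, b in zip(data, _keystream(key.material, nonce, len(data))))

def encrypt(key: SymmetricKey, plaintext: bytes) -> Record:
    nonce = os.urandom(12)
    return Record(key.key_id, nonce, _use(key, "encrypt", plaintext, nonce))

def decrypt(key: SymmetricKey, rec: Record) -> bytes:
    if rec.key_id != key.key_id:
        raise ValueError("record is not encrypted under this key")
    return _use(key, "decrypt", rec.ciphertext, rec.nonce)

class OfflineKeyCache:
    """Device-side key cache governed by the KCP last fetched from the SKS server."""

    def __init__(self, kcp: KeyCachePolicy, keys: list) -> None:
        self.kcp = kcp
        self.keys = {k.key_id: k for k in keys}

    def may_operate_offline(self, now: int) -> bool:
        # Past the validity period the device must re-contact the SKS server.
        return now <= self.kcp.cache_valid_until

    def key_for(self, key_id: str, now: int) -> SymmetricKey:
        if not self.may_operate_offline(now):
            raise RuntimeError("KCP validity expired; refresh it from the SKS server first")
        key = self.keys[key_id]
        if key.algorithm not in self.kcp.allowed_algorithms:
            raise RuntimeError(f"{key.algorithm} no longer permitted by {self.kcp.policy_id}")
        return key

    def apply_policy_update(self, new_kcp: KeyCachePolicy, replacement: SymmetricKey, records: list) -> int:
        """Adopt a refreshed KCP: decrypt data under keys the new policy bans, re-encrypt it
        under the replacement key, then destroy the banned keys. Returns records re-encrypted."""
        retired = {k.key_id: k for k in self.keys.values() if k.algorithm not in new_kcp.allowed_algorithms}
        self.kcp = new_kcp
        self.keys[replacement.key_id] = replacement
        rewrapped = 0
        for rec in records:
            if rec.key_id in retired:
                fresh = encrypt(replacement, decrypt(retired[rec.key_id], rec))
                rec.key_id, rec.nonce, rec.ciphertext = fresh.key_id, fresh.nonce, fresh.ciphertext
                rewrapped += 1
        for key_id in retired:
            del self.keys[key_id]      # cached keys destroyed, as the updated policy demands
        return rewrapped

def demo() -> dict:
    """Constructed scenario: a POS-style device caches a 3DES key, works offline, then
    receives a KCP that bans 3DES together with a replacement AES key."""
    both = frozenset({"encrypt", "decrypt"})
    des_key = SymmetricKey("k-3des-01", "3DES", os.urandom(24), both)
    kcp_v1 = KeyCachePolicy("kcp-v1", 1_000, frozenset({"3DES", "AES"}))
    cache = OfflineKeyCache(kcp_v1, [des_key])
    plaintexts = [b"txn-0001 total=19.99", b"txn-0002 total=42.00"]
    records = [encrypt(cache.key_for("k-3des-01", now=500), p) for p in plaintexts]
    ok_before, ok_after = cache.may_operate_offline(999), cache.may_operate_offline(1_001)
    aes_key = SymmetricKey("k-aes-01", "AES", os.urandom(32), both)
    kcp_v2 = KeyCachePolicy("kcp-v2", 2_000, frozenset({"AES"}))
    rewrapped = cache.apply_policy_update(kcp_v2, aes_key, records)
    recovered = [decrypt(cache.key_for(r.key_id, now=1_500), r) for r in records]
    return {
        "offline_ok_before_expiry": ok_before,
        "offline_ok_after_expiry": ok_after,
        "rewrapped": rewrapped,
        "des_key_destroyed": "k-3des-01" not in cache.keys,
        "roundtrip_ok": recovered == plaintexts,
        "algorithms_in_use": sorted({cache.keys[r.key_id].algorithm for r in records}),
    }

if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is that two separate checks govern a cached key: the KCP's validity period (which forces the periodic re-contact with the SKS server that the reply says Security Officers will want) and the KUP embedded in the key itself. When the refreshed KCP drops an algorithm, `apply_policy_update` keeps the retired keys only long enough to decrypt existing data and then removes them from the cache, so no 3DES-protected record and no 3DES key survives the update.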
