EKMI Implementation, Operations & Audit Guidelines (IOAG)

[Arshad Noor <arshad.noor@strongauth.com>]

Now that we' have a CS behind us, we have a fair amount of
information to start considering the TC Guidelines for how
an EKMI will be built, operated and audited.  (While vendor
implementations of the protocol will certainly help in the
creation of these guidelines, IMO, many of these guidelines
are common-sense best-practices, and with a few details, I
don't believe we need to wait until implementations are on
the ground before we begin the IOAG work).

We have two new Co-Chairs of the IOAG SubCommittee (Davi and
Ken) who will help us drive the creation of the IOAG document,
but I would encourage members of the TC who are interested in
bringing their experiences of managing security infrastructures
to bear on this document, to please join the discussion.

In 2007, Tomas and I created an initial DRAFT of the Impl. &
Ops. guidelines, but shelved it because we felt the SKSML
protocol needed to be finalized before the IOAG documents
could be created.  You can read the initial DRAFT here:

http://www.oasis-open.org/committees/documents.php?wg_abbrev=ekmi-implementation

Please review and start throwing out ideas on how you think this
document should be structured.  Are there suggestions on other
guideline documents that we could use as a model?  Remember
that the target audience consists of three groups of people:
people who will build the EKMI, people who will operate it on
a day-to-day basis, and finally, people who will audit it and
look for compliance to policy/regulations.

I envision that the document will have three major sections
corresponding to these 3 groups of users, but that's open to
debate.

Thanks.

Arshad