RE: [ekmi-comment] SKSML public review - comment - proposal to allow for different key payload containers and alignment with IETF PSKC

["Philip Hoyer" <philip.hoyer@actividentity.com>]

Arshad,
We would be available to discuss and webex present Tuesday-Friday week
commencing 19/1 and then the Monday 26th or Friday 30th.

Would any such dates suite you and if not could you come back with some
candidate dates in February for us to consider.

Thanks,
Philip

-----Original Message-----
From: Arshad Noor [mailto:arshad.noor@strongauth.com] 
Sent: Saturday, January 03, 2009 12:25 AM
To: Philip Hoyer
Cc: ekmi-comment@lists.oasis-open.org; ekmi
Subject: Re: [ekmi-comment] SKSML public review - comment - proposal to
allow for different key payload containers and alignment with IETF PSKC

Philip,

Thank you very much for your comments on the DRAFT specification
of SKSML, and the potential to include the DSKPP key-container
within SKSML.

The Technical Committee has agreed to begin discussions with you
(and/or other members of KEYPROV) to understand the implications
of this change.

A small group of TC members would like to start understanding the
details of DSKPP, how it fits in with SKSML and its impact on
SKSML.  Please let us know how you would like to begin - I imagine
a web-presentation from you on the current DSKPP architecture and
mechanics would be the appropriate first step.

The TC has also decided that since there were no objections from
anyone in the Public Review to the current SKSML DRAFT specification,
it will move forward with a ballot to designate the DRAFT as a
Committee Specification.  This is not an OASIS standard.  That may
be many months away - which gives us the time to understand the
DSKPP technology, and the opportunity to include the key-container
(if the TC votes for it) before SKSML becomes an OASIS standard.

Let me know some convenient dates and times when you might be able
to provide that web-presentation.  We should have a sub-group named
by the 20th of January (our monthly TC meeting), so any time after
that would be appropriate.

Regards and a happy new year.

Arshad Noor
StrongAuth, Inc.

Philip Hoyer wrote:
> Ladies and Gentlemen,
> 
>  
> 
> Having been made aware of the SKSML work by Arshad Noor I wanted to 
> comment on the current specification and make a proposal.
> 
>  
> 
> I am the author of the PSKC spec 
>
(http://www.ietf.org/internet-drafts/draft-ietf-keyprov-portable-symmetr
ic-key-container-06.txt) 
> which is part of the IETF 'keyprov' working group 
> (http://www.ietf.org/html.charters/keyprov-charter.html) that has some

> overlap with the work done for SKSML
> 
>  
> 
> My main comment around SKSML is that it would be nice to be able to 
> define the type of payload container (where the key resides) that is 
> transported.
> 
>  
> 
> This has several advantages:
> 
>    1. It decouples the protocol to obtain  the keys from the payload
to
>       transfer the keys
>    2. it allows for several different containers to be transported
with
>       the same protocol
>    3. It allows extensions to the payload to have a separate lifecycle
>       to the protocol
>    4. It will allow profiling of payloads for key related meta-data
not
>       yet considered by the spec
> 
>  
> 
> One of the main reasons is that there could be alignment of the
payload 
> between SKSML and the work that has been done in IETF keyprov group.
> 
>  
> 
> Especially I would suggest you to consider the work that has been done

> on the PSKC spec which seems to satisfy most of the requirements in 
> SKSML and already has many implementers.
> 
>  
> 
> The proposal could be to add one layer of abstraction in the 
> SymKeyResponse element which indicates the type of key container being
used:
> 
>  
> 
> Example 1 - using SKSML container
> 
>  
> 
> <ekmi:SymkeyResponse 
>  xmlns:ekmi='http://docs.oasis-open.org/ekmi/2008/01' 
>  xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>
> 
> <ekmi:SymkeyContainer type=" http://docs.oasis-open.org/ekmi/2008/01";>
> 
> <ekmi:SymkeyList>
> 
> <ekmi:Symkey>
> 
>  <ekmi:GlobalKeyID>*10514-1-235*</ekmi:GlobalKeyID>
> 
> <ekmi:KeyUsePolicy>
> 
> <ekmi:KeyUsePolicyID>10514-4</ekmi:KeyUsePolicyID>
> 
> ......
> 
>  
> 
> Example 2 - using PSKC container
> 
>  
> 
> <ekmi:SymkeyResponse 
>  xmlns:ekmi='http://docs.oasis-open.org/ekmi/2008/01' 
>  xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>
> 
> <ekmi:SymkeyContainer type="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
> 
>                         <KeyContainer Version="1.0" 
> xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
> 
>     <Device>
> 
>         <DeviceInfo>
> 
>             <Manufacturer>aManufacturer</Manufacturer>
> 
>             <SerialNo>*10514-1-235*</SerialNo>
> 
>         </DeviceInfo>
> 
>         <Key
KeyAlgorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc";
> 
>         KeyId="*10514-1-235*">
> 
>             <Issuer>anIssuer</Issuer>
> 
>                                     .......
> 
>  
> 
>  
> 
> Looking forward to your feedback and please do not hesitate to contact

> me for further clarificatons,
> 
>  
> 
> Philip
> 
>  
> 
> ________________________________
> 
>  
> 
> Philip Hoyer
> 
>  
> 
> Senior Architect - Office of CTO
> 
>  
> 
> ActivIdentity (UK)
> 
> 117 Waterloo Road
> 
> London SE1 8UL
> 
>  
> 
> Telephone: +44 (0) 20 7960 0220
> 
> Fax: +44 (0) 20 7902 1985
> 
>  
> 
> Private and confidential: This message and any attachments may contain
> 
> privileged / confidential information. If you are not an intended
recipient,
> 
> you must not copy, distribute, discuss or take any action in reliance
on it.
> 
> If you have received this communication in error, please notify the
sender
> 
> and delete this message immediately.
> 
>  
>