
Subject: Re: [ekmi] Reminder about postponement of next week's meeting(IOGFeedback)


 
> WRT the crypto protocols for the transfer of symmetric keys,
> since an assumption in the SKSML is that it would leverage
> other standards such as XML Encryption and XML Signature
> (which are implemented in OASIS' Web Services Security layer),
> I felt that the specification of the crypto protocols could
> be relegated to those standards.
>
> We could reference those standards and mention them in our
> document, but would defer to those standards for conformance;
> do you agree?  
From an implementation perspective in the Java world, the key 
size (>=128k means you will need unlimited crypto policy support from the 
JVM due to US export requirements) and JDK support for algorithms is 
going to define choices for the various algorithms. My guess is that 
lower strength encryption will anyway not find any use cases for SKMS in 
the real world.  Do you see any usage of encryption algorithms like 
Blowfish, DES etc. in your field experience?  I would suspect 3DES (or 
AES) may be used. I am not sure what this committee should do - whether 
to keep the choice of algorithms tied to ws-sec usage or define 
particular algorithms from practical experiences. :)

>
>
> Anil Saldhana wrote:
>> The use cases document will be a valuable addition to the IOG 
>> document in my opinion.  The use cases document in the current form 
>> describes the applicability of SKMS without any specifics. I wonder 
>> if explanation of maybe 2 use cases with specifics of 
>> SKMS/protocols/messages etc may be of value in the IOG.  Or IOG is 
>> not supposed to have any details?
>>
>> Another aspect that may have value is the select subset of crypto 
>> protocols (that are commonly used in practice) for transport of the 
>> keys that SKMS will prescribe and appropriately provide references 
>> to their description. I guess the resource section will cover this.
>>
>> Arshad Noor wrote:
>>
>>> I would agree, Anil.
>>>
>>> There is a document that does describe some use-cases, Anil:
>>>
>>> http://www.oasis-open.org/committees/download.php/22700/SKSML-UseCases-11.pdf 
>>>
>>>
>>> This can, potentially, be incorporated into the Implementation and
>>> Operations Guidelines (IOG) document.  Have you had a chance to
>>> review this?
>>>
>>> Arshad Noor
>>> StrongAuth, Inc.
>>>
>>> Anil Saldhana wrote:
>>>
>>>> Arshad,
>>>>  looking at the TOC, I suggest adding a section for use 
>>>> cases/profiles at the end. People using the specification would 
>>>> very much benefit with some real-life examples of the specification. 
>>>> This may be useful for specific verticals like health care, finance 
>>>> etc.
>>>>
>>>> Just a thought.
>>>>
>>>> Regards,
>>>> Anil
>>>>
>>>> Arshad Noor wrote:
>>>>
>>>>> Just a reminder that I had mentioned in the minutes a few weeks
>>>>> ago that next week's EKMI-TC con-call will clash with the OASIS
>>>>> Symposium and that the TC will meet on Tuesday April 24th at
>>>>> 9:00am PDT instead for this month.  We will go back to the
>>>>> regular schedule of third Tuesday at 9:00am PDT in May '07.
>>>>>
>>>>> If you haven't had a chance, please review the DRAFT SKSML
>>>>> documents uploaded a few weeks ago, as well as the proposed
>>>>> "Table of Contents" for the EKMI Implementation & Operations
>>>>> Guidelines document to be produced by the TC.  Your comments
>>>>> and feedback are essential to the clarity of the message that
>>>>> the TC will produce in these areas.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Arshad Noor
>>>>> StrongAuth, Inc.
>>>>
>>>>
>>>
>>

-- 
Anil Saldhana
JBoss Security & Identity Management
http://labs.jboss.com/portal/jbosssecurity/
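
An added example, not part of the thread or of any EKMI/SKSML document: a Java probe for the JVM constraint raised in the message above, reporting for each cipher named there whether the installed jurisdiction policy and providers accept a key of the wanted size. The class name `KeyPolicyProbe` and the wanted key sizes are assumptions made for this illustration.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class KeyPolicyProbe {

    // Ciphers named in the thread, with the key size in bits a deployment
    // might ask for. The sizes are assumptions chosen for this example.
    static final Map<String, Integer> WANTED = new LinkedHashMap<>();
    static {
        WANTED.put("AES", 256);
        WANTED.put("DESede", 192);   // 3DES: 168 effective bits in a 192-bit key
        WANTED.put("Blowfish", 448);
        WANTED.put("DES", 64);
    }

    /** Policy ceiling in bits; Integer.MAX_VALUE means no policy limit. */
    static int policyLimit(String alg) throws GeneralSecurityException {
        return Cipher.getMaxAllowedKeyLength(alg);
    }

    /** True if both the policy and an installed provider accept the key size. */
    static boolean usable(String alg, int bits) {
        try {
            if (policyLimit(alg) < bits) return false;
            byte[] raw = new byte[bits / 8];
            new SecureRandom().nextBytes(raw);          // throwaway probe key
            // Default transformation, init only: nothing is encrypted here.
            Cipher c = Cipher.getInstance(alg);
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(raw, alg));
            return true;
        } catch (GeneralSecurityException e) {
            // Unknown algorithm, or key rejected by policy or provider.
            return false;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        for (Map.Entry<String, Integer> e : WANTED.entrySet()) {
            int limit = policyLimit(e.getKey());
            System.out.printf("%-9s wanted=%3d  policy-limit=%s  usable=%b%n",
                e.getKey(), e.getValue(),
                limit == Integer.MAX_VALUE ? "unlimited" : String.valueOf(limit),
                usable(e.getKey(), e.getValue()));
        }
    }
}
```

Running this at deployment time on the target JVM shows whether a key size chosen for symmetric-key transport will be rejected at `Cipher.init` before any client depends on it.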
