Subject: OASIS EKMI standard (was Re: [dev-crypto] Free IDtrust workshop in Barcelona)
Certainly, Andreas. To begin, I am in agreement with you that cryptographic keys are best protected when generated, stored and used within hardware devices such as HSMs, TPMs and smartcards. The OASIS EKMI TC implementation guidelines (currently being written up) recommend that, and the Symmetric Key Services Markup Language (SKSML) supports that on the client as well as the server.

The problem is that enterprises are faced with the daunting prospect of managing symmetric encryption on a diverse group of applications and devices such as laptops, PDAs, databases, web-application servers, desktops, thumb-drives, SAN, NAS, tape-libraries and so on. Currently, they are being forced to manage symmetric encryption keys on these applications and devices in silos - each one with its own management tools and interfaces for defining policy, escrow, recovery and access control. Even with a single abstract policy, companies are forced to implement multiple procedures and support multiple technologies within their key-management infrastructures. Add to this that most EKMIs will be audited for regulatory compliance to various security regulations (PCI-DSS, PCSA, HIPAA, FISMA, EU Directive), and companies may have to undergo multiple audits to certify their compliance. There is also the risk that with multiple KMIs, human error will introduce vulnerabilities due to differing technologies and procedures.

The SKSML protocol aims to alleviate this problem by providing a standard language for requesting key-management services, just as the DNS protocol allows a client to request IP-address resolution from a DNS server. It hopes to bring some sanity to the madness that is sure to result if enterprises are forced to implement proprietary protocols and APIs for each KMI. I would encourage you to review the content of the OASIS EKMI TC website, read its charter and some of the documents posted there.

The Technical Committee (TC) started with six (6) supporters 8 months ago, but now numbers twenty-eight (28). Supporters include Visa, Wells Fargo, Red Hat, the US Dept. of Defense, PA Consulting, Primekey, Wave Systems, amongst many others. Individuals who specialize in security and IT audit are also part of this TC, as well as some of the leading software companies in the world in the PC, database and security space (whose names I cannot mention publicly).

Arshad Noor
StrongAuth, Inc.
(Also, the Chair of the OASIS EKMI TC)

----- Original Message -----
From: "Andreas Schwier" <andreas.schwier@cardcontact.de>
To: "Arshad Noor" <arshad.noor@strongauth.com>
Cc: dev-crypto@bouncycastle.org
Sent: Wednesday, September 5, 2007 1:39:56 AM (GMT-0800) America/Los_Angeles
Subject: Re: [dev-crypto] Free IDtrust workshop in Barcelona

Can someone explain to me what the rationale for this OASIS standard is?

Working with cryptographic systems for quite a while now, I would always try to store a symmetric key in a physically protected device (HSM or Smart Card) and do all cryptographic processing within the device. Why would someone use this protocol to send a symmetric key from a server to a client (which by the way is what any hybrid encryption scheme does as well)?

Andreas

Arshad Noor schrieb:
> For those attending the Burton Group Catalyst conference, or those
> anywhere in the vicinity, this free session will also cover a session
> on Enterprise Key Management Infrastructure (EKMI) for managing
> symmetric encryption keys across the enterprise (see following URL for
> details on the work of the OASIS EKMI Technical Committee):
>
> http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ekmi
>
> Thanks.
>
> Arshad Noor
> StrongAuth, Inc.
>
>
> -----------------------------------------------------------------------
>
> Registration opens for free IDtrust workshop in Barcelona
>
> The OASIS IDtrust Member Section is hosting a free workshop in
> conjunction with the Burton Group's Catalyst conference in Barcelona,
> Spain on 22 Oct. Presentations will focus on the critical need for
> strong identity management initiatives, protocols, and standards
> supported by scalable, data-protection and integrity services. Speakers
> will include Abbie Barbir of Nortel, John Sabo of CA, Eve Maler of Sun
> Microsystems, Anthony Nadalin of IBM, Juan Carlos Cruellas of
> CATCert-Agencia Catalana de Certificacio, and others.
>
> http://events.oasis-open.org/home/idtrust/2007
>

-- 
 ---------    CardContact Software & System Consulting
|.##> <##.|   Andreas Schwier
|#       #|   Schülerweg 38
|#       #|   32429 Minden, Germany
|'##> <##'|   Phone +49 171 8334920
 ---------    http://www.cardcontact.de