Subject: OASIS EKMI standard (was Re: [dev-crypto] Free IDtrust workshop inBarcelona)


Certainly, Andreas.  

To begin, I am in agreement with you that cryptographic keys 
are best protected when generated, stored and used within
hardware devices such as HSMs, TPMs and smartcards.  The 
OASIS EKMI TC implementation guidelines (currently being 
written up) recommend that, and the Symmetric Key Services 
Markup Language (SKSML) supports that on the client as well 
as the server.

The problem is that enterprises are faced with the daunting
prospect of managing symmetric encryption on a diverse group
of applications and devices such as laptops, PDAs, databases,
web-application servers, desktops, thumb-drives, SAN, NAS,
tape-libraries and so on.  Currently, they are being forced 
to manage symmetric encryption keys on these applications and
devices in silos - each one with their own management tools
and interfaces for defining policy, escrow, recovery and 
access control.  

Even with a single abstract policy, companies are forced to
implement multiple procedures and support multiple technologies
within their key-management infrastructures.  Add to this that
most EKMIs will be audited for regulatory compliance to various
security regulations (PCI-DSS, PCSA, HIPAA, FISMA, EU Directive),
companies may have to undergo multiple audits to certify their
compliance.  There is also the risk that with multiple KMIs, 
human error will introduce vulnerabilities due to differing
technologies and procedures.

The SKSML protocol aims to alleviate this problem by providing
a standard language for requesting key-management services
just as the DNS protocol allows a client to request IP-address
resolution from a DNS server.  It hopes to bring some sanity
to the madness that is sure to result if enterprises are forced
to implement proprietary protocols and APIs for each KMI.

I would encourage you to review the content of the OASIS EKMI
TC website, read its charter and some of the documents posted
there.  The Technical Committee (TC) started with six (6)
supporters 8 months ago, but now numbers twenty-eight (28).
Supporters include Visa, Wells Fargo, Red Hat, the US Dept. of
Defense, PA Consulting, Primekey, Wave Systems amongst many
others.  Individuals who specialize in security and IT audit
are also part of this TC, as well as some of the leading software 
companies in the world in the PC, database and security space
(whose names I cannot mention publicly).

Arshad Noor
StrongAuth, Inc.
(Also, the Chair of the OASIS EKMI TC)

----- Original Message -----
From: "Andreas Schwier" <andreas.schwier@cardcontact.de>
To: "Arshad Noor" <arshad.noor@strongauth.com>
Cc: dev-crypto@bouncycastle.org
Sent: Wednesday, September 5, 2007 1:39:56 AM (GMT-0800) America/Los_Angeles
Subject: Re: [dev-crypto] Free IDtrust workshop in Barcelona

Can someone explain to me what the rationale for this OASIS standard is?
Working with cryptographic systems for quite a while now, I would always
try to store a symmetric key in a physically protected device (HSM or
Smart Card) and do all cryptographic processing within the device. Why
would someone use this protocol to send a symmetric key from a server to
a client (which by the way is what any hybrid encryption scheme does as
well)?

Andreas

Arshad Noor wrote:
> For those attending the Burton Group Catalyst conference, or those
> anywhere in the vicinity, this free session will also cover a session
> on Enterprise Key Management Infrastructure (EKMI) for managing
> symmetric encryption keys across the enterprise (see following URL for
> details on the work of the OASIS EKMI Technical Committee):
> 
> http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ekmi
> 
> Thanks.
> 
> Arshad Noor
> StrongAuth, Inc.
> 
> 
> -----------------------------------------------------------------------
> 
> Registration opens for free IDtrust workshop in Barcelona
> 
> The OASIS IDtrust Member Section is hosting a free workshop in
> conjunction with the Burton Group's Catalyst conference in Barcelona,
> Spain on 22 Oct. Presentations will focus on the critical need for
> strong identity management initiatives, protocols, and standards
> supported by scalable, data-protection and integrity services. Speakers
> will include Abbie Barbir of Nortel, John Sabo of CA, Eve Maler of Sun
> Microsystems, Anthony Nadalin of IBM, Juan Carlos Cruellas of
> CATCert-Agencia Catalana de Certificacio, and others.
> 
> http://events.oasis-open.org/home/idtrust/2007
> 


-- 

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 171 8334920
    ---------    http://www.cardcontact.de
