OASIS Mailing List Archives

ekmi message



Subject: Re: [ekmi] Re: [P1619-3] OASIS EKMI Article in InformationWeek




Arshad Noor wrote:

[snip]

> It is my personal belief that the market for storage-device based
> encryption will dry up within 3-5 years.  Why?  Because of the
> following:

[snip]

> Since the market for encrypted storage-devices is not a long-lived one,
> how much effort do storage vendors want to put into building XML-based
> protocols, libraries, tools and MC applications, when another effort has
> reasonable acceptance and traction, and can be easily used to meet the
> goals of the storage industry?  If storage-industry budgets allow for
> duplicating the OASIS work and dealing with the mixed-marketing messages
> that customers receive, that's a different issue.  However, if you want
> to optimize your investments while making the most of the opportunity
> that presents itself over the next 3-5 years, then it makes sense to do
> the minimum necessary work on the binary protocol and use the OASIS
> XML-based protocol where it makes sense.

I'm not at all certain that there might not be one legacy use for 
hardware level storage - archives of historical keys, data and such 
for later recovery that is software and software version agnostic.

If the encryption is done with V1.1 and several years later V3.7 is 
the version that is in use, how do you recover data from an 
application that used V1.1? One would not want to retain the 
weaknesses of V1.1 in V3.7 in order to recover a V1.1 set of data as 
that would duplicate the LANMAN/NTLM problem.

I think careful thought about the legacy issue is in order and, 
indeed, it may be easiest solved with a low level hardware solution 
that does not change until the data is migrated off the device.

Best,

Allen Schaaf - CISSP, C|EH, C|HFI, CEI
Information Security & Risk Analyst - Business Process Analyst
Training & Instructional Designer - Sr. Documentation Developer
Certified Network Security Analyst and Intrusion Forensics 
Investigator - Certified EC-Council Instructor

Security is a lot like democracy - everyone's for it but
few understand that you have to work at it constantly.



