[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [ekmi-comment] SKSML public review - comment - proposal to allowfor different key payload containers and alignment with IETF PSKC
Philip, Thank you very much for your comments on the DRAFT specification of SKSML, and the potential to include the DSKPP key-container within SKSML. The Technical Committee has agreed to begin discussions with you (and/or other members of KEYPROV) to understand the implications of this change. A small group of TC members would like to start understanding the details of DSKPP, how it fits in with SKSML and its impact on SKSML. Please let us know how you would like to begin - I imagine a web-presentation from you on the current DSKPP architecture and mechanics would be the appropriate first step. The TC has also decided that since there were no objections from anyone in the Public Review to the current SKSML DRAFT specification, it will move forward with a ballot to designate the DRAFT as a Committee Specification. This is not an OASIS standard. That may be many months away - which gives us the time to understand the DSKPP technology, and the opportunity to include the key-container (if the TC votes for it) before SKSML becomes an OASIS standard. Let me know some convenient dates and times when you might be able to provide that web-presentation. We should have a sub-group named by the 20th of January (our monthly TC meeting), so any time after that would be appropriate. Regards and a happy new year. Arshad Noor StrongAuth, Inc. Philip Hoyer wrote: > Ladies and Gentlemen, > > > > Having been made aware of the SKSML work by Arshad Noor I wanted to > comment on the current specification and make a proposal. > > > > I am the author of the PSKC spec > (http://www.ietf.org/internet-drafts/draft-ietf-keyprov-portable-symmetric-key-container-06.txt) > which is part of the IETF ‘keyprov’ working group > (http://www.ietf.org/html.charters/keyprov-charter.html) that has some > overlap with the work done for SKSML > > > > My main comment around SKSML is that it would be nice to be able to > define the type of payload container (where the key resides) that is > transported. > > > > This has several advantages: > > 1. It decouples the protocol to obtain the keys from the payload to > transfer the keys > 2. it allows for several different containers to be transported with > the same protocol > 3. It allows extensions to the payload to have a separate lifecycle > to the protocol > 4. It will allow profiling of payloads for key related meta-data not > yet considered by the spec > > > > One of the main reasons is that there could be alignment of the payload > between SKSML and the work that has been done in IETF keyprov group. > > > > Especially I would suggest you to consider the work that has been done > on the PSKC spec which seems to satisfy most of the requirements in > SKSML and already has many implementers. > > > > The proposal could be to add one layer of abstraction in the > SymKeyResponse element which indicates the type of key container being used: > > > > Example 1 – using SKSML container > > > > <ekmi:SymkeyResponse > xmlns:ekmi='http://docs.oasis-open.org/ekmi/2008/01' > xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'> > > <ekmi:SymkeyContainer type=” http://docs.oasis-open.org/ekmi/2008/01”;> > > <ekmi:SymkeyList> > > <ekmi:Symkey> > > <ekmi:GlobalKeyID>*10514-1-235*</ekmi:GlobalKeyID> > > <ekmi:KeyUsePolicy> > > <ekmi:KeyUsePolicyID>10514-4</ekmi:KeyUsePolicyID> > > …… > > > > Example 2 – using PSKC container > > > > <ekmi:SymkeyResponse > xmlns:ekmi='http://docs.oasis-open.org/ekmi/2008/01' > xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'> > > <ekmi:SymkeyContainer type=”urn:ietf:params:xml:ns:keyprov:pskc:1.0”> > > <KeyContainer Version="1.0" > xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0"> > > <Device> > > <DeviceInfo> > > <Manufacturer>aManufacturer</Manufacturer> > > <SerialNo>*10514-1-235*</SerialNo> > > </DeviceInfo> > > <Key KeyAlgorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"; > > KeyId="*10514-1-235*"> > > <Issuer>anIssuer</Issuer> > > ……. > > > > > > Looking forward to your feedback and please do not hesitate to contact > me for further clarificatons, > > > > Philip > > > > ________________________________ > > > > Philip Hoyer > > > > Senior Architect - Office of CTO > > > > ActivIdentity (UK) > > 117 Waterloo Road > > London SE1 8UL > > > > Telephone: +44 (0) 20 7960 0220 > > Fax: +44 (0) 20 7902 1985 > > > > Private and confidential: This message and any attachments may contain > > privileged / confidential information. If you are not an intended recipient, > > you must not copy, distribute, discuss or take any action in reliance on it. > > If you have received this communication in error, please notify the sender > > and delete this message immediately. > > >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]