Re: [ekmi] Discussion on comment received on 15-day review of SKSML

[Anil Saldhana <Anil.Saldhana@redhat.com>]

http://wiki.oasis-open.org/
http://wiki.oasis-open.org/xacml/ (Example)

I think we should get a wiki to keep track of issues.

Arshad Noor wrote:
> Agreed, Tomas.
>
> Anil, would you be kind enough to keep track of things we want to
> work on in 2.0?  Here are some items I've that are of interest so far:
>
> 1) Inclusion of DSKPP key-container (Tomas G and Sandy R);
> 2) KM standard for mobile environments (Upendra M);
> 3) Replication between SKS servers (Arshad N);
>
> I will respond to Philip Hoyer that we want to engage with him/KEYPROV
> to understand the mechanics of DSKPP, their security model and how it
> will fit in with SKSML.  Would someone from the TC volunteer to lead
> this discussion with Philip on the DSKPP item?  Sandy/Tomas?  I will
> be involved, but would prefer to take a back-seat on this discussion.
>
> Since we have heard no objections to the current DRAFT specification,
> I will setup a ballot for moving the current DRAFT to Committee
> Specification status.  We can begin new TC work with our first meeting
> in Jan 2009 (Anil, would you please schedule them in the calendar?
> Thanks).
>
> Thanks all and a very happy new year to everyone.
>
> Arshad
>
> Tomas Gustavsson wrote:
>> Hi Arshad,
>> I agree that we should move on with v1 of the protocol. We should 
>> maintain a list of items that will be studied for v2.
>>
>> Regards,
>> Tomas
>>
>>
>> Arshad Noor <arshad.noor@strongauth.com> wrote:
>>
>>> Hi Tomas (Sandy and Ben),
>>>
>>> Thanks for your thoughts.
>>>
>>> I don't have anything (yet) against considering the merger of the
>>> DSKPP key-container into SKSML - I just think that we should study
>>> it before deciding on it.
>>>
>>> EKMI TC, the KEYPROV WG and the IEEE 1619.3 WG all had unique
>>> charters 2 years ago, so everybody was comfortable that there was
>>> no overlap.
>>>
>>> Since then, it appears that the IEEE and the KEYPROV WGs have carved
>>> some part of the EKMI TC focus into their charter, causing the overlap;
>>> we've still stayed true to our focus and mission for the last 2 years.
>>>
>>> Now that we're at the threshold of voting it to Committee Spec status,
>>> I would hate to have 2-years worth of work delayed for a few more
>>> months just so we can determine if the DSKPP key-container fits in
>>> within SKSML.  (I also recall that there was consensus in the last TC
>>> meeting that we would not add any new features to SKSML 1.0 after the
>>> asynch-request/encryption-cert support, as it was leading to scope-
>>> creep).
>>>
>>> Vendors need to start building implementations of SKSML so they can 
>>> learn about its own implementation issues.  However, they need a stable
>>> spec for that; if we keep changing the protocol every 2-3 months 
>>> without
>>> putting a stake in the ground, we'll never finish SKSML.
>>>
>>> I think we can study the DSKPP key-container and create some vendor
>>> implementations of the Committee Spec concurrently without sacrificing
>>> anything.  The SKSML implementation experience may cause us to 
>>> fine-tune
>>> our own protocol and by then we will also know how well the DSKPP key-
>>> container fits in with SKSML.  Sometime in spring, we can then vote on
>>> how to move forward with the standards vote and the DSKPP.
>>>
>>> Thoughts?
>>>
>>> Arshad
>>>
>>> Tomas Gustavsson wrote:
>>>> Hi,
>>>> I didn't study the pskc document in detail now, only went over it 
>>>> briefly. It seems quite, perhaps overly, complex.
>>>>
>>>> In general the idea of standardizing key container is good. If it 
>>>> were PKI we were talking about I would be suspicious of any new 
>>>> protocol that did not allow piggy-backing of existing standard 
>>>> messages such as pkcs#10 requests and pkcs#12 keystores.
>>>>
>>>> The pskc seems to be simply such a standardized keystore, similar 
>>>> to pkcs#12 but for symmetric keys. If it is as Philip says that 
>>>> there are already wide-spread implementation of this keystore type, 
>>>> I think it would be beneficial for ekmi to support this.
>>>>
>>>> Regarding your point 5 Arshad, I think this would be the benefit of 
>>>> supporting pskc, easing integration with existing implementations 
>>>> that already use pskc containers AFTER the delivery of the key by 
>>>> the SKS. Being able to "EKMI-ify" existing systems.
>>>>
>>>> This is one of the areas where I think for example XKMS failed. It 
>>>> did not acknowledge the vast installed base of implementations 
>>>> using pkcs#10 but required implementing something completely new, 
>>>> making it impossible to easy "XKMS-ify" existing systems.
>>>>
>>>> Happy new year to all,
>>>> Tomas
>>>>
>>>> Arshad Noor wrote:
>>>>> All,
>>>>>
>>>>> Many people are probably still on vacation and enjoying the holidays
>>>>> with their families/loved ones, but I thought that it would be useful
>>>>> to start the discussion on the comment received from Philip Hoyer on
>>>>> the 15-day review of SKSML that concluded last week:
>>>>>
>>>>> http://lists.oasis-open.org/archives/ekmi-comment/200812/msg00000.html 
>>>>>
>>>>>
>>>>> Here are my thoughts (in no particular order of importance):
>>>>>
>>>>> 1) We have not received any objections or concerns with the current
>>>>>    definition of the SKSML protocol itself;
>>>>>
>>>>> 2) Harmonizing key-management standards are good for the industry and
>>>>>    for customers; those amongst us at the Key Management Summit held
>>>>>    in Baltimore in September 2008 heard this very clearly from the
>>>>>    customers that attended the summit;
>>>>>
>>>>> 3) The IETF key-management effort has always been focused on 
>>>>> symmetric
>>>>>    authentication keys, which is a very different objective than what
>>>>>    the EKMI TC is focused on.  This was discussed even before the TC
>>>>>    came into existence:
>>>>>
>>>>> http://lists.oasis-open.org/archives/oasis-charter-discuss/200611/msg00003.html 
>>>>>
>>>>>
>>>>>    Since it was agreed that there was no overlap between KEYPROV and
>>>>>    EKMI TC (other than that both groups used symmetric cryptographic
>>>>>    keys to achieve their different objectives), the OASIS TC was
>>>>>    allowed to be created.
>>>>>
>>>>> 4) The key-container is an integral part of the SKSML protocol, but
>>>>>    not the most critical part of the protocol.  The truly critical
>>>>>    element is the KeyUsePolicy element, since this is what defines
>>>>>    policy and establishes control.  Without the KUP, there is no
>>>>>    key-management system;
>>>>>
>>>>> 5) The key-container in SKSML is tied to the use of XML Encryption
>>>>>    and X509 digital certificates for transporting the key; this not
>>>>>    only provides us the transport security, but also ties it to the
>>>>>    authentication credential of the client (also an X509 digital
>>>>>    certificate).  Without having studied the KEYPROV protocol, I am
>>>>>    not certain what additional benefits SKSML will gain by allowing
>>>>>    for different key-containers to carry the key.  At a minimum, it
>>>>>    will require studying the impact on the security and assumptions
>>>>>    we need to make about the requesting client;
>>>>>
>>>>> 6) We are at the point of only voting on a Committee Specification,
>>>>>    not an OASIS standard.  The next 3-6 months will be spent in
>>>>>    creating implementations to validate our choices and learn from
>>>>>    the experience before voting on the standard.
>>>>>
>>>>> I would recommend that, given the effort we have put in over the
>>>>> last two years, we continue with making the current spec a Committee
>>>>> Specification to validate our work through implementations.  At the
>>>>> same time, I also recommend that one or more TC members engage in
>>>>> discussions with Philip to understand the details and implications
>>>>> of his suggestion.  The engaging-member(s) can then report back to
>>>>> the TC with an analysis on what impact this suggestion has on SKSML
>>>>> and his/her/their recommendation.  The analysis can occur 
>>>>> concurrently
>>>>> with the implementation validation so we will have a fair amount of
>>>>> information before deciding on what to do before going for an OASIS
>>>>> standards vote.
>>>>>
>>>>> Let me know what others think about this.
>>>>>
>>>>> Arshad Noor
>>>>> StrongAuth, Inc.