TPM Key backup/migration and KMIP interop

[Wyllys Ingersoll <Wyllys.Ingersoll@Sun.COM>]

The TCG infrastructure working group (IWG) defined a backup/migration specification
for migrating keys from on TPM platform to another.  The current IWG document (from 2004) 
specifies the use of Web Services Architecture profiles for interoperability.  That
spec also calls for an XML-based message format be used for passing
the key migration information between platforms via a SOAP interface.  However, the 
spec does allow for the transport of data over other interfaces, including 
a TLS channel or a proprietary transfer mechanism.  Presumably, it would also
allow for the use of a KMIP protocol if the messages could be made to work in the
KMIP object space.

The IWG is wondering if there is a way to move TPM migration objects using the KMIP
protocol.  Currently, the list of managed objects and attributes defined in the KMIP
spec would probably not be sufficient to represent the data that the TPM migration
would require.  The TPM migration data could be wedged into the Opaque Object with
custom attributes, but that is probably not the optimal solution.  Also, the list of
client-server operations currently defined might not fully meet the requirements
of the TPM migration operation (more investigation needed here, though).

I wanted to bring this to the attention of the group because the IWG would like to
be able to use the KMIP protocols in the future and are asking for advice on what
would be the best way to move forward.  Would they need to write a new usage profile
or possibly suggest objects, attributes, and operations for the core spec?  Additionally,
the IWG would also have to amend their own specs to indicate how to use KMIP.

-Wyllys Ingersoll
 TCG IWG Liason