The Key Management Summit
It will soon be time for the IEEE Key Management Summit, which will be held September 23-24 in Baltimore, Maryland. It will bring together academics, customers and key management vendors to discuss the requirements for key management technology and how the evolving key management standards can work together. At least, that's the plan. It looks like it might not quite work out as well as the organizers had hoped – it looks like almost everyone coming is from a security vendor. This means that we won’t be getting much of the customers' point of view on key management at all.
That's disappointing. I'll be attending the event, and the panel discussions with customers were the part that I was looking forward to the most. It's hard to find out what customers really want without talking to them, and I was hoping to use these panel discussions to get a better idea of what people are looking for in key management products.
After the customer panels, my favorites are probably a toss-up between the talks by NSA and NIST and the panel discussion about the different key management standards. NSA seems to influence the thinking at NIST, and the thinking at NIST seems to influence the rest of the world, at least when it comes to information security. Because of this, I'd like to hear what their thoughts are on the subject.
The panel discussion about the different key management standards might also be interesting. There are already a number of standards out there on key management, but these focus more on what to do, not on how to do it. Because of this, they really don't provide the level of detail that vendors need to make interoperable products. There are three main standards for key management that are being developed now that will actually allow the creation of interoperable products, and each has its own set of strengths and weaknesses.
The Provisioning of Symmetric Keys (KEYPROV) working group of the IETF is working on the Dynamic Symmetric Key Provisioning Protocol (DSKPP). This lets you initialize a device with a symmetric key, but without using any public-key operations. It's an interesting and useful idea, but one that seems to have rather limited uses.
The Enterprise Key Management Infrastructure (EKMI) Technical Committee of OASIS is working on the Symmetric Key Services Markup Language (SKSML), an XML-based protocol for managing symmetric keys and the policies that govern their use. This standard seems to just represent the work of a single small company, and has little support from other vendors. Because of this, I don't think that it will be very widely adopted.
The Security in Storage Working Group of the IEEE is working on the P1619.3 Standard for Key Management Infrastructure for Cryptographic Protection of Stored Data. This one looks like a winner – it solves a pressing problem and has lots of vendor support. On the other hand, the progress of the standard has apparently been crippled recently by politics and the inability of the working group to make the simplest of decisions. If the working group can overcome these difficulties, this standard probably stands the best chance of being successful.
So I'm looking forward to seeing the panel discussion on standards to see how the various groups position their work relative to the others. It will be particularly interesting to see how the comparison between SKSML and P1619.3 turns out. Those two seem to have a bit of overlap, but the working groups that are developing them will almost certainly have an explanation prepared that explains how the two differ. I'm looking forward to hearing what they have to say.




