Re: [KEYPROV] [ekmi-comment] SKSML public review - comment - proposal to allow for different key payload containers and alignment with IETF PSKC

[Tomas Gustavsson <tomas at primekey.se>]

Hi EKMI,

I've though about allowing different key payloads in SKSML now. It's 
been quite a while, that I blame entirely on the turmoil in this 
standards area lately :-)

In short, I am in favor of Philips suggestion below. Using a simple 
<ekmi:SymkeyContainer> wrapper. The reason for this is that the change 
to the protocol is really small. EKMI don't even have to profile the 
PSKC case, but can leave that to keyprov.

This small change would allow for a level of flexibility that can be of 
benefit.

Regards,
Tomas Gustavsson
PrimeKey Solutions AB


Arshad Noor wrote:
> Hi Philip,
>
> Tomas Gustaavson of Primekey in Sweden, has agreed to lead the effort
> from the EKMI TC to understand the KEYPROV work, and the ways in
> which KEYPROV and EKMI might overlap and work together.  He (and any
> other TC members who volunteer to work with him on this) will make a
> recommendation to the TC on what we should do.
>
> I will participate in the KEYPROV presentation & discussions (schedule
> permitting), but I will let Tomas drive the schedule and respond with
> dates convenient to him.  Except for the morning of the 23rd, I am
> open both weeks.
>
> Thanks.
>
> Arshad
>
> Philip Hoyer wrote:
> > Arshad,
> > We would be available to discuss and webex present Tuesday-Friday week
> > commencing 19/1 and then the Monday 26th or Friday 30th.
> >
> > Would any such dates suite you and if not could you come back with some
> > candidate dates in February for us to consider.
> >
> > Thanks,
> > Philip
> >
> > -----Original Message-----
> > From: Arshad Noor [mailto:arshad.noor at strongauth.com] Sent: Saturday, 
> > January 03, 2009 12:25 AM
> > To: Philip Hoyer
> > Cc: ekmi-comment at lists.oasis-open.org; ekmi
> > Subject: Re: [ekmi-comment] SKSML public review - comment - proposal to
> > allow for different key payload containers and alignment with IETF PSKC
> >
> > Philip,
> >
> > Thank you very much for your comments on the DRAFT specification
> > of SKSML, and the potential to include the DSKPP key-container
> > within SKSML.
> >
> > The Technical Committee has agreed to begin discussions with you
> > (and/or other members of KEYPROV) to understand the implications
> > of this change.
> >
> > A small group of TC members would like to start understanding the
> > details of DSKPP, how it fits in with SKSML and its impact on
> > SKSML.  Please let us know how you would like to begin - I imagine
> > a web-presentation from you on the current DSKPP architecture and
> > mechanics would be the appropriate first step.
> >
> > The TC has also decided that since there were no objections from
> > anyone in the Public Review to the current SKSML DRAFT specification,
> > it will move forward with a ballot to designate the DRAFT as a
> > Committee Specification.  This is not an OASIS standard.  That may
> > be many months away - which gives us the time to understand the
> > DSKPP technology, and the opportunity to include the key-container
> > (if the TC votes for it) before SKSML becomes an OASIS standard.
> >
> > Let me know some convenient dates and times when you might be able
> > to provide that web-presentation.  We should have a sub-group named
> > by the 20th of January (our monthly TC meeting), so any time after
> > that would be appropriate.
> >
> > Regards and a happy new year.
> >
> > Arshad Noor
> > StrongAuth, Inc.
> >
> > Philip Hoyer wrote:
> > > Ladies and Gentlemen,
> > >
> > >  
> > >
> > > Having been made aware of the SKSML work by Arshad Noor I wanted to 
> > > comment on the current specification and make a proposal.
> > >
> > >  
> > >
> > > I am the author of the PSKC spec
> > (http://www.ietf.org/internet-drafts/draft-ietf-keyprov-portable-symmetr
> > ic-key-container-06.txt)
> > > which is part of the IETF 'keyprov' working group 
> > > (http://www.ietf.org/html.charters/keyprov-charter.html) that has some
> >
> > > overlap with the work done for SKSML
> > >
> > >  
> > >
> > > My main comment around SKSML is that it would be nice to be able to 
> > > define the type of payload container (where the key resides) that is 
> > > transported.
> > >
> > >  
> > >
> > > This has several advantages:
> > >
> > >    1. It decouples the protocol to obtain  the keys from the payload
> > to
> > >       transfer the keys
> > >    2. it allows for several different containers to be transported
> > with
> > >       the same protocol
> > >    3. It allows extensions to the payload to have a separate lifecycle
> > >       to the protocol
> > >    4. It will allow profiling of payloads for key related meta-data
> > not
> > >       yet considered by the spec
> > >
> > >  
> > >
> > > One of the main reasons is that there could be alignment of the
> > payload
> > > between SKSML and the work that has been done in IETF keyprov group.
> > >
> > >  
> > >
> > > Especially I would suggest you to consider the work that has been done
> >
> > > on the PSKC spec which seems to satisfy most of the requirements in 
> > > SKSML and already has many implementers.
> > >
> > >  
> > >
> > > The proposal could be to add one layer of abstraction in the 
> > > SymKeyResponse element which indicates the type of key container being
> > used:
> > >  
> > >
> > > Example 1 - using SKSML container
> > >
> > >  
> > >
> > > <ekmi:SymkeyResponse 
> > >  xmlns:ekmi='http://docs.oasis-open.org/ekmi/2008/01' 
> > >  xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>
> > >
> > > <ekmi:SymkeyContainer type=" http://docs.oasis-open.org/ekmi/2008/01";>
> > >
> > > <ekmi:SymkeyList>
> > >
> > > <ekmi:Symkey>
> > >
> > >  <ekmi:GlobalKeyID>*10514-1-235*</ekmi:GlobalKeyID>
> > >
> > > <ekmi:KeyUsePolicy>
> > >
> > > <ekmi:KeyUsePolicyID>10514-4</ekmi:KeyUsePolicyID>
> > >
> > > ......
> > >
> > >  
> > >
> > > Example 2 - using PSKC container
> > >
> > >  
> > >
> > > <ekmi:SymkeyResponse 
> > >  xmlns:ekmi='http://docs.oasis-open.org/ekmi/2008/01' 
> > >  xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>
> > >
> > > <ekmi:SymkeyContainer type="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
> > >
> > >                         <KeyContainer Version="1.0" 
> > > xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
> > >
> > >     <Device>
> > >
> > >         <DeviceInfo>
> > >
> > >             <Manufacturer>aManufacturer</Manufacturer>
> > >
> > >             <SerialNo>*10514-1-235*</SerialNo>
> > >
> > >         </DeviceInfo>
> > >
> > >         <Key
> > KeyAlgorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc";
> > >         KeyId="*10514-1-235*">
> > >
> > >             <Issuer>anIssuer</Issuer>
> > >
> > >                                     .......
> > >
> > >  
> > >
> > >  
> > >
> > > Looking forward to your feedback and please do not hesitate to contact
> >
> > > me for further clarificatons,
> > >
> > >  
> > >
> > > Philip
> > >
> > >  
> > >
> > > ________________________________
> > >
> > >  
> > >
> > > Philip Hoyer
> > >
> > >  
> > >
> > > Senior Architect - Office of CTO
> > >
> > >  
> > >
> > > ActivIdentity (UK)
> > >
> > > 117 Waterloo Road
> > >
> > > London SE1 8UL
> > >
> > >  
> > >
> > > Telephone: +44 (0) 20 7960 0220
> > >
> > > Fax: +44 (0) 20 7902 1985
> > >
> > >  
> > >
> > > Private and confidential: This message and any attachments may contain
> > >
> > > privileged / confidential information. If you are not an intended
> > recipient,
> > > you must not copy, distribute, discuss or take any action in reliance
> > on it.
> > > If you have received this communication in error, please notify the
> > sender
> > > and delete this message immediately.
> > >
> > >  
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php