Strength in Complexity?
Arshad Noor
arshad.noor at strongauth.com
Sun Aug 3 20:30:49 EDT 2008

Ben Laurie wrote:

> So, an executive summary of your responses appears to be "EKMI leaves
> all the hard/impossible problems to be solved by components that are out
> of scope".

A more optimistic way of putting this, Ben, is to state that EKMI allows
domain-experts of underlying components to address the complex issues of
their domain in ways that they deem best, while providing value on top
of those components. I see no reason to reinvent any of the components
- despite their imperfections - when they serve my purpose very well.
The business goal here is not cryptographic elegance or perfection, but
a solution to a problem without creating new vulnerabilities.

> As such, I'm not seeing much value.

That may be because you are a cryptographer. If you were the CSO, an
Operations Director, or an Application Developer in a company that had
to manage encryption keys for 5,000 POS Terminals, 10,000 laptops,
desktops and servers across multiple data-centers and 400 stores, you
would see it very differently.

> Is there anything other than key escrow that's actually in scope?

Yes.

- The <KeyUsePolicy> element in SKSML tells conforming applications
  how to use the symmetric key, where to use it, when to use it, for
  what purpose, for how many transactions, etc.

- The <KeyCachePolicy> element tells SKSML clients whether they may
  cache keys, and if they may, how many of them and for how long so
  that conforming applications can continue to use keys even when
  disconnected from the central key-management server.

Arshad Noor
StrongAuth, Inc.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
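
As an added illustration (not part of the original message, and not StrongAuth or SKSML code), here is a client-side key cache that enforces the kinds of limits the message attributes to <KeyCachePolicy> and <KeyUsePolicy>. All class and field names are hypothetical stand-ins rather than the SKSML schema, and evicting the oldest key when the cache is full is a choice made for this example.

```python
import time
from dataclasses import dataclass
# All class and field names below are hypothetical; they are not SKSML's schema.
@dataclass(frozen=True)
class CachePolicy:            # limits the message attributes to <KeyCachePolicy>
    caching_allowed: bool
    max_keys: int             # how many keys may be cached
    max_age_seconds: float    # for how long a cached key may be kept
@dataclass(frozen=True)
class UsePolicy:              # two of the limits attributed to <KeyUsePolicy>
    purposes: frozenset       # permitted purposes, e.g. {"encrypt"}
    max_transactions: int     # how many transactions the key may serve
@dataclass
class CachedKey:
    key: bytes
    use: UsePolicy
    cached_at: float
    used: int = 0
class PolicyError(Exception): pass  # client must go back to the key server

class KeyCache:
    def __init__(self, policy, clock=time.monotonic):
        self.policy, self.clock, self.keys = policy, clock, {}

    def _expire(self):
        # Drop every key held longer than the cache policy allows.
        limit = self.clock() - self.policy.max_age_seconds
        self.keys = {k: e for k, e in self.keys.items() if e.cached_at >= limit}

    def store(self, key_id, key, use):
        if not self.policy.caching_allowed or self.policy.max_keys < 1:
            return False                      # policy forbids caching
        self._expire()
        if key_id not in self.keys and len(self.keys) >= self.policy.max_keys:
            # Example's choice: evict the oldest key to stay within the limit.
            del self.keys[min(self.keys, key=lambda k: self.keys[k].cached_at)]
        self.keys[key_id] = CachedKey(key, use, self.clock())
        return True

    def use(self, key_id, purpose):
        self._expire()
        entry = self.keys.get(key_id)
        if entry is None:
            raise PolicyError("key not cached or cache lifetime exceeded")
        if purpose not in entry.use.purposes:
            raise PolicyError("purpose not permitted for this key")
        if entry.used >= entry.use.max_transactions:
            del self.keys[key_id]             # exhausted keys are dropped
            raise PolicyError("transaction limit reached")
        entry.used += 1
        return entry.key
```
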