Strength in Complexity?

Arshad Noor arshad.noor at
Sun Aug 3 20:30:49 EDT 2008

Ben Laurie wrote:
> So, an executive summary of your responses appears to be "EKMI leaves 
> all the hard/impossible problems to be solved by components that are out 
> of scope".

A more optimistic way of putting this, Ben, is to state that EKMI allows
domain-experts of underlying components to address the complex issues of
their domain in ways that they deem best, while providing value on top
of those components.  I see no reason to reinvent any of the components
- despite their imperfections - when they serve my purpose very well.
The business goal here is not cryptographic elegance or perfection, but
a solution to a problem without creating new vulnerabilities.

> As such, I'm not seeing much value.

That may be because you are a cryptographer.  If you were the CSO, an
Operations Director, or an Application Developer in a company that had
to manage encryption keys for 5,000 POS Terminals, 10,000 laptops,
desktops and servers across multiple data-centers and 400 stores, you
would see it very differently.

> Is there anything other than key escrow that's actually in scope?


- The <KeyUsePolicy> element in SKSML tells conforming applications
   how to use the symmetric key, where to use it, when to use it, for
   what purpose, for how many transactions, etc.
- The <KeyCachePolicy> element tells SKSML clients whether they may
   cache keys, and if they may, how many of them and for how long so
   that conforming applications can continue to use keys even when
   disconnected from the central key-management server.

Arshad Noor
StrongAuth, Inc.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list