Strength in Complexity?

Arshad Noor arshad.noor at strongauth.com
Sat Jul 5 10:42:07 EDT 2008


Florian Weimer wrote:
> * Arshad Noor:
>>
>> http://www.informationweek.com/shared/printableArticle.jhtml?articleID=208800937
> 
> On a more serious note, I think the criticism probably refers to the
> fact that SKSML does not cryptopgrahically enforce proper key
> management.  If a participant turns bad (for instance, by storing key
> material longer than permitted by the protocol), there's nothing in the
> protocol that stops them.

Thank you for your comment, Florian.

I may be a little naive, but can a protocol itself enforce proper
key-management?  I can certainly see it facilitating the required
discipline, but I can't see how a protocol alone can enforce it.
Any examples you can cite where this has been done, would be very
helpful.

The design paradigm we chose for EKMI was to have:

1) the centralized server be the focal point for defining policy;
2) the protocol carry the payload with its corresponding policy;
3) and the client library enforce the policy on client devices;

In some form or another, don't all cryptographic systems follow a
similar paradigm?

Arshad Noor
StrongAuth, Inc.

P.S. Companies deploying an EKMI must have an external process in
place to ensure their applications are using "verified" libraries
on the client devices, so their polices are not subverted.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list