I spent a week in the US recently working on key management in a single-minded way that I rarely have the opportunity for these days.

First there was a two-day Key Management Workshop at NIST. Day one focused on review of the SP 800-130 Key Management Framework and the SP 800-152 Key Management Profile. Day two was a series of presentations by various folks from industry, government and academia on issues and opportunities in key management. As part of this second day of the workshop, John Leiseboer (CTO for Quintessence Labs), Saikat Saha (Senior Product Manager at SafeNet) and I did a panel on issues in key-related interactions across security domains, looking particularly at cloud, Hardware Security Modules and Quantum Key Distribution. The slides we presented are available here, including the list of issues we suggested as implied by these environments. For the cloud environment, for example, I talked about the issues of policy negotiation and propagation across several different models of cloud deployment, using a hybrid cloud deployment as the example.

The second half of the week was devoted to the OASIS KMIP TC face-to-face. Over the past five months, the KMIP technical committee has been developing the use cases that will drive our decisions about what to include in our next version of the standard. Those use cases address key management interoperability in a number of areas: not only the areas of cloud, HSMs and QKD that we discussed at the NIST workshop, but also storage and PGP, for example. It was an intense three days, resulting in very significant decisions about the scope and direction of the next version of KMIP, decisions that we’ll be discussing in the KMIP webinar being offered by OASIS this week.

There were significant accomplishments in both these events. But looking back, what strikes me most strongly is the incredible depth of commitment and energy that everyone involved brought to these meetings. There are lots of issues to be addressed in key management in order to make sure that it is effective both near-term and long-term. Some of those areas are well understood, such as the role of key management for storage. Others are just beginning to be recognized, such as the role of cryptographic keys in ensuring authentication and tracking in open APIs. But if these two events are any indication, there is strong industry recognition that these and other issues can and should be addressed.

In his presentation opening the Key Management Workshop, Whit Diffie remarked that “key management binds keys to the real world.” For me, spending a week wrapped up in problems and solutions for doing key management in the real world was definitely time very well spent.

Author: Bob Griffin

Bob Griffin is Chief Security Architect at RSA, the Security Division of EMC, where he is responsible for technical architecture, standards and strategy, particularly for RSA’s data security products. He represents EMC to several standards organizations, including as co-chair of the OASIS Key Management Interoperability Protocol (KMIP) technical committee. Bob has extensive experience in security strategy, corporate governance, business process transformation and software development. He has had the primary architectural responsibility for a number of production systems environments and for major software engineering projects at RSA, Entrust and Digital Equipment Corporation. He is a frequently requested speaker for professional and industry conferences and has instructed courses within both professional and university settings.