[KEYPROV] Provisioning versus Key Management

Anders Rundgren <anders.rundgren@telia.com> Sat, 04 December 2010 17:57 UTC

Message-ID: <4CFA815B.1060604@telia.com>
Date: Sat, 04 Dec 2010 18:58:51 +0100
From: Anders Rundgren <anders.rundgren@telia.com>
To: KEYPROV <keyprov@ietf.org>
Subject: [KEYPROV] Provisioning versus Key Management
List-Id: "Provisioning of Symmetric Keys \(keyprov\)" <keyprov.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/keyprov>

For people with interests in future provisioning and key management 
standards...

My initial take on KeyGen2, already in the version it got during my RSA
time, supported key management as a part of the provisioning process.

However, it used a fairly simple-minded approach, since any serious
key management requires some kind of verification that the key(s) to be
managed are actually available.

I have subsequently dropped all the original KeyGen2 ideas [*] in order
to create something that scales better and is more reliable than schemes
based on "assumptions".

The net result is that KeyGen2 now can perform an arbitrary mix of
key provisioning and key management functions.  To do that, the
revised protocol supports 5 request-response pairs, but not all of them
need to be used.

- PlatformNegotiation
- ProvisioningInitialization
- Optional: CredentialDiscovery
- Optional: KeyInitialization
- ProvisioningFinalization

An example of a KM-only sequence:

http://webpki.org/papers/keygen2/remote-key-unlock.pdf

The KM scheme uses a souped-up version of that of GlobalPlatform.

-- Anders

*] Except using X.509 certificates as key-IDs.  CA keys are, though, no
longer used for key management because that could inhibit adoption.

http://webpki.org/auth-token-4-the-cloud.html
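As an added illustration, not code from the post's author or from KeyGen2 itself, the following toy model shows the shape of the five-phase flow described above: a device that accepts the requests only in the listed order, with CredentialDiscovery and KeyInitialization optional, and a KM-only driver that unlocks a key only after discovery has confirmed the key is present rather than assuming it. Everything beyond the phase names is an assumption: the pre-shared key-management key, the nonce-based session-key derivation, the per-operation HMAC, the string key IDs (the real protocol uses X.509 certificates as key IDs) and the "unlock" operation are stand-ins, not KeyGen2's or GlobalPlatform's actual message formats.

```python
import hashlib
import hmac
import secrets
from enum import Enum, auto


class Phase(Enum):
    PLATFORM_NEGOTIATION = auto()
    PROVISIONING_INITIALIZATION = auto()
    CREDENTIAL_DISCOVERY = auto()
    KEY_INITIALIZATION = auto()
    PROVISIONING_FINALIZATION = auto()


# Phases that may directly precede each phase (None = fresh session).
# CredentialDiscovery and KeyInitialization are optional and may be skipped.
PREDECESSORS = {
    Phase.PLATFORM_NEGOTIATION: {None},
    Phase.PROVISIONING_INITIALIZATION: {Phase.PLATFORM_NEGOTIATION},
    Phase.CREDENTIAL_DISCOVERY: {Phase.PROVISIONING_INITIALIZATION},
    Phase.KEY_INITIALIZATION: {Phase.PROVISIONING_INITIALIZATION,
                               Phase.CREDENTIAL_DISCOVERY},
    Phase.PROVISIONING_FINALIZATION: {Phase.PROVISIONING_INITIALIZATION,
                                      Phase.CREDENTIAL_DISCOVERY,
                                      Phase.KEY_INITIALIZATION},
}

SUPPORTED_OPS = {"unlock"}   # only one KM operation is modelled (assumption)


class ProtocolError(Exception):
    pass


def derive_session_key(km_key, client_nonce, server_nonce):
    # Toy KDF (assumption): HMAC over both nonces under the pre-shared KM key.
    return hmac.new(km_key, client_nonce + server_nonce, hashlib.sha256).digest()


def mac_op(session_key, op):
    # Binds the operation type and target key ID to this session.
    msg = op["op"].encode() + b"|" + op["key_id"].encode()
    return hmac.new(session_key, msg, hashlib.sha256).hexdigest()


class Device:
    """Client side: holds keys and accepts the five requests only in order."""

    def __init__(self, keys, km_key):
        self.keys = keys            # key_id -> {"locked": bool}; toy key store
        self.km_key = km_key        # pre-shared key-management key (assumption)
        self.phase = None
        self.client_nonce = None
        self.session_key = None
        self.discovered = set()     # IDs the server has learned about this session

    def _enter(self, phase):
        if self.phase not in PREDECESSORS[phase]:
            raise ProtocolError(f"{phase.name} not allowed after {self.phase}")
        self.phase = phase

    def platform_negotiation(self, request):
        self._enter(Phase.PLATFORM_NEGOTIATION)
        self.client_nonce = secrets.token_bytes(16)
        return {"algorithms": ["HMAC-SHA256"], "client_nonce": self.client_nonce}

    def provisioning_initialization(self, request):
        self._enter(Phase.PROVISIONING_INITIALIZATION)
        self.session_key = derive_session_key(self.km_key, self.client_nonce,
                                              request["server_nonce"])
        return {"ok": True}

    def credential_discovery(self, request):
        self._enter(Phase.CREDENTIAL_DISCOVERY)
        # Report only keys that really exist; the server must not assume.
        self.discovered = set(self.keys)
        return sorted(self.discovered)

    def key_initialization(self, request):
        self._enter(Phase.KEY_INITIALIZATION)
        key_id = "key-" + secrets.token_hex(4)
        self.keys[key_id] = {"locked": False}
        self.discovered.add(key_id)     # a freshly created key is known too
        return {"key_id": key_id}

    def provisioning_finalization(self, request):
        self._enter(Phase.PROVISIONING_FINALIZATION)
        results = []
        for op in request["operations"]:
            ok = bool(hmac.compare_digest(op["mac"], mac_op(self.session_key, op))
                      and op["op"] in SUPPORTED_OPS
                      and op["key_id"] in self.discovered)
            if ok and op["op"] == "unlock":
                self.keys[op["key_id"]]["locked"] = False
            results.append({"key_id": op["key_id"], "op": op["op"], "ok": ok})
        self.phase = None               # session is over
        return {"status": "done", "results": results}


def run_km_only_unlock(device, km_key, target_key_id):
    """Server-side driver for a KM-only sequence (no KeyInitialization)."""
    neg = device.platform_negotiation({})
    server_nonce = secrets.token_bytes(16)
    session_key = derive_session_key(km_key, neg["client_nonce"], server_nonce)
    device.provisioning_initialization({"server_nonce": server_nonce})
    if target_key_id not in device.credential_discovery({}):
        return {"status": "not-present"}    # verified absence, not an assumption
    op = {"op": "unlock", "key_id": target_key_id}
    op["mac"] = mac_op(session_key, op)
    return device.provisioning_finalization({"operations": [op]})
```

The point of the `discovered` set is the one the post makes: an unlock (or any other KM operation) is only honoured for a key the device itself reported during CredentialDiscovery or created during KeyInitialization in this session, so a server that skips discovery and guesses at key IDs gets `ok: False` instead of silently operating on a key that may not exist.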