Ben Laurie wrote:
So, an executive summary of your responses appears to be "EKMI leaves all the hard/impossible problems to be solved by components that are out of scope".
A more optimistic way of putting this, Ben, is to state that EKMI allows domain-experts of underlying components to address the complex issues of their domain in ways that they deem best, while providing value on top of those components. I see no reason to reinvent any of the components - despite their imperfections - when they serve my purpose very well. The business goal here is not cryptographic elegance or perfection, but a solution to a problem without creating new vulnerabilities.
As such, I'm not seeing much value.
That may be because you are a cryptographer. If you were the CSO, an Operations Director, or an Application Developer in a company that had to manage encryption keys for 5,000 POS Terminals, 10,000 laptops, desktops and servers across multiple data-centers and 400 stores, you would see it very differently.
Is there anything other than key escrow that's actually in scope?
Yes. - The <KeyUsePolicy> element in SKSML tells conforming applications how to use the symmetric key, where to use it, when to use it, for what purpose, for how many transactions, etc. - The <KeyCachePolicy> element tells SKSML clients whether they may cache keys, and if they may, how many of them and for how long so that conforming applications can continue to use keys even when disconnected from the central key-management server. Arshad Noor StrongAuth, Inc. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]