IEEE P1619.3 Plan for 2010

Matt Ball, IEEE Security in Storage Working Group Chair

Walt Hubis, IEEE P1619.3 Task Group Chair

Version 1 — January 19, 2010

Overview

This document [source, posting] describes the plans for the IEEE P1619.3 Task Group for the 2010 calendar year.

Background

The IEEE P1619.3 Task Group was formed in February 2007, with the following Title, Scope, and Purpose:

Title:

Draft Standard for Key Management Infrastructure for Cryptographic Protection of Stored Data

Scope:

This standard specifies an architecture for the key management infrastructure for cryptographic protection of stored data, describing interfaces, methods and algorithms.

Purpose:

This standard defines methods for the storage, management, and distribution of cryptographic keys used for the protection of stored data. This standard augments existing key management methodologies to address issues specific to cryptographic protection of stored data. This includes stored data protected by compliant implementations of other standards in the IEEE 1619 family.

In early 2009, a consortium brought forward the "Key Management Interoperability Protocol" (KMIP) into the OASIS standards organization.  This new standard has much in common with the scope and purpose of P1619.3.  Many people have asked whether P1619.3 is still relevant with the presence of OASIS KMIP.  We believe the answer is "yes".

2010 Plan for P1619.3

Overall, the existing of KMIP has benefitted the P1619.3 effort because it is now possible to leverage the KMIP standard — which (as of January 2010) is in public review and nearly complete — as the basis for the low-level key management functions, and position P1619.3 as a KMIP profile that adds on enterprise-class additions to make it suitable for key management in a storage encryption environment.

In reviewing KMIP, the P1619.3 task group plans to enhance KMIP with the following extensions:

  1. Start with the KMIP binary format and the ‘Symmetric Key Foundry’ and ‘Symmetric Key Store’ profiles
  2. Create an XML WSDL that is a mechanical translation of a subset of the KMIP binary protocol, and add on P1619.3-specific extensions.  The KMIP binary primitives have a clean mapping into standard XML-Schema objects, and this work has already been completed by at least two members of the KMIP consortium, for a proof-of-concept.
  3. Add in the P1619.3 Namespace work.  KMIP does not appear to define any namespaces, but relies on the users to hopefully create identifiers that are unique (actually, the only requirement is that they are unique in the local server context).
  4. Define concrete default port bindings for the XML P1619. 3 services, through IANA.  KMIP is currently planning to reserve a port through IANA for both the client and server implementation of the binary KMIP format.
  5. Define an enrollment protocol.  KMIP doesn't do this, but assumes that you've already white-listed the certificates used for the SSL/TLS channel.  The current proposal for this is the Sun KMS Agent Toolkit enrollment service.
  6. Define a discovery protocol.  As a starting point, we could use the discovery protocol as implemented in the Sun KMS Agent Toolkit.
  7. Define an XML-based key backup format for interchangeable archiving keys from a key management server.
  8. Define the use of WS-Security for further authenticating messages within a TLS channel (i.e., the TLS channel itself could have one level of authentication — based on the client certificate — but could be a proxy for other clients that use WS-Security for their authentication)

Strawman schedule for completing P1619.3

Currently, the P1619.3 PAR (Project Authorization Request) is set to expire on December 31, 2011, so we have almost 2 years left to complete the project and deliver the draft to IEEE.  This should be enough time to complete the remaining work, and if not, it is possible to get a 1-2 year extension, if needed.

Many members of P1619.3 are also members of OASIS KMIP, and the previous push was to get the KMIP 1.0 specification out to public review. Now that KMIP 1.0 is in public review, P1619.3 members have more time to focus on completing P1619.3.

Here is a strawman schedule for completing P1619.3 by the end of 2010:

·         January 2010: Decide as a group what will go in to P1619.3 (this document)

·         February 2010: Complete high priority action items for KMIP and Specification integration.

·         March 2010: Complete XML mapping of KMIP binary protocol

·         April 2010: Complete Enrollment and Discovery protocol

·         May 2010: XML based key backup definition

·         June 2010: Complete specification initial draft

·         July 2010: Start Sponsor Ballot

·         Oct 2010: Complete Sponsor Ballot and submit to IEEE

·         Dec 2010: IEEE approves standard

·         June 2011: IEEE publishes standard (typical 6 month delay between approval and publication)