(Source http://xml.coverpages.org/ni2009-02-27-a.html)
Brocade, EMC/RSA, HP, IBM, LSI, NetApp, Seagate, and Thales e-Security launched an initiative with OASIS to address the requirements for interoperable key management features for enterprise storage.
KMIP (key management interoperability protocol) "establishes a single, comprehensive protocol for communication between enterprise key management servers and cryptographic clients. By defining a protocol that can be used by any cryptographic client, ranging from a simple automated electric meter to very complex disk-arrays, KMIP enables enterprise key management servers to communicate via a single protocol to all cryptographic clients supporting that protocol. Through vendor support of KMIP, an enterprise will be able to consolidate key management in a single enterprise key management system, reducing operational and infrastructure costs while strengthening operational controls and governance of security policy. KMIP addresses the critical need for a comprehensive key management protocol built into the information infrastructure, so that enterprises can deploy effective unified key management for all their encryption, certificate-based device authentication, digital signature, and other cryptographic capabilities."
Initial supporting entities for KMIP included Brocade, Cisco, EMC/RSA, HP, IBM, LSI, NetApp, Seagate, and Thales e-Security. Additional statements of support have been received (corporate or individual) from Algorithmic Research (Arx), Axway Software, BeCrypt, CipherOptics, Dajeil, Election Systems and Software, Emulex, Lexmark International, MIT, Mitre Corporation, NIST, Oracle, PayPal, PGP Corporation, Quantum, Red Hat, SafeNet, Skyworth TTG, Sun Microsystems, Symantec, US Department of Defense (DoD), Valicore, Venafi, Verisign, and others.
The OASIS KMIP Technical Committee "will develop specification(s) for the interoperability of key management services with key management clients. The specifications will address anticipated customer requirements for key lifecycle management (generation, refresh, distribution, tracking of use, life-cycle policies including states, archive, and destruction), key sharing, and long-term availability of cryptographic objects of all types (public/private keys and certificates, symmetric keys, and other forms of 'shared secrets') and related areas."
The problem addressed by KMIP, according to the published FAQ document, is "primarily that of standardizing communication between encryption systems that need to consume keys and the key management systems that create and manage those keys. Being able to encrypt and retain access to data requires that encryption keys be generated and stored. To date, organizations deploying encryption have not been able to take advantage of interoperability across encryption and the key management systems. By defining a low-level protocol that can be used to request and deliver keys between any key manager and any encryption system, KMIP enables the industry to have any encryption system communicate with any key management system. Through this interoperability, companies will be able to deploy a single enterprise key management infrastructure to manage keys for all encryption systems in the enterprise that require symmetric keys, asymmetric keys pairs, certificates and other security objects..."
Planned deliverables from the OASIS KMIP TC include:
(1) Revised KMIP Specification, which defines the normative expression of the protocol, including objects, attributes, operations and other elements;
(2) Updated KMIP Usage Guide, which provides illustrative and explanatory information on implementing the protocol, including authentication profiles, implementation recommendations, conformance guidelines and security considerations;
(3) Revised document for KMIP Use Cases and Test Cases, which supplies sample use cases for KMIP, test cases for implementing those use cases, and examples of the protocol implementing those test cases;
(4) Updated KMIP FAQ Document, to provide guidance on what KMIP is, the problems it is intended to address, and other frequently asked questions.
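The FAQ excerpt above describes KMIP only as "a low-level protocol that can be used to request and deliver keys", and the deliverables list mentions objects, attributes and operations without showing any of them. The following is an added example, not code from this page, from OASIS or from any KMIP vendor: a minimal encoder and a strict decoder for the TTLV (Tag, Type, Length, Value) wire format the KMIP specification defines, used to build the Get request with which a client asks a key manager for a cryptographic object by its Unique Identifier, and the Destroy request that retires it. The tag numbers, type codes and operation values are the ones assigned in the KMIP 1.0 specification (only the handful the example needs); the identifier key-1234 is constructed for the example; the TLS channel that real KMIP traffic is carried over, and the server side, are not shown.

```python
import struct

# KMIP wire format (TTLV): Tag (3 bytes) | Type (1 byte) | Length (4 bytes, big-endian)
# | Value, padded with zero bytes to a multiple of 8. The tag and type numbers below are
# the values assigned in the KMIP 1.0 specification; only the items this example needs.
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07

TAG = {
    "RequestMessage": 0x420078,
    "RequestHeader": 0x420077,
    "ProtocolVersion": 0x420069,
    "ProtocolVersionMajor": 0x42006A,
    "ProtocolVersionMinor": 0x42006B,
    "BatchCount": 0x42000D,
    "BatchItem": 0x42000F,
    "Operation": 0x42005C,
    "RequestPayload": 0x420079,
    "UniqueIdentifier": 0x420094,
}
TAG_NAME = {v: k for k, v in TAG.items()}

OPERATION_GET = 0x0A      # Operation enumeration value for Get
OPERATION_DESTROY = 0x14  # Operation enumeration value for Destroy


def _pad8(b: bytes) -> bytes:
    """Pad a value to the 8-byte boundary TTLV requires."""
    return b + b"\x00" * (-len(b) % 8)


def encode(item) -> bytes:
    """Encode one (tag_name, type, value) item; a STRUCTURE value is a list of child items."""
    tag, typ, value = item
    if typ == STRUCTURE:
        body = b"".join(encode(child) for child in value)
    elif typ == INTEGER:
        body = struct.pack(">i", value)   # 32-bit signed; padded to 8 bytes below
    elif typ == ENUMERATION:
        body = struct.pack(">I", value)   # 32-bit unsigned
    elif typ == TEXT_STRING:
        body = value.encode("utf-8")
    else:
        raise ValueError(f"unsupported TTLV type {typ:#x}")
    # Length is the unpadded value length; the padding follows the value on the wire.
    return TAG[tag].to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body)) + _pad8(body)


def decode(data: bytes) -> list:
    """Strictly decode a sequence of TTLV items; every peer-supplied length is checked first."""
    items, offset = [], 0
    while offset < len(data):
        if offset + 8 > len(data):
            raise ValueError("truncated TTLV header")
        tag = int.from_bytes(data[offset:offset + 3], "big")
        typ = data[offset + 3]
        length = struct.unpack(">I", data[offset + 4:offset + 8])[0]
        end = offset + 8 + length + (-length % 8)   # value plus its padding
        if end > len(data):
            raise ValueError("TTLV length exceeds buffer")
        raw = data[offset + 8:offset + 8 + length]
        if typ == STRUCTURE:
            value = decode(raw)
        elif typ == INTEGER and length == 4:
            value = struct.unpack(">i", raw)[0]
        elif typ == ENUMERATION and length == 4:
            value = struct.unpack(">I", raw)[0]
        elif typ == TEXT_STRING:
            value = raw.decode("utf-8")
        else:
            raise ValueError(f"unsupported or malformed item: type {typ:#x}, length {length}")
        items.append((TAG_NAME.get(tag, f"{tag:#08x}"), typ, value))
        offset = end
    return items


def request(operation: int, unique_identifier: str):
    """Build a KMIP 1.0 request with one batch item; Get and Destroy both take a Unique Identifier."""
    return ("RequestMessage", STRUCTURE, [
        ("RequestHeader", STRUCTURE, [
            ("ProtocolVersion", STRUCTURE, [
                ("ProtocolVersionMajor", INTEGER, 1),
                ("ProtocolVersionMinor", INTEGER, 0),
            ]),
            ("BatchCount", INTEGER, 1),
        ]),
        ("BatchItem", STRUCTURE, [
            ("Operation", ENUMERATION, operation),
            ("RequestPayload", STRUCTURE, [
                ("UniqueIdentifier", TEXT_STRING, unique_identifier),
            ]),
        ]),
    ])


def find(item, name):
    """Depth-first search for the value of the first item tagged `name`; None if absent."""
    tag, typ, value = item
    if tag == name:
        return value
    if typ == STRUCTURE:
        for child in value:
            found = find(child, name)
            if found is not None:
                return found
    return None


if __name__ == "__main__":
    wire = encode(request(OPERATION_GET, "key-1234"))   # key-1234 is a constructed identifier
    print(wire.hex())
    message = decode(wire)[0]
    print("operation", hex(find(message, "Operation")), "id", find(message, "UniqueIdentifier"))
```

The decoder is deliberately strict: every length field comes from the peer, and a TTLV parser that slices on it without first checking it against the buffer (and against the fixed 4-byte size of Integer and Enumeration values) is the usual way a key-management endpoint acquires a parsing bug. The same encoder carries any operation in the Operation enumeration; swapping OPERATION_GET for OPERATION_DESTROY changes one value and nothing else on the wire.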