OASIS Key Management Interoperability Protocol (KMIP) Technical Committee

The KMIP Technical Committee will develop specification(s) for the interoperability of key management services with key management clients. The specifications will address anticipated customer requirements for key lifecycle management (generation, refresh, distribution, tracking of use, life-cycle policies including states, archive, and destruction), key sharing, and long-term availability of cryptographic objects of all types (public/private keys and certificates, symmetric keys, and other forms of "shared secrets") and related areas.

The initial goal is to define an interoperable protocol for standard communication between key management servers, and clients and other actors which can utilize these keys. Secure key management for TPMs (Trusted Platform Modules) and Storage Devices will be addressed. The scope of the keys addressed is enterprise-wide, including a wide range of actors: that is, machine, software, or human participants exercising the protocol within the framework. Actors for KMIP may include:

• Storage Devices
• Networking Devices
• Personal devices with embedded storage (e.g. Personal Computers, Handheld Computers, Cell Phones)
• Users
• Applications
• Databases
• Operating Systems
• Input/Output Subsystems
• Management Frameworks
• Key Management Systems
• Agents

Out of scope areas include:

• Implementation specific internals of prototypes and products
• Multi-vendor Key Management facility mirrors or clusters
• Definition of an architectural design for a central enterprise key management or certificate management system other than any necessary models, interfaces and protocols strictly required to support interoperability between Actors in the multi-vendor certificate and key management framework.
• Framework interfaces not dedicated to secure key and certificate management
• Certain areas of functionality related to key management are also outside the scope of this technical committee, in particular registration of clients, server-to-server communication and key migration.
• Bindings other than tag-length-value wire protocol and XSD-based encodings.

The deliverables for the KMIP Technical Committee are anticipated to include the following:

• Revised KMIP Specification v0.98. This provides the normative expression of the protocol, including objects, attributes, operations and other elements. A Committee Specification is scheduled for completion within 12 months of the first TC meeting.
• Revised KMIP Usage Guide v0.98. This provides illustrative and explanatory information on implementing the protocol, including authentication profiles, implementation recommendations, conformance guidelines and security considerations. A Committee Specification is scheduled for completion within 12 months of the first TC meeting.
• Revised KMIP Use Cases and Test Cases v0.98. This provides sample use cases for KMIP, test cases for implementing those use cases, and examples of the protocol implementing those test cases. A Committee Specification is scheduled for completion within 12 months of the first TC meeting.
• Revised KMIP Frequently Asked Questions. This document provides guidance on what KMIP is, the problems it is intended to address and other frequently asked questions.

KMIP, as defined in the above deliverables, will be scoped to include the following:

1. Comprehensive Key and Certificate Lifecycle Management Framework
   1. Lifecycle Management Framework to Include:
      1. Provisioning of Keys and Certificates
         1. Creation
         2. Distribution
         3. Exchange/Interchange
         4. Auditing
      2. Reporting
      3. Logging (Usage tracking)
      4. Backup
      5. Restore
      6. Archive
      7. Update/Refresh
      8. Management of trust mechanisms between EKCLM (Enterprise Key and Certificate Lifecycle Management) actors only as necessary to support EKCLM
   2. Comprehensive Key and Certificate Policy Framework to include:
      1. Creation
      2. Distribution
      3. Exchange/Interchange
      4. Auditing
      5. Reporting
      6. Logging (Usage tracking)
      7. Backup
      8. Restore
      9. Archive
      10. Update/Refresh
      11. Expectation of Policy Enforcement
          1. At endpoints
          2. At Key Manager
          3. At intermediaries between endpoints and Key Manager facility
   3. Interoperability between Machine Actors in performing all aspects of A) and B), and addressing:
      1. pre-provisioning and late binding of keys and certificates
      2. support for hierarchical or delegation or direct models
      3. actor discovery and enrollment as necessary to support ECKLM
      4. key, certificate and policy migration
      5. audit and logging facilities
   4. General Capabilities may include:
      1. Secure and Robust Mechanisms, Techniques, Protocols and Algorithms
      2. Recovery capabilities, only as needed by interoperable interfaces, anticipating power failure, or other common failures of automated Actors
      3. Forward compatibility considerations
      4. Interface to Identity Management facilities as necessary for A) and B)
      5. Interface to Enterprise Directory facilities as necessary for A) and B)

KMIP TC will also support activities to encourage adoption of KMIP. This would likely include:

• Interoperability sessions to test effectiveness of the specification
• Reference implementations of KMIP functionality

The KMIP TC is anticipated to operate under RF on RAND.

KMIP is intended for the following audiences:

• Architects, designers and implementers of providers and consumers of enterprise key management services.

Work group business and proceedings will be conducted in English.