Ten little Soldiers

Ten little Soldier boys went out to dine;

One choked his little self and then there were nine.

Agatha Christie, And Then There Were None

The number of key management standards has grown dramatically in the past few years, and now there are over a dozen of them either completed or being worked on. With that many different standards, it’s sometimes hard to keep track of exactly what has been defined and in which document. Luckily, there’s a good summary of all of the different efforts here.

Not all of these standards overlap. Some just tell you what you need to do, but they don't tell you how to do it. Others tell you how to do it in a precise, interoperable way. The older standards tend to be the ones that just tell you what to do. The newer ones actually tell you how to do it.

We’re now seeing two interoperability standards emerge as the ones that vendors will actually implement, and we’ve now seen the first key management standard admit that it’s going nowhere. This happened yesterday when Arshad Noor, the person driving the Enterprise Key Management Infrastructure standard, withdrew his support from it. Here’s what he said about this:

I believe the policies at OASIS make it difficult to put out a coherent message [on key-management] that benefits users in the IT industry. In light of the following facts:

* that charter members of the KMIP TC chose not to engage with the EKMI TC despite observing its activities for over two years [from within the OASIS EKMI TC];

* that some of [the KMIP charter members] were surreptitiously working on [the KMI] protocol while giving the appearance of engaging with [the IEEE 1619.3] industry standards group;

* that OASIS facilitated the creation of a new TC with overlapping charters rather than encourage charter members of the KMIP TC to engage in a constructive discussion with an existing OASIS TC that has a Committee Specification; and

* that there is nothing in OASIS policy to prevent yet another splinter group from the KMIP charter members to start yet another [key-management] related TC within OASIS, if it serves the splinter group's purposes

it appears that OASIS' policies are more sympathetic to IT vendors than to IT customers. In light of this, I believe that the [key-management] industry is better served by having the EKMI vision evolve in the 'do-or-die' competitive environment of the global open-source community, where technology and standards are largely driven by IT users than by vendors.

In other words, it looks like he’s throwing in the towel because EKMI never found support from other vendors. That’s definitely not a problem with the other two leading standards, the IEEE P1619.3 standard and the OASIS Key Management Interoperability Protocol (KMIP). The big storage and security vendors are still backing them, and we’ll probably see them both supported in shipping products before too long. Don't be surprised if other key management standards join EKMI soon. There are still too many of them.
