Oasis group aims to simplify crypto-key management

Open-standards consortium Oasis has formed a group to devise a standard aimed at allowing encryption products to work easily with business applications and with each other.

Group members include IBM, Cisco, EMC, HP, PGP Corporation, Symantec and the US National Institute of Standards and Technology (NIST).

The Oasis group, called the Key Management Interoperability Protocol (KMIP) Technical Committee, will aim to define a single protocol for communication between encryption systems and enterprise applications, to cover such things as email, databases and storage devices. The companies participating in the new group submitted a key-management interoperability standard to Oasis in February.

Key-management interoperability is "vital" for businesses to be able to successfully implement encryption and protect data, according to Jamie Cowper, PGP's EMEA marketing manager.

"With the best will in the world, businesses are never going to be using a single encryption product, or a single company to provide that," Cowper told ZDNet UK on Thursday. "It's great to see key members of the security and encryption community working together and recognising the business need for key-management interoperability."

Key management is a problem for businesses, according to Cowper. As more documents are encrypted throughout an enterprise or shared with third parties, keys proliferate. Managing the administration of those keys until they are revoked is a problem that is exacerbated as companies grow, said Cowper.

"Encryption is really just a standard," said Cowper. "To strongly protect and decrypt in an automated way is the clever bit."

The Oasis KMIP group aims to provide a protocol that will enable interoperability of products throughout a key's lifecycle, which includes the generation, submission, retrieval and deletion of cryptographic keys. KMIP will support symmetric and asymmetric keys, digital certificates and other shared secrets.