Policy-based cryptographic key management: experience with the KRP project

Policy-based cryptographic key management is powerful, flexible method of creating, distributing, protecting, and destroying cryptographic keys in accordance with an organizational policy governing information security. The Policy-Controlled Cryptographic Key Release project addressed one part of key management. The goals included: (1) developing a formal language for specifying policies indicating to whom and under what conditions a cryptographic key could be accessed; (2) implementing a prototype system for administering (i.e., enforcing) these policies; and (3) experimenting with automated verification tools which analyzed the policies for consistency and completeness. The requirements for the key release policy language and administering systems are identified; the initial language and system design are described; and the lessons learned from the project are summarized. An example key release policy is included