ON THE ROADICMC 2026 · Arlington, VA · Mon, Apr 20
Demystify KMIP: a night in Washington
Monday afternoon, Arlington. Cryptsoft's CTO Tim Hudson takes a red-lit podium and, with the calm of someone twenty-five years into the work, sets out to dismantle a stubborn assumption: that centralised key management is, by definition, a single point of failure. A transmission from ICMC 2026 — the room, the talk, and a late dinner one block from the White House.
MZ
By Magdalena Zdunkiewicz
On the road with Cryptsoft · 6 min read
[ Above ]Tim Hudson, CTO, Cryptsoft — opening the Crypto Infrastructure Day session at the Renaissance Arlington Capital View.
i.The TalkK02b · 14:00
Centralised key management, without centralised failure.
The title slide goes up — CRYPTSOFT. Demystify KMIP. How centralised key management eliminates single points of failure — and the room settles. A good crypto audience has a particular quality: attentive, unhurried, sceptical by trade. ICMC 2026 is full of them. Fourteen years in, this is where the people who build, certify and deploy cryptographic modules come to compare notes — and this year, the conversation is almost entirely about post-quantum, and what it will cost.
Tim has been giving talks like this one for decades — OpenSSL, KMIP, multi-vendor interop — and there is a style to it now. He takes the assumption most engineers arrive with — that "centralised" and "single point of failure" are synonyms — and pulls it apart. Centralisation isn't the enemy. Undisciplined centralisation is.
The argument runs like this. A key-management server isn't a box in a rack; it is a role. Under KMIP, that role is played by servers from many vendors, speaking one open protocol, holding managed objects whose lifecycle — create, activate, rotate, revoke, destroy — belongs to the standard, not to any single implementation. Clients neither know nor care which vendor they're talking to this quarter. The protocol is the contract.
Done well, that's exactly what the audit committee asks for: one policy-governed place where every key's lifecycle can be observed and controlled — and the freedom to run multiple servers in parallel, across regions, hardware and vendors, with clients failing over between them untouched. It's the line the talk keeps returning to: centralised policy, distributed availability.
KMIP — the Key Management Interoperability Protocol — is an OASIS standard that lets a key-management server and its clients speak the same language regardless of vendor. It covers the full lifecycle of a cryptographic object: create, activate, rotate, revoke, destroy.
Cryptsoft maintains Client and Server SDKs in C, C++, C#, Java and Python, with full OASIS KMIP compliance from v1.0 through v3.0 — the first PQC-ready version of the standard — embedded inside products from many of the world's largest storage, security and cloud vendors.
{{ k.n }}
{{ k.l }}
He moves through it without theatrics — the Cryptsoft starburst ticking quietly in the corner of each slide. KMIP v3.0. ML-KEM, ML-DSA, SLH-DSA. Harvest-now-decrypt-later, framed not as a slogan but a scheduling problem: every record captured today becomes a decrypted record the moment a cryptographically relevant quantum computer arrives. The only insurance is to have finished the migration before it does.
He closes on the line Cryptsoft has been saying for a decade — centralised key management eliminates single points of failure, provided you build it right — and this time, in a room of people who certify cryptographic modules for a living, nobody argues. By the time the deck lands on Q&A, three or four hands are already up.
K02B / CRYPTO INFRASTRUCTURE DAY — STUDIO E, RENAISSANCE ARLINGTON
ii.The Room14:30 · Q&A
A chandelier the colour of amber, and a serious audience.
The room at the Renaissance Arlington is all warm amber — drum chandeliers, a geometric carpet, a low platform. It's a room that wants to be listened to. In front of it: thirty-odd delegates — FIPS testers, CTOs, standards people, engineers from three continents. ICMC is small enough that everyone knows each other's work, and large enough that they haven't all met.
The questions run long — how KMIP v3.0 handles hybrid PQC, whether ML-KEM managed objects sit cleanly in an existing key hierarchy, what "interoperable" means when three vendors each claim it. Tim answers in his usual register: directly, with the version number in hand, occasionally deflecting a hypothetical with a real war-story.
It is, in the end, a working-engineer's talk — the right register. No one here needs to be told quantum is coming; they want to know which SDKs have shipped, which standards are stable, and whose implementations have actually been tested against each other. KMIP — and Cryptsoft's posture of doing key management and nothing else — fits the brief almost exactly.
[ by the numbers ]OASIS KMIP TC interop, 2011–2025
{{ n.val }}{{ n.unit }}
{{ n.label }}
Cryptsoft is the only vendor to have participated in every OASIS KMIP Technical Committee interop since the protocol began — including the March 2025 PQC round that cleared all 1,452 ML-KEM, ML-DSA and SLH-DSA test vectors alongside TLS 1.3 hybrid key agreement.
iii.The Night19:30 · 14th & G St NW
Dinner at La Grande Boucherie, one block from the White House.
Session wraps. Last question. The slow pour of people into the Renaissance lobby — green sculpted carpet, ribbon chandelier — and the evening moves downtown. La Grande Boucherie sits on the corner of 14th and G Street NW, the most high-profile block in Washington, one street from the White House.
It's a deliberate room: elegant, ornamental, Art Nouveau. Mahogany and glass partitions. Gilded accents. Curved arches. A massive curved bar, metal top imported from Paris — exactly where you want to be on a Monday night in April after seven hours of cryptographic standards.
The conversation drifts, as it always does: from the session just finished to the ones still ahead, from interop to interop, from signing schemes to cooking temperatures.
LA GRANDE BOUCHERIE / 699 14TH ST NW / THE GILDED CEILING
It's a good room for a post-talk dinner. It's also, in its way, the afternoon's thesis in built form: a big, complex, much-admired space held together by careful, centralised work — structure, attention, repair — invisible when it's done well. Which is about as close as a restaurant review gets to key management.
Back at the hotel near midnight, the atrium is still lit: bronze ribbon sculpture, tall chandelier, the green river-pattern carpet. Tim's back in Studio E tomorrow, along with most of the room. Focus-day runs through Thursday; by then the Cryptsoft booth, the OpenSSL team, the OASIS regulars and the cert-lab contingent will each have said a version of the same sentence about fifty times: well, at least the standards bodies agree on something this year.
For an afternoon, in Arlington, they did.
RENAISSANCE ARLINGTON CAPITAL VIEW — ATRIUM, LOUNGE, SOCCI
Twenty-five years in, the short version stays short: if it's standards-based, interoperable, and you want it still working in a post-quantum world — we probably already ship it.