Dual Control for High Security Network Initialization


SAKEM allows a unique form of dual control for high security network initialization. This is great for the strictest standards of cryptographic key management.

When network security is a foremost concern, the initialization procedures are proportionately as critical as in any other case, but the suitable options are just as few. Initializing security devices encompasses the configuration of one or more cryptographic keys or shared secrets. The organization overseeing the secure network operations needs assurance that keys are not configured maliciously.

Generally, this is achieved by mandating a trusted person to do the initialization. Because a single person would be too empowered, operating rules and standards usually call for dual control over the initialization operation. But in practice the dual control strategy is seldom effective: because very similar functions are performed by the two persons, they share the same background, and often the work location and the same boss. Moreover, it is very difficult to prevent the simple cost-saving strategy of assigning a single person to do the two complementary operations (sometimes the mere presence of two trusted persons at a remote location is problematic).

The SAKEM procedure offers an alternative method of providing dual control, with intrinsic role differentiation, and with the added benefit of lower operating costs. Specifically, the applicant's role and the issuer agent's role in the verification of identity are both performed by trusted persons of the organization.
