[Federal Register Volume 64, Number 129 (Wednesday, July 7, 1999)]
[Notices]
[Pages 36672-36673]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-17234]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 990608155-9155-01]
RIN 0693-ZA31]
Technical Advisory Committee Report: Requirements for Key
Recovery Products
AGENCY: National Institute of Standards and Technology (NIST),
Commerce.
ACTION: Notice; request for comments.
-----------------------------------------------------------------------
SUMMARY: The Department of Commerce seeks public comment on
``Requirements for Key Recovery Product,'' encompassing technical
recommendations prepared by the ``Technical Advisory Committee to
Develop a Federal Information Processing Standard for the Federal Key
Management Infrastructure.'' The Committee was established by the
Department to provide technical advice on an encryption key recovery
standard for use by Federal agencies to provide for the continued
government access to encrypted information in the event of the
unavailability (e.g., loss due to unavailability of critical personnel)
of the encryption/decryption key(s). The Committee held its final
meeting in November, 1998, and subsequently delivered its work to the
Secretary of Commerce. Notwithstanding the availability of
opportunities for public input to the Committee's activities, the
Committee's technical report and significance makes them worthy of
additional public discussion and comment. Comments are also sought as
to actions that the Department may wish to take as it contemplates
using this report as the basis for a Federal key recovery standard.
DATES: Comments should be submitted no later than November 4, 1999.
REPORT AVAILABILITY AND ADDRESSES: The report is available
electronically from the Committee's homepage at <>http://csrc.nist.gov/
tacdifipsfkmi/ . Electronic comments on the report may be
sent to Key-recovery@nist.gov.
A hard copy of the report is available by request from NIST,
Information Technology Laboratory, Attention: Review of Key Recovery
Committee Report, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-
8930. Written comments may also be sent to this address.
FOR FURTHER INFORMATION CONTACT: Edward Roback, Executive Secretary,
Technical Advisory Committee to Develop a Federal Information
Processing Standard for the Federal Key Management Infrastructure,
telephone 301-975-3696.
SUPPLEMENTARY INFORMATION: The ``Technical Advisory Committee to
Develop a Federal Information Processing Standard for the Federal Key
Management Infrastructure'' was chartered by the Department of Commerce
in 1996 to seek industry recommendations on technical specifications
for accomplishing the recovery of keys used for encryption (as opposed
to keys used solely for digital signatures, which should not be
recoverable, since a new signature key pair is normally created in
event of loss). The Committee was comprised of 24 members drawn from
the private sector with expertise in computer systems,
telecommunications, banking, security, research and other pertinent
areas. Its activities were augmented by liaisons from various Federal
agencies, who provided input and perspective to the Committee as to the
security and functional key recovery requirements of Federal agencies.
Twelve meetings of the Committee were held between December 1996 and
November 1998. The progress that the Committee made on various drafts
of its report may be seen on the Committee's electronic homepage at
.
In June 1998, the Committee delivered an interim work product to
the Secretary, requested additional time to complete its work, and
suggested that work on detailed implementation guidance be initiated,
noting that such guidance will be essential to the successful
deployment of any key recovery system (since many aspects of key
recovery system security [e.g., integration of key recovery products
into an application/operational system or usage policy] were outside
the scope of the Committee's work). The Committee also urged pursuit of
conformance testing based upon the model employed for Federal
Information Processing Standard (FIPS) 140.1, Security of Cryptographic
Modules. In response to the request for additional time, the Department
extended the charter of the Committee through the end of 1998 and urged
the Committee to use the remaining time to complete its review of the
document,
[[Page 36673]]
resolve inconsistencies and address any remaining issues.
Because this technical input was requested in anticipation of
developing a FIPS on key recovery, the format of the Committee's report
parallels that of a FIPS. However, since the Committee was chartered
only to address technical issues, some areas (e.g., ``applicability''
and ``waiver process'') contained in a FIPS were not addressed by the
Committee. The Committee noted in their draft that text for these
sections would have to be supplied at a later date by the government.
In delivering its report to the Secretary, the Committee noted that
its members did not ``have time to verify the consistency and
completeness of the document as a whole'' and stated that these are
crucial. Therefore, the submission of public comments on the
consistency and completeness of the document is particularly
encouraged.
The Committee's report is divided into two major sections, an
``announcement section'' and a ``specifications section.'' The first
section is fairly pro forma and contains, among other items, a brief
explanation of the document, an index, list of appropriate
applications, notes on implementations, and a glossary. Qualifications
on the use of conforming products are also discussed. The second
section contains the detailed specifications of the document and is
divided into four chapters: (1) Overview, (2) Key Recovery Model, (3)
Security Requirements, and (4) Assurance Requirement. Four appendices
are included: (A) Key Recovery Technique (B) Examples, (C) Key Recovery
Block, and (D) Certificate Extensions.
The key recovery model utilized by the Committee throughout its
document describes five key recovery functions: (1) Key Recovery
Information Generation, (2) Key Recovery Information Delivery, (3)
Function Key Recovery Information Validation, (4) Key Recovery
Requestor and (5) Key Recovery Agent. For each of these functions, one
or more security levels is defined and functional and security
requirements provided. For each security level(s) of a function, a
corresponding assurance level is then specified with appropriate
requirements.
Dated: June 30, 1999.
Karen H. Brown,
Deputy Director.
[FR Doc. 99-17234 Filed 7-6-99; 8:45 am]
BILLING CODE 3510-CN-M
