From: Anonymous User <nobody@soda.berkeley.edu>
Date: Mon, 11 Jul 94 21:22:46 PDT
To: cypherpunks@toad.com
Subject: Gov't eyes public-key infrastructure
Message-ID: <199407120422.VAA07596@soda.berkeley.edu>
MIME-Version: 1.0
Content-Type: text/plain



 
extracted from:
 
Network World
volume 11, number 28
July 11, 1994
 
page 8, page 63
 
 
Gov't eyes plans for a public-key infrastructure
 
by Ellen Messmer
 
 
Federal agencies are mulling how to set up procedures and policy
guidelines for linking a user's identity to that person's public-key
digital signature, but costs and liability issues in certifying users
are presenting obstacles.
 
The U.S. government intends to operate a public-key certification
system for government users that will also serve the private sector,
as well. But a report just completed by Mitre Corp. for the National
Institute of Standards and Technology (NIST) puts the price tag at
$1 billion for the start-up of the government alone, with a possible
$2 billion annual operational cost for managing certificate-revocation
lists.
 
Users can sign and verify electronic documents using unique digital
signatures based on a secret cryptography key, but security experts
have long recognized that a certification system is needed so keys can
be revoked if the key is stolen or a person changes jobs.
 
According to Mitre's report, "The Public Key Infrastructure Study,"
the role of the Policy Certification Authority (PCA) could be assumed
by either the U.S. Postal Service, the Federal Reserve Board, General
Services Administration or even private-sector organizations such as
telecommunications providers and banks (see sidebar).
 
The Postal Service is eager to step into the role, said sources at
NIST, but the high price tag for operating the X.500 directory listing
public keys and revocation lists is causing some alarm. The Postal
Service declined to comment.
 
For years, the Internet Society has contemplated setting up the same
sort of trusted certificate authority. But it got bogged down almost
exclusively because of liability concerns, said Steve Kent, chief
scientist at Bolt Beranek and Newman, Inc.
 
PCAs nevertheless spring up. Trusted Information Systems, Inc., the
Massachusetts Institute of Technology and RSA Data Security, Inc. have
all set themselves up as PCAs with different policies. Apple Computer,
Inc., which now ships RSA digital signatures as part of its operating
system, offers a computerized certification request to register public
keys with RSA.
 
But while this type of certification may be fine for use in some
commercial purchases, it would not be sufficient at Northen Telecom,
Inc. (NTI), which intends to use digital signatures in multimillion-
dollar transactions, noted Brian O'Higgins, director of security
networks at NTI.
 
O'Higgens said NTI is testing its own system for issuing digital
signature certificates to all employees. "It's easy to do within one
enterprise," O'Higgins said. "But the interenterprise applications
hasn't started to happen, and that's where a government public-key
infrastructure would help."
 
A new study on legal issues faced by the government in the effort
warns that a federal certificate authority must establish strict
equipment and personnel requirements for the certificate-issuance
process and accept some liability for improper actions.
 
The study, "Federal Certification Authority Liability and Policy,"
authored by Michael Baum, principal at Independent Monitoring in
Cambridge, Mass., points out that the federal government can claim
sovereign status protecting it from lawsuits.
 
But in his report, Baum notes that the commercial sector will not be
ready to accept public-key certificates issued by the government for
use in electronic commerce unless the government accepts some
liability for its actions.
 
"This is the foundation on which electronic commerce will be built,"
he said.
 
Setting clear security for both the equipment and personnel involved
is issuing public-key certificates make sense, added O'Higgins.
 
"We absolutely have to have a security policy in this," he said.
 
 
 
(side bar)
 
    PKI pyramid lexicon
 
Policy Approving Authority (PAA)
 Creates overall guidelines for the Public
 Key Infrastructure and may also certify
 PCA public keys.
 
Policy Certification Authority (PCA)
 Establishes policy for all certification
 authorities and users within its domain,
 and approves CA public keys.
 
Certification Authority (CA)
 Certifies public keys for users in a manner
 consistent with PCA and PAA policies.
 
Organizational Registration Authority
 Acts as an intermediary between a CA and a
 user to vouch for the identity and affiliation
 of the user.
 


------------
To respond to the sender of this message, send mail to
remailer@soda.berkeley.edu, starting your message with
the following 8 lines:
::
Response-Key: ideaclipper

====Encrypted-Sender-Begin====
MI@```%ES^P;+]AB?X9TW6\8WR:2P&2%`$A:^X<=%2MQ&K,"#9W2V4M]H[VQ^
MB5V0!,$C6Y;FGL-L!")=HM/1UHHCI^%&V6:;UA,A]6>#S_D/01M'@Q/1-:(\
$ET'N,P``
====Encrypted-Sender-End====