From: Bill Stewart <stewarts@ix.netcom.com>
Date: Tue, 12 Aug 1997 03:45:07 +0800
To: "A. Padgett Peterson P.E. Information Security" <PADGETT@hobbes.orl.lmco.com>
Subject: Re: Feds Seek PKI Bids
In-Reply-To: <970811135334.2020461b@hobbes.orl.lmco.com>
Message-ID: <3.0.2.32.19970811123259.03057908@popd.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain



At 01:53 PM 8/11/97 -0400, A. Padgett Peterson P.E. Information Security
wrote:
>>USG published a solicitation today in the CBD for a
>>Public Key Infrastructure which outlines the system
>>requirements:
>>   http://jya.com/pkicbd.htm
>
>Interesting from what is *not* there - any mention of key recovery/key 
>escow. Looks like they may finally understand what a Certificate Authority
>is (not holding breath). Do not think much of appelations (Classic & Gold)
>and suspect they may need more than two but sounds like a good start.

I'm not sure that it's not there; I'd have to read it three or four more times
to be sure, but I got the impression it was hidden in the fine print.  
The interesting phrase, in the description of "Classic" Certs, is
	"Generation and storage of an asymmetric key pair 
	can be accomplished via software." 
and for "Gold" Certs,
	"Generation and storage of asymmetric key pairs must be performed 
	and protected in hardware."
which sounds like it's implying that the CA will generate the 
asymmetric key pairs rather than the user.  I'm sure the interesting
details are hidden in the parts that weren't in the CBD announcement,
which is normally just an abstract of a procurement.

#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#   (If this is a mailing list or news, please Cc: me on replies.  Thanks.)