4 June 1998 

Date: Thu, 04 Jun 1998 15:05:55 -0400
To: jy@jya.com
From: Edward Roback <edward.roback@nist.gov>
Subject: web references

FYI, on our web site we recently posted the DRAFT encryption key recovery
recommendations of the Technical Advisory Committee to Develop a Federal
Infomation Processing Standard for the Federal Key Management
Infrastructure.  

See  http://csrc.nist.gov/tacdfipsfkmi/ under the "June 1998" section 
[mirror below]

We also posted a draft of the Committee's transmittal letter to the
Secretary of Commerce.  

See http://csrc.nist.gov/tacdfipsfkmi/cover.txt [mirror below]

Both of these will be discussed at the Committee's meeting June 17-19.

Ed Roback, NIST




Materials from June 1998 Meeting

 

June 1998Discussion Draft Cover Letter cover.txt
[see below]
June 1998Draft Assembled Document (MS Word '97) OriginalFIPS698_Word97.doc
[NIST link]
June 1998Draft Assembled Document (MS Word 6 / '95)FIPS698_Word95.doc
[NIST link]
June 1998Draft Assembled Document text formatFIPS698.txt
[NIST link]
[Mirror on this site (222K)]




Source: http://csrc.nist.gov/tacdfipsfkmi/cover.txt

Following is a draft of the cover letter for discussion at the June 1998 TAC 
meeting...


D R A F T   (5/26/98)

Secretary of Commerce
Etc.

Dear Mr. Secretary:

I am pleased to forward to you the enclosed recommended draft of the "Technical 
Advisory Committee to Develop a Federal Information Processing Standard for the 
Federal Key Management Infrastructure" for a federal Key Recovery Standard.  
This recommendation fulfills the requirements established in the Charter 
establishing this Technical Advisory Committee, and we are cognizant of the 
steps you are obligated to take under various statutes and policies to seek 
public comment in making your determination about whether this draft should, in 
fact, become a Federal Information Processing Standard.  

In carrying out our work, we are cognizant that the market technologies for 
encryption key recovery are in the early stages of  evolution. Therefore, our 
recommendations specify functional, security, interoperability, and assurance 
requirements for key recovery functions within a TAC-defined key recovery model, 
but do not endorse any specific key recovery technology.

Since we began meeting in December, 1996, we have necessarily remained focused 
on producing a recommendation within our allocated timeframe.  Therefore, our 
recommendation addresses key recovery components (e.g., end-user products and 
key recovery agents), but does not address the assembly of components into a 
working key recovery system, or other aspects of procuring, implementing, or 
operating a key recovery system.   

As our worked progress, we took due note of a number of important parallel steps 
would assist in implementing any FIPS that you determine appropriate for federal 
government use in this area.   Thus, the TAC strongly recommends that a number 
of supporting activities be undertaken by the government in order for this 
standard to be useful and useable.  First, detailed implementation guidance 
should be developed to address, among other issues,  how agencies should 
configure products containing conforming functions into operational full key 
recovery systems.  Issues regarding the integration of key recovery systems into 
applications and procurement of key recovery services also need to be addressed.  
Operational, personnel, and managerial issues are of great importance as well.  
The TAC believes that the preparation of such guidance will require substantial 
effort, at least comparable to that of our work over the past nineteen months.  

Additionally, for security concerns, we do not support vendor self-declarations 
of conformance to this standard and urge you to pursue a conformance testing 
program along the lines of NIST's excellent (NVLAP) program for the security of 
cryptographic modules under FIPS 140-1.  This, too, is a considerable 
undertaking, but one we feel is necessary to provide agencies (and other users) 
with sufficient assurance of the quality and security of the key recovery 
products they procure.   We urge these activities be undertaken with input from 
industry and the federal community.

As you know, Committee members were appointed for their individual expertise.  
This recommendation does not have the explicit or implicit endorsement of the 
companies nor organizations with which our members are affiliated.  We request 
that as our Committee's recommendation is distributed for comment, you include 
this accompanying letter.

On behalf of the Committee, we hope you find our recommendations useful.  It has 
been our pleasure to assist the Department in developing this recommended draft 
for an encryption key recovery standard.  

Sincerely,


Dr. Stephen T. Kent,
Chairman