28 July 1998
Thanks to DS
Date: Tue, 28 Jul 1998 12:40:21 -0400
PART: U.S. GOVERNMENT PROCUREMENTS
SUBPART: SERVICES
CLASSCOD: D--Information Technology Services, including
Telecommunication
Services--Potential Sources Sought
OFFADD: DISA/D211, 5113 Leesburg Pike, Room 428, Falls Church,
VA 22041
SUBJECT: D--DOD MEDIUM ASSURANCE PUBLIC KEY INFRASTRUCTURE PROPOSAL
FOR EXTERNAL CERTIFICATE AUTHORITIES (ECAS)
POC Ms. Happy Barranco, DISA INFOSEC Program Management Office,
(703) 681-7943 or Mr. Peter G. Smingler, Contracting Officer,
(703) 681-0526
DESC: The Defense Information Systems Agency (DISA)/Defense Information
Technology Contracting Organization (DITCO) herewith issue
a Request for Information (RFI) for potential pilots of an
ECA Model. THE GOVERNMENT DOES NOT INTEND TO AWARD A CONTRACT
ON THE BASIS OF THE RFI OR TO OTHERWISE PAY FOR INFORMATION
RECEIVED IN RESPONSE TO THE RFI. Interested parties should
respond with comments no later than 27 August 1998. Subsequently,
the DOD will determine a date to begin accepting applications.
INTRODUCTION: For external business transactions using a
PKI, the DOD must operate with non-DOD entities and establish
a policy for third party trust relationships. In a public key
system, the public key must be freely accessible and the user
must have a reliable way of verifying the authenticity of public
keys. An infrastructure for managing and certifying public
keys can be based on a hierarchy or network of mutually "trusted"
certification authorities. PURPOSE: This document focuses
on the DOD's current implementation of the medium assurance
PKI and the plan to operate with parties outside the DOD. Non-DOD
entities doing business electronically with DOD must take steps
to ensure that any use of the PKI achieves a level of assurance
equivalent to the DOD PKI medium assurance, as defined in the
draft U.S. DOD Certificate Policy, thereby ensuring a satisfactory
trust relationship for DOD and non-DOD electronic transactions.
Non-DOD entities, including DOD contractors, vendors, and other
government organizations, achieve this level of assurance,
in part, by utilizing the services of ECAs to ensure the integrity
of their electronic business.
EXTERNAL CERTIFICATE AUTHORITY: In the near-term, DOD's intention
is to support interoperability by making available to the ECA community
a test and certification process. This process will ensure that ECAs
using the DOD's PKI on behalf of Non-DOD subscribers will operate at
a level of assurance equivalent to the DOD PKI medium assurance. The
DOD will certify ECAs to support interoperability with users
outside the DOD. The DOD will maintain, continuously update,
and publish a list of all certified ECAs so that contractors
and vendors may make informed decisions for ECAs to employ
for their electronic business transactions. ECAs are not required
to be certified. However, non-DOD entities who use uncertified
ECAs face a risk that the integrity of electronic transactions
will be compromised thereby. Contract clauses will be developed
to ensure that contractors are aware that any damages incurred
as a result of using an ECA, certified or not, cannot be shifted
to the Government. This document describes procedures for testing
and certifying an ECA, including assurances that must be provided
by such organizations. To permit secure interoperability between
DOD and non-DOD users, a common certification path must exist.
BECOMING A DOD-RECOGNIZED ECA: The establishment of a DOD-certified
ECA will be based on compliance with DOD policy and certification
criteria. Testing and certification will be performed by or
under the direction and control of the DOD. Since users of
the DOD PKI already trust the Root, certificates issued by
the ECA will be trusted and verifiable by DOD relying parties.
Non-DOD relying parties will also need to trust the DOD Root
in order to recognize certificates issued by the DOD PKI. ECAs
that meet the established DOD requirements will receive certificates
digitally signed by the DOD Medium Assurance Root. The DOD
Medium Assurance Root will also maintain an accurate and current
list of all certified ECAs. This listing will be publicly available
to any current or prospective DOD contractor or vendor. Acceptance
of a candidate ECA by the DOD will be based primarily, but
not exclusively, on the applicant's ability, at a minimum,
to meet the medium assurance level criteria defined in the
Draft U.S. DOD Certificate Policy, 9 March 1998. Adherence
to this policy is required as a condition of continued acceptance
of ECA issued certificates by the DOD. ECAs are required to
meet certain technical and procedural criteria as defined in
the DOD PKI Draft Functional Specification (11 May 98). This
specification references the profile of the DOD certificate.
It is essential that certificates issued by ECAs comply with
the DOD certificate profile requirements. The ECA will also
provide directory services for its clients and a Lightweight
Directory Access Protocol (LDAP) interface to its repository.
The ECA must demonstrate adequate arrangements to protect private
encryption of keys held by the ECA from improper disclosure
and use. The ECA must demonstrate adequate arrangements for
protecting the hierarchical keys upon which the secrecy of
client keys or system keys are dependent. Each potential ECA
will submit an application in the form of a Certification Practice
Statement (CPS) in the Internet Engineering Task Force Public
Key Infrastructure X.509 (IETF/PKIX) part 4 format to the DOD
PKI Policy Management Authority (PMA) Sub-Committee for approval.
Prospective ECAs can visit the IETF web site at
to reference the format.
CANDIDATE ECA REVIEW PROCESS: Candidate ECAs seeking DOD
certification shall submit to the DOD PKI Policy Management
Authority (PMA) Sub-Committee the application consisting of a CPS
in the IETF/PKIX part 4 format (reference the IETF web site for
the format) and a system design/architecture, in particular,
CA configuration parameters. The applications will be processed
and reviewed individually in the order in which they are received
by the DOD PKI PMA Sub-Committee, composed of representatives
from the National Security Agency (NSA), the Defense Information
Systems Agency (DISA), the military services, and the DOD agencies.
If the application is determined unacceptable, the DOD PKI PMA
Sub-Committee will provide written notice with the reason for the
rejection. At its discretion, the DOD PKI PMA Sub-Committee may
allow subsequent modifications or corrections from the candidate
ECA for immediate reconsideration or may require the candidate to
resubmit an application to be processed after the applications on
hand at the time of resubmission. If the application is determined
acceptable, the DOD PKI PMA Sub-Committee will conduct site inspections
and interviews. Following the site inspections and interviews,
the DOD PKI PMA Sub-Committee will either submit comments in
writing to the candidate ECA for re-evaluation or will recommend
the candidate ECA to the DOD PKI PMA. The DOD PKI PMA reserves
the right to grant exceptions for approval at any stage in
the process. The DOD PKI PMA, with senior representatives from
NSA and DISA, will review the findings and recommendations
of the DOD PKI PMA Sub-Committee and will approve or disapprove
the candidate ECA. Following approval by the DOD PKI PMA, a
Memorandum of Agreement will be generated between the DOD and
the ECA. A list of approved ECAs will be published for public
information. This procedure is not intended to create any rights
or privileges for candidate ECAs, adverse decisions may not
be appealed above the DOD PKI PMA, and judicial review is not
available. Since use of a certified ECA will not be required
by contract, certification does not create any right of action
against the Government in the contractors or vendors who subscribe
to the services of an ECA.
LIABILITY: It is DOD's intent
to provide a service for non-DOD entities wishing to use PKI
for business transactions. In the case of private industry
users, specifically DOD Contractors, the Contractors must be
informed in the contract that the ECA testing and certification
process does not create any rights in the candidate ECA or
the non-DOD entity. Matters of liability for damages from a
failure of the ECA's PKI service are properly to be covered
in the agreement between the private industry users and the
ECAs. The point of contact for technical issues concerning
this announcement is Ms. Happy Barranco, DISA at (703) 681-7943,
. DOD PKI documents referenced in this
RFI can be obtained by sending an electronic request to Ms.
Barranco. The point of contact for contractual issues is Mr.
Peter G. Smingler, Contracting Officer, DISA/D211 at (703)
681-0526.***** LLLL
EMAILADD: barranch@ncr.disa.mil
EMAILDESC: Click here to contract the DISA INFOSEC Program Management
Office via e-mail.
CITE: (W-208 SN228891)