[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

X/Open drafting requirements for global PKI

Some of you may find this useful/interesting.  I will gladly answer
questions.  Please be careful in followups and try to avoid cross-post
clutter if not necessary.

>From 100126.3211@compuserve.com Fri Mar 22 10:47:03 1996
Date: 22 Mar 96 10:42:16 EST
>From: Nick <100126.3211@compuserve.com>
To: "(unknown)" <SIG-SECURITY@osf.org>, "(unknown)" <XOSECRTG@xopen.co.uk>
Cc: Anish Bhimani Bellcore <anish@att.bellcore.com>,
        Clint Brooks <CBROOKS@ROMULUS.NCSC.MIL>,
        "Prof. William J. Caelli" <w.caelli@qut.edu.au>,
        Mark King CESG <100126.3650@compuserve.com>,
        Dorothy Denning <denning@cs.cosc.georgetown.edu>,
        David Herson <100137.1072@compuserve.com>,
        Chris Sundt ICL <C.Sundt@win0104.wins.icl.co.uk>,
        Mike Nelson <MNELSON@ostp.eop.gov>,
        Nanette Di Tosto <ditoston@btec.com>, Stephen Walker <steve@tis.com>
Subject: Open Group PKI Business Requirements
Status: RO


The Open Group (X/Open-OSF) Security Business Requirements Group (BRG) has
established a PKI TasK Group (PKI TG).

The PKI TG is collecting the high level PKI Business Requirements necessary to
balance the needs of government, commerce and private individuals in the global
PKI infrastructure required to support global electronic commerce.

The Open Group PKI TG had its first meeting at the Open Group Security BRG
meeting in San Francisco.
The draft requirements below has taken account of many government, commercial
and privacy requirements published in many sources over the past year. It
recognises the need to satisfy many governance models in the development of a
practical global PKI.

The final list of requirements will be presented to those developing high level
Global Information Infrastructure (GII) policy and supporting technical
standards. This draft has no political significance and is limited to capturing
known governance and technology drivers in a useful form.

Only after we have a consistent high level view can we usefully descend to the
lower levels of supporting standards and technology.

Open Group (OSF - X/Open)
Security Business Requirements Group (BRG)
Public Key Infrastructure Task Group (PKI TG)

U.S. comments and suggestions should be sent to Will Frazier NIST ( by email
only) at frazier@sst.ncsl.nist.gov 
Technical input to Dean Adams X/Open (by email only) at  d.adams@xopen.org
All other contributions (by email only) to PKI TG at  xosecrtg@xopen.org

Draft Version 0.4

Input for Version 0.5 to be transmitted to xosecrtg@xopen.org by 17th May 1996.

It is expected to issue draft Version 0.5 by 31 May 1996. 

Baseline Requirements for a Global PKI

An interoperable global PKI is required to provide privacy and digital signature
services in support of international commerce, balancing the legitimate needs of
commerce, governments and privacy of citizens.

The global PKI must support multiple governance policy models within a single
global PKI framework, and must enable the enforcement of all existing governance
policy mandates.

The global PKI shall support the following Security Services:

. confidentiality (sealing)
.  integrity and authentication (signing)
. non-repudiation service
. end-to-end monitoring, reporting and auditing of PKI services

The global PKI shall have the following functionality and characterisitics:

1. Key life-cycle management
. Data recovery facilities
. Mandatory Trust (Unconditional trust, policed according to a strict policy,
with liability and penalties attached to loss)
. authenticated key storage
. synchronisation between management (eg retirement) of public keys in PKI and
private keys in data recovery centres
. ageing / revocation of keys
. discretionary key fragmentation
. Key Generation  facility
. Method of key generation will be discretionary, subject to commercial decision
and business requirement.
. Discretionary Trust (level of trust placed on this will in practice be a
commercial decision and may be negotiated between partners)
. Key Distribution and Revocation
. Warranted retrieval
. Law enforcement retrieval (subject to due process of law)
. Corporate agency retrieval (subject to policy and authorisations)
. Individual retrieval (subject to policy and authorisation)
. Notorised electronic warrant (able to take advantage of existing legal

2. Distributed Certification Authority (CA) structure (driven by requirements of
transaction/business domain)
. policing and enforcing policy (governance model)
. policy creation and maintenance
. registration, naming and query
. authentication (mandatory binding PK to Directory Name, discretionary binding
entity to a Directory Name)
. auditing and monitoring of compliance
. detection of non-compliance and revocation
. support of multiple policies 

3. Security of the PKI
. protection of key services (e.g. key generation, distribution, storage)
. availability of PKI services
. integrity of the PKI
. non-repudiation of the PKI

Known Issues

Single directory standard for PKI (X.500 or DNS ) or federated with single
defined access and control application protocol Interface and protocols for
directory interoperability.


Adopt international standard X.509 version 3 as a basis for the development of
the global PKI
Adopt and adapt existing standards and technology  wherever possible, only
invent as a last resort.

Contributing organisations to draft Version 0.4
Barclays Bank, Shell International, Sweden Post,
UK Ministry of Defence,  BCTEL, DISA,
The Open Group, Telecom Finland Ltd,  Pacific Gas & Electric,
Electronic Data Systems, Jet Propulsion Laboratory,  Boeing Information &
Support Group
Harris Corporation, ICL, Lockheed Martin, Guide International	

Parties invited to develop requirement (not exhaustive)

. U.S. Government (NIST as conduit to all U.S. government agencies)
. Canadian Government
. European Information Security Business Advisory Group (IBAG) & Member
. European Commission DG III & DG XIII
. European Commission DG XIII  Senior Officials Group - Information Security
. CommerceNet
. Japanese Govt Initiative (JapanNet)
. Verisign
. Open Group (OSF -X/Open)
. Electronic Mail Associations
. Lotus
. Microsoft
. Trusted Information Systems (TIS)
. Bankers Trust

The Open Group PKI TG looks forward to your responses.

Sent on behalf of the Open Group PKI TG by
Nick Mansfield
Shell International B.V.

Disclaimer: The views expressed in this note are not necessarily those of Shell
International B.V. or any other Shell Group company.