extracted from: Network World volume 11, number 28 July 11, 1994 page 8, page 63 Gov't eyes plans for a public-key infrastructure by Ellen Messmer Federal agencies are mulling how to set up procedures and policy guidelines for linking a user's identity to that person's public-key digital signature, but costs and liability issues in certifying users are presenting obstacles. The U.S. government intends to operate a public-key certification system for government users that will also serve the private sector, as well. But a report just completed by Mitre Corp. for the National Institute of Standards and Technology (NIST) puts the price tag at $1 billion for the start-up of the government alone, with a possible $2 billion annual operational cost for managing certificate-revocation lists. Users can sign and verify electronic documents using unique digital signatures based on a secret cryptography key, but security experts have long recognized that a certification system is needed so keys can be revoked if the key is stolen or a person changes jobs. According to Mitre's report, "The Public Key Infrastructure Study," the role of the Policy Certification Authority (PCA) could be assumed by either the U.S. Postal Service, the Federal Reserve Board, General Services Administration or even private-sector organizations such as telecommunications providers and banks (see sidebar). The Postal Service is eager to step into the role, said sources at NIST, but the high price tag for operating the X.500 directory listing public keys and revocation lists is causing some alarm. The Postal Service declined to comment. For years, the Internet Society has contemplated setting up the same sort of trusted certificate authority. But it got bogged down almost exclusively because of liability concerns, said Steve Kent, chief scientist at Bolt Beranek and Newman, Inc. PCAs nevertheless spring up. Trusted Information Systems, Inc., the Massachusetts Institute of Technology and RSA Data Security, Inc. have all set themselves up as PCAs with different policies. Apple Computer, Inc., which now ships RSA digital signatures as part of its operating system, offers a computerized certification request to register public keys with RSA. But while this type of certification may be fine for use in some commercial purchases, it would not be sufficient at Northen Telecom, Inc. (NTI), which intends to use digital signatures in multimillion- dollar transactions, noted Brian O'Higgins, director of security networks at NTI. O'Higgens said NTI is testing its own system for issuing digital signature certificates to all employees. "It's easy to do within one enterprise," O'Higgins said. "But the interenterprise applications hasn't started to happen, and that's where a government public-key infrastructure would help." A new study on legal issues faced by the government in the effort warns that a federal certificate authority must establish strict equipment and personnel requirements for the certificate-issuance process and accept some liability for improper actions. The study, "Federal Certification Authority Liability and Policy," authored by Michael Baum, principal at Independent Monitoring in Cambridge, Mass., points out that the federal government can claim sovereign status protecting it from lawsuits. But in his report, Baum notes that the commercial sector will not be ready to accept public-key certificates issued by the government for use in electronic commerce unless the government accepts some liability for its actions. "This is the foundation on which electronic commerce will be built," he said. Setting clear security for both the equipment and personnel involved is issuing public-key certificates make sense, added O'Higgins. "We absolutely have to have a security policy in this," he said. (side bar) PKI pyramid lexicon Policy Approving Authority (PAA) Creates overall guidelines for the Public Key Infrastructure and may also certify PCA public keys. Policy Certification Authority (PCA) Establishes policy for all certification authorities and users within its domain, and approves CA public keys. Certification Authority (CA) Certifies public keys for users in a manner consistent with PCA and PAA policies. Organizational Registration Authority Acts as an intermediary between a CA and a user to vouch for the identity and affiliation of the user. ------------ To respond to the sender of this message, send mail to remailer@soda.berkeley.edu, starting your message with the following 8 lines: :: Response-Key: ideaclipper ====Encrypted-Sender-Begin==== MI@```%ES^P;+]AB?X9TW6\8WR:2P&2%`$A:^X<=%2MQ&K,"#9W2V4M]H[VQ^ MB5V0!,$C6Y;FGL-L!")=HM/1UHHCI^%&V6:;UA,A]6>#S_D/01M'@Q/1-:(\ $ET'N,P`` ====Encrypted-Sender-End====