Japan E-Commerce Promotion Council on CAs

--- begin forwarded text

Mime-Version: 1.0
Date: Thu, 10 Apr 1997 11:44:59 -0700
From: jmuller@brobeck.com (John D. Muller)
Subject: Japan E-Commerce Promotion Council on CAs
To: dcsb@ai.mit.edu
Sender: bounce-dcsb@ai.mit.edu
Precedence: bulk
Reply-To: jmuller@brobeck.com (John D. Muller)

Press release

Announcement of Certification Authority Guidelines in Japan
----------------------------------------------------------------------
Full Document
7th, April, 1997
Electronic Commerce Promotion Council of Japan
----------------------------------------------------------------------

1. Background

The Electronic Commerce Promotion Project partially funded by the Japanese government was started in late 1995. The project consists of 19 test-bed projects which experimentally provide various kinds of electronic commerce between consumers and businesses. Currently over 350 companies participate in the projects and more than 500,000 consumers are presumed to have joined.

To foster Electronic Commerce (EC) in Japan, and also to support and coordinate these projects, the Electronic Commerce Promotion Council of Japan (ECOM) was established in early 1996. ECOM has set up 14 Working Groups to study a wide range of EC related issues. One of these Working Groups is the Certification Authority (CA) Working Group which focuses on the technology, practice, and legal environment of CA. One of the objectives of this CA Working Group is to develop the CA Guidelines. The primary draft of the Guidelines was made public in December 1996.

2. Objectives of the CA Guidelines

CA Guidelines provide the foundation for the operation of CAs which issue digital certificates. A digital certificate, which electronically verifies the identity of business parties during network transactions, will play an important role in electronic commerce conducted via open networks.

Digital certification guarantees the security of transaction information transmitted through networks, and information transmitted between organizations, within organizations and between individuals, by eliminating problems such as wiretapping, tampering or repudiation. This fosters the reliance and trust required to conduct business.

3. Structure of the CA Guidelines (Alpha Version)

(1) Introduction

This section first defines the basic terminology related to CAs, such as public keys, certificates, and revocation of certificates, etc. The section then deals with the following subjects concerning public key infrastructure, which can be regarded as the technological foundation of the guidelines: (1) certificate management service for issuance, publication, and storage of certificates, services relating to the registration and management of personal information, and electronic notary, etc.; (2) hierarchical structure of CAs; (3) purpose of use and format of certificates.

(2) Management requirements

As management requirements are important for increasing the reliability of CAs, establishment and publication of policies relating to certification, requirements needed by organizations, operational security requirements, and information disclosure requirements are stipulated. Within the policy arena the establishment and presentation of provisions concerning the requirements for secure operation of equipment and facilities, and of provisions concerning standards for issuance of certificates are discussed. This section also stipulates that organizational requirements must specify independence, third party character and specialization.

(3) Service requirements

This section specifies requirements for guaranteeing security relating to five services that constitute the certificate management service, which is the basic service of CAs: management of the keys of CAs, issuance of certificates, registration and publicizing of certificates, storage and management of certificates, and revocation of certificates. For example, in view of the serious consequences of leakage or theft, private keys of CAs must be stored in an independent special module with high storage capacity, and in an environment that does not allow illegal removal of the storage module. Auditing of certificate issuance is also discussed. The personal verification of the applicant must be divided into three levels, and personal verifications should be conducted according to these levels.

(4) Facilities and system requirements

This section specifies that requirements conform to measures classified under group A of the "Information Systems Security Measures Standards," which were announced by MITI in August 1995 and the instruction manual was published by the Information Service Industry Association in October 1996. Group A requirements relate to information systems that affect people's lives, the property of others, privacy and other social elements.

4. Forthcoming Schedule

ECOM is requesting that member companies and other relevant parties offer their comments regarding this guidelines draft. At the same time, the guidelines will be applied to the electronic commerce test-bed projects sponsored by MITI (Ministry of International Trade & Industry), with the results of these test operations to be incorporated in the guidelines. The final version, based on opinions obtained from various sectors, is scheduled to be prepared and announced by March 1998.

More information
E-mail: tawara@ecom.or.jp
FAX: +81-3-5531-0068

To unsubscribe from the dcsb list, send a letter to: Majordomo@ai.mit.edu
In the body of the message, write: unsubscribe dcsb
Or, to subscribe, write: subscribe dcsb
If you have questions, write to me at Owner-DCSB@ai.mit.edu

--- end forwarded text

-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
Lesley Stahl: "You mean *anyone* can set up a web site and compete with the New York Times?"
Andrew Kantor: "Yes."
Stahl: "Isn't that dangerous?"
The e$ Home Page: http://www.shipwright.com/