Key pilots 'all business-driven'

Starting this month, the Social Security Administration, the Small Business
Administration and the Energy Department's Lawrence Livermore Laboratory will begin pilots
to assess key recovery applications and develop a plan for building a public-key
infrastructure.


A task force, led by members of the Government Information Technology Services Board
and the Interagency Working Group on Cryptography Policy, is coordinating the pilots.


Besides SSA, SBA and the lab, other agencies-including the Transportation and Treasury
departments, the Patent and Trademark Office, the General Services Administration and the
National Technical Information Service-plan to conduct pilots this year.


Patricia Edfors, the GITS Board's security expert, said 10 pilots will be running by
October.


The group will report in December about whether key recovery can provide economical
encryption solutions that will support new electronic government services.


The pilots are "all business-driven, and the idea is to test the concept to make
sure it's something useful for the agencies," Edfors said. "By year's end we'll
learn what works, what doesn't and why."


Edfors outlined the demonstration projects at the National Computer Systems Security
and Privacy Advisory Board's meeting this month in Gaithersburg, Md.


The White House has advocated a key escrow approach since 1994, when it issued the
controversial Escrowed Encryption Standard (EES). But the administration recently altered
its escrow strategy after repeated complaints from industry and privacy groups about EES'
classified algorithm and the possibility that it contains a back door for government
surveillance.


The White House now wants to establish a global key management scheme for both digital
signatures and fully encoded communications that will let law enforcement agencies access
encoded data if they have a court order. Under the revamped plan, users can choose their
key managers and create their key management and recovery systems.


Nevertheless, the administration is counting on the pilot programs to make the business
case and generate industry support for the development of a public key infrastructure.
Edfors said the pilots will help the government establish technical and management
standards, too.


The National Institute of Standards and Technology is seeking information on commercial
key recovery products and services to support the pilot projects.


NIST is supplying technical support as well as certificate authority services to
generate the certificates that bind users to their public encryption keys.


"We want to walk before we run and study what the barriers are to interoperability
in the different solutions," said Jerry Mulvenna, a NIST computer scientist.
"This is not a government-imposed solution. We want to do it with commercial products
and technology."


More information about the pilot projects is available from the key recovery
demonstration World Wide Web site at http://csrc.nist.gov/krdp.


inside gcn

  • security compliance

    Security fundamentals: Policy compliance

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above