D -- DOD MEDIUM ASSURANCE PUBLIC KEY INFRASTRUCTURE PROPOSAL FOR EXTERNAL CERTIFICATE AUTHORITIES (ECAS) THIS IS A CORRECTION TO INCORPORATE THE INTERNET ENGINEERING TASK FORCE WEB SITE . THE WEB SITE SHOULD HAVE BEEN LISTED UNDER THE SECTION TITLED "BECOMING A DOD-RECOGNIZED ECA." STATEMENT OF INTENT Recognizing a need to provide a range of information security services to clients in both government and private industry, the DOD is releasing a Request For Information (RFI) for potential pilots of an ECA Model. This RFI is released to private industry for interested parties to comment. Interested parties should respond with comments within 30 days of the RFI release. Subsequently, the DOD will determine a date to begin accepting applications. INTRODUCTION For external business transactions using a PKI, the DOD must operate with non-DOD entities and establish a policy for third party trust relationships. In a public key system, the public key must be freely accessible and the user must have a reliable way of verifying the authenticity of public keys. An infrastructure for managing and certifying publickeys can be based on a hierarchy or network of mutually "trusted" certification authorities. PURPOSE This document focuses on the DOD's current implementation of the medium assurance PKI and the plan to operate with parties outside the DOD. Non-DOD entities doing business electronically with DOD must take steps to ensure that any use of the PKI achieves a level of assurance equivalent to the DOD PKI medium assurance, as defined in the Draft U.S. DOD Certificate Policy, thereby ensuring a satisfactory trust relationship for DOD and non-DOD electronic transactions. Non-DOD entities, including DOD contractors, vendors, and other government organizations, achieve this level of assurance, in part, by utilizing the services of ECAs to ensure the integrity of their electronic business. EXTERNAL CERTIFICATE AUTHORITY In the near-term, DOD's intention is to support interoperability by making available to the ECA community a test and certification process. This process will ensure that ECAs using the DOD's PKI on behalf of Non-DOD subscribers will operate at a level of assurance equivalent to the DOD PKI medium assurance. The DOD will certify ECAs to support interoperability with users outside the DOD. The DOD will maintain, continuously update, and publish a list of all certified ECAs so that contractors and vendors may make informed decisions for ECAs to employ for their electronic business transactions. ECAs are not required to be certified. However, non-DOD entities who use uncertified ECAs face a risk that the integrity of electronic transactions will be compromised thereby. Contract clauses should be developed to ensure that contractors are aware that any damages incurred as a result of using an ECA, certified or not, cannot be shifted to the Government. This document describes procedures for testing and certifying an ECA, including assurances that must be provided by such organizations. To permit secure interoperability between DOD and non-DOD users, a common certification path must exist. BECOMING A DOD-RECOGNIZED ECA The establishment of a DOD-certified ECA will be based on compliance with DOD policy and certification criteria. Testing and certification will be performed by or under the direction and control of the DOD. Since users of the DOD PKI already trust the Root, certificates issued by the ECA will be trusted and verifiable by DOD relying parties. Non-DOD relying parties will also need to trust the DOD Root in order to recognize certificates issued by the DOD PKI. ECAs that meet the established DOD requirements will receive certificates digitally signed by the DOD Medium Assurance Root. The DOD Medium Assurance Root will also maintain an accurate and current list of all certified ECAs. This listing will be publicly available to any current or prospective DOD contractor or vendor. Acceptance of a candidate ECA by the DOD will be based primarily, but not exclusively, on the applicant's ability, at a minimum, to meet the medium assurance level criteria defined in the Draft U.S. DOD Certificate Policy, 9 March 1998. Adherence to this policy is required as a condition of continued acceptance of ECA issued certificates by the DOD. ECAs are required to meet certain technical and procedural criteria as defined in the DOD PKI Draft Functional Specification (11 May 98). This specification references the profile of the DOD certificate. It is essential that certificates issued by ECAs comply with the DOD certificate profile requirements. The ECA will also provide directory services for its clients and a Lightweight Directory Access Protocol (LDAP) interface to its repository. The ECA must demonstrate adequate arrangements to protect private encryption of keys held by the ECA from improper disclosure and use. The ECA must demonstrate adequate arrangements for protecting the hierarchical keys upon which the secrecy of client keys or system keys are dependent. Each potential ECA will submit an application in the form of a Certification Practice Statement (CPS) in the Internet Engineering Task Force Public Key Infrastructure X.509 (IETF/PKIX) part 4 format to the DOD PKI Policy Management Authority (PMA) Sub-Committee for approval. Prospective ECAs can visit the IETF web site at <ftp://ftp.ietf.org/internet-drafts/draft-ietf-pkix-ipki-part4-03.t xt> to reference the format. CANDIDATE ECA REVIEW PROCESS Candidate ECAs seeking DOD certification shall submit to the DOD PKI Policy Management Authority (PMA) Sub-Committee the application consisting of a CPS in the IETF/PKIX part 4 format (reference the IETF web site for the format) and a system design/architecture, in particular, CA configuration parameters. The applications will be processed and reviewed individually in the order in which they are received by the DOD PKI PMA Sub-Committee, composed of representatives from the National Security Agency (NSA), the Defense Information Systems Agency (DISA), the military services, and the DOD agencies. If the application is determined unacceptable, the DOD PKI PMA Sub-Committee will provide written notice with the reason for the rejection. At its discretion, the DOD PKI PMA Sub-Committee may allow subsequent modifications or corrections from the candidate ECA for immediate reconsideration or may require the candidate to resubmit an application to be processed after the applications on hand at the time of resubmission. If the application is determined acceptable, the DOD PKI PMA Sub-Committee will conduct site inspections and interviews. Following the site inspections and interviews, the DOD PKI PMA Sub-Committee will either submit comments in writing to the candidate ECA for re-evaluation or will recommend the candidate ECA to the DOD PKI PMA. The DOD PKI PMA reserves the right to grant exceptions for approval at any stage in the process. The DOD PKI PMA, with senior representatives from NSA and DISA, will review the findings and recommendations of the DOD PKI PMA Sub-Committee and will approve or disapprove the candidate ECA. Following approval by the DOD PKI PMA, a Memorandum of Agreement will be generated between the DOD and the ECA. A list of approved ECAs will be published for public information. This procedure is not intended to create any rights or privileges for candidate ECAs, adverse decisions may not be appealed above the DOD PKI PMA, and judicial review is not available. Since use of a certified ECA will not be required by contract, certification does not create any right of action against the Government in the contractors or vendors who subscribe to the services of an ECA. LIABILITY It is DOD's intent to provide a service for non-DOD entities wishing to use PKI for business transactions. In the case of private industry users, specifically DOD Contractors, the Contractors must be informed in the contract that the ECA testing and certification process does not create any rights in the candidate ECA or the non-DOD entity. Matters of liability for damages from a failure of the ECA's PKI service are properly to be covered in the agreement between the private industry users and the ECAs. POINT OF CONTACT The pointof contact for technical issues concerning this announcement is Ms. Happy Barranco, DISA at (703) 681-7943, <barranch@ncr.disa.mil>. DOD PKI documents referenced in this RFI can be obtained by sending an electronic request to Ms. Barranco. It is requested that responses to the RFI be submitted at the web site no later than 21 August 1998.***** LLLL WEB: Click here to visit the Internet Engineering Task Force, ftp://ftp.ietf.org/internet-drafts/draft-ietf-pkix-ipki-part4-03.txt. E-MAIL: Click here to contact the technical specialist., barranch@ncr.disa.mil. Posted 08/20/98 (W-SN239795).

Loren Data Corp. http://www.ld.com (SYN# 0651 19980824\SP-0001.MSC)