DRAFT (12/1/95)

Key Escrow Agent Criteria

Introduction

An often heard concern regarding key escrow encryption is that users of such encryption are vulnerable to abuse of the escrowed key by the escrow agents or others. Many have suggested that changes in the law are needed that specifically criminalize any such abuses. We agree that such laws will be beneficial in deterring acts by anyone to access escrowed keys without authority or to undermine the integrity of the escrow key system. However, the availability of criminal prosecution is not alone sufficient. Key escrow agents must be selected not only with a view toward assuring the availability of escrowed keys for properly authorized government officials, but also to assure that the escrow agents have the commitment and means to protect the confidentiality and integrity of the keys they escrow and of the escrow system itself. This will be particularly important if, as we expect will occur, some key escrow products are designed such that the escrow agent could discern the identity of the user from the keys and other information that is escrowed with them.

The following criteria were drafted with these principles in mind. We have not yet addressed the conditions under which users can be the sole repository of the keys for their system. We recognize that some organizations or people do not want anybody but themselves to escrow their keys. However, since an important reason for escrowing is to preserve effective law enforcement, we must assure that authorized officials can reliably and promptly obtain access to escrowed keys through entities independent of the subject of electronic surveillance. Thus we welcome suggestions on how best to meet this range of interests.
In considering the criteria appropriate for approving escrow agents, we considered both what the government needs to assure it has timely and reliable access when authorized, and what key escrow encryption users would want in order to ensure that the escrowing of keys does not undermine their security. Of course, the government is also a user of key escrow encryption products and shares with other users an interest in ensuring the integrity and security of the escrow system. Similarly, organizations interested in data recovery share the government's interest in having a system through which access to an escrowed key is enabled under appropriate circumstances.

With these considerations in mind, we developed criteria in two categories, "Escrow System Integrity and Security" and "Key Access Requirements." We expect that prospective escrow agents that meet criteria such as these would be considered "approved" escrow agents for export purposes, to hold keys for government systems, etc. Note that keys and/or key components for devices that may process classified information shall be escrowed with escrow agent entities selected by the U.S. government, and that those escrow agent entities may be required to meet more stringent requirements.

Escrow System Integrity and Security

1. Escrow agent entities shall devise and institutionalize policies, procedures, and mechanisms to ensure the confidentiality, integrity, and availability of key escrow related information.
   a. Escrow agent entities shall be designed and operated so that a failure by a single person, procedure, or mechanism does not compromise the confidentiality, integrity, or availability of the key and/or key components (e.g., two-person control of keys, split keys, etc.).
   b. Unencrypted escrowed keys and/or key components that are stored and/or transmitted electronically shall be protected (e.g., via encryption) using approved means.
   c. Unencrypted escrowed keys and/or key components stored and/or transferred via other media/methods shall be protected using approved means (e.g., safes).

2. Escrow agent entities shall ensure due form of escrowed key access requests and authenticate the requests for escrowed keys and/or key components.

3. Escrow agent entities shall protect against disclosure of information regarding the identity of the person/organization whose key and/or key components are requested, and the fact that a key and/or key component was requested or provided.

4. Escrow agent entities shall enter keys/key components into the escrowed key database immediately upon receipt.

5. Escrow agent entities shall ensure at least two copies of any key and/or key component in independent locations, to help ensure the availability of such keys and/or key components in the event of unforeseen circumstances.

6. Escrow agent entities that are certified by the U.S. government shall work with developers of key escrow encryption products and support a feature that allows products to verify to one another that the products' keys have been escrowed with a U.S.-certified agent.

Key Access Requirements

7. An escrow agent entity shall employ one or more persons who possess a SECRET clearance for purposes of processing classified (e.g., FISA) requests to obtain keys and/or key components.

8. Escrow agent entities shall protect against unauthorized disclosure of information regarding the identity of the organization requesting the key or key components.

9. Escrow agent entities shall maintain data regarding all key escrow requests received, key escrow components released, database changes, system administration accesses, and the dates of such events, for purposes of audit by appropriate government officials or others.

10. Escrow agent entities shall maintain escrowed keys and/or key components for as long as such keys may be required to decrypt information relevant to a law enforcement investigation.

11. Escrow agent entities shall provide keys/key components in response to authenticated requests in a timely fashion and shall maintain a capability to respond more rapidly to emergency requirements for access.

12. Escrow agent entities shall possess and maintain a Certificate of Good Standing from the State of incorporation (or similar local/national authority).

13. Escrow agent entities shall provide to the U.S. government a Dun & Bradstreet/TRW number or similar credit report pointer and authorization.

14. Escrow agent entities shall possess and maintain an Errors & Omissions insurance policy.

15. Escrow agent entities shall provide to the U.S. government a written copy of, or a certification of the existence of, a corporate security policy governing the key escrow agent entity's operation.

16. Escrow agent entities shall provide to the U.S. government a certification that the escrow agent will comply with all applicable federal, state, and local laws concerning the provision of escrow agent entity services.

17. Escrow agent entities shall provide to the U.S. government a certification that the escrow agent entity will transfer to another approved escrow agent the escrow agent entity's equipment and data in the event of any dissolution or other cessation of escrow agent entity operations.

18. Escrow agent entities for products sold in the U.S. shall not be a foreign country or entity thereof, a national of a foreign country, or a corporation of which an alien is an officer or of which more than one-fourth of the stock is owned by aliens, or which is directly or indirectly controlled by such a corporation. Foreign escrow agent entities for products exported from the U.S. will be approved on a case-by-case basis as law enforcement and national security agreements can be negotiated.

19. Escrow agent entities shall provide to the U.S. government a certification that the escrow agent entity will notify the U.S. government in writing of any changes in the foregoing information.

20. Fulfillment of these and the other criteria is subject to periodic recertification.