*Draft Charge Statement* Note that this draft was also distributed at the first meeting on December 5-6, 1996. Draft (9/1/96) Charge to the Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure Use of strong cryptography on a widespread basis in the GII requires a supporting infrastructure, including the provision of many services (e.g, authentication, trusted notary, etc.) One important service is key recovery (for keys used for confidentiality). This will help protest users when keys are lost or destroyed, and also assist law enforcement decrypt information under lawful circumstances. To facilitate provision of key recovery services for its own use, the government needs a Federal Information Processing Standard. The standard must be developed by working with those who produce and use cryptographic technologies in the private sector. The Advisory Committee, which will be comprised primarily of private sector individuals, will be an important vehicle by which the government gains the benefit of private sector input in developing this standard. To a certain extent, the committee resembles the standards development committees utilized by the private sector; however, it is intended that this Committee provide technical recommendations to the Secretary of Commerce on the development of a standard. When completed, the standard will enable key recovery services for use within the government which are compatible with private sector activities. The Advisory Committee's work will gain from the experiences of the key management infrastructure pilot projects, including key recovery services, underway within the government, which can provide useful input and real-world experiences for the committee. The Committee's work will take place concurrently with (and not supplant) many ongoing private and public sector activities, such as those in the area of public key infrastructure. When adopted, the standard will be available to the public and private sector (on a voluntary basis) for providing key recovery services. What is the exact task of the Committee? The Committee's assignment, as discussed in the charter, is to make technical recommendations regarding the development of a draft FIPS for Cryptographic Escrow Systems which could be incorporated into a Federal Key Management Infrastructure. The Committee will focus on the data recovery services of the Federal Key Management Infrastructure for both stored and communicated information. Consequently, the work assignments of the Committee are as follows: - Developing recommended recovery system requirements (for confidentiality keys/plaintext, not keys used only for digital signature); - Drafting specifications or protocols for: -- registration and re-registration of encryption keys (could be for user keys, organization keys, master keys, session keys, time period keys, etc.); -- recovery of encryption-related keys and/or other information necessary for decryption for law enforcement access; and -- use of more than one TTP for split-key storage. -Recommending validation/certification requirements for recovery systems, escrow entities, and products. Pending successful completion of these tasks, additional related tasks, consistent with the Committee's charter, may be requested of the Committee by the Secretary of Commerce. What is outside the scope of the Committee's activities? Activities of federal advisory committees, including the TACDFIPSFKMI, must be consistent with their charter. The TACDFIPSFKMI charter specifies that "[t]he Committee shall make technical recommendations regarding the development of a draft Federal Information Processing Standard (FIPS) for the Federal Key Management Infrastructure." Some of the specific issues outside the scope of the Committee's charter include, but are not limited to: encryption export controls, federal policy on encryption and key recovery, the need for legislation or proposed legislation, access requirements of law enforcement, liability issues, non-key recovery related aspects of the Public Key Infrastructure, and the ability to limit third party disclosures. The Committee, however, may have to be have a working knowledge of some of these topics. It is the responsibility of the Designated Federal Official assigned to the Committee to assure that the Committee acts within the limits of its charter and the law. How will Committee recommendations be used? Recommendations made by the Committee will be considered by NIST in formulating a draft FIPS which will be announced in the Federal Register for public review and comment. Once comments are received and analyzed, the draft FIPS is modified as appropriate and forwarded to the Secretary of Commerce for approval. FIPS apply to federal organizations, and may be utilized by those outside the Federal government on a voluntary basis. Within the government, FIPS may be either mandatory or advisory, as determined by the Secretary of Commerce. Will Government representatives be on the Committee? Since the purpose of the Committee is to provide the Government with industry suggestions for meeting Government's key recovery requirements, Government officials will not be official voting members of the Committee. Instead, a limited number of adjunct seats (e.g., 5-7, above and beyond the Committee's maximum size of 24 members) will be available for government technical experts to interact with the Committee during its meetings, explain government requirements, answer pertinent questions and offer explanations of its experiences with key recovery systems.