Appendix -- CKRS System Policies

A compliant Cryptographic Key Recovery System may provide configurable options that enable a single compliant product to be used in a variety of applications. These options shall be collectively termed the system policy. Products that would otherwise be compliant with this FIPS will remain compliant if they provide for any or all of the following policy options.

A.1 Affected data types.

A.1.1 In a system comprising encrypted stored data, a system policy may define whether or not stored data is to be made available for recovery.

A.1.2 In a system comprising encrypted electronic mail, a system policy may define whether or not electronic mail is to be made available for recovery.

A.1.3 In a system comprising encrypted real-time communications, a system policy may define whether or not real-time communications are to be made available for recovery.

A.1.4 A system policy may further identify what data is to be made available for recovery.

A.2 Access policy.

A.2.1 For each affected data type for which recovery has been selected, the system policy may define the recovery mechanism to be used, i.e. precisely how the key recovery is to be done, particularly when a variety of key recovery options are available.

A.2.2 For each affected data type for which recovery has been selected, the system policy may define what recovery agent or agents shall be used.

A.2.3 For each recovery agent and affected data type selected, a system policy may define what requestors may recover the data.

A.2.4 For each requestor selected, a system policy may define the conditions under which each recovery agent shall make the data available to the requestor.

A.2.5 For each recovery agent and affected data type, a system policy may define what measures are to be taken by the recovery agent to prevent destruction of the data.

A.3 Data integrity policy.
A.3.1 For each recovery agent and affected data type, a system policy may define the requirements for maintaining integrity of the data.

A.3.2 For each recovery agent and affected data type, a system policy may define whether a cryptographic "proof" of data integrity shall be required (perhaps utilizing a digital signature) and, if so, a security confidence level for this "proof" (e.g. bit length).

A.3.3 For each recovery agent and affected data type, a system policy may define what (if any) measures are required to provide "proof" (perhaps utilizing digital signatures verifiable by a third party) of the source of the recovered data.

A.3.4 For each recovery agent and affected data type, a system policy may define the auditing procedures to be followed by the recovery agent.

A.4 Interoperability policy.

A.4.1 For each affected data type, a system policy may define what (if any) interoperability restrictions are to be placed on the system.

A.4.2 For each affected data type, a system policy may define what (if any) interoperability conditions require a warning to the user.
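The following Go program is an added illustration of the integrity and source "proofs" contemplated in A.3.2 and A.3.3; it is not part of this FIPS and the standard defines no record format. It assumes a recovery agent releases recovered data together with a signed record binding a SHA-256 hash of that data to the agent, data type and requestor, so that the requestor or any third party holding only the agent's public key can check both that the release came from that agent (source) and that the data was not altered afterwards (integrity). Ed25519 is used as a fixed-strength signature; a policy that specifies a confidence level by bit length would select the algorithm accordingly. The record field names and identifiers such as "agent-1" are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// RecoveryRecord is the statement a recovery agent signs when it releases
// recovered data. The field set is an assumption for this example.
type RecoveryRecord struct {
	Agent     string `json:"agent"`     // recovery agent identifier
	DataType  string `json:"data_type"` // e.g. "stored-data", "email", "realtime"
	Requestor string `json:"requestor"` // who the data was released to
	Issued    string `json:"issued"`    // RFC 3339 timestamp of the release
	DataHash  string `json:"data_hash"` // hex SHA-256 of the recovered data
}

// SignedRecord carries the exact bytes that were signed and the signature.
type SignedRecord struct {
	Record    []byte
	Signature []byte
}

// Release is the agent's side: hash the recovered data, bind it to the
// release context, and sign the canonical JSON encoding of the record.
// encoding/json writes struct fields in declaration order, so the same
// record always produces the same bytes to sign.
func Release(priv ed25519.PrivateKey, agent, dataType, requestor string, recovered []byte, issued time.Time) (SignedRecord, error) {
	sum := sha256.Sum256(recovered)
	rec := RecoveryRecord{
		Agent:     agent,
		DataType:  dataType,
		Requestor: requestor,
		Issued:    issued.UTC().Format(time.RFC3339),
		DataHash:  hex.EncodeToString(sum[:]),
	}
	body, err := json.Marshal(rec)
	if err != nil {
		return SignedRecord{}, err
	}
	return SignedRecord{Record: body, Signature: ed25519.Sign(priv, body)}, nil
}

// Verify is the requestor's or third party's side, using only the agent's
// public key: the signature check is the proof of source (A.3.3) and the
// hash comparison is the proof of integrity (A.3.2). Any failure is reported
// with which of the two checks failed.
func Verify(pub ed25519.PublicKey, sr SignedRecord, recovered []byte) (RecoveryRecord, error) {
	var rec RecoveryRecord
	if !ed25519.Verify(pub, sr.Record, sr.Signature) {
		return rec, fmt.Errorf("source check failed: record was not signed by the holder of this key")
	}
	if err := json.Unmarshal(sr.Record, &rec); err != nil {
		return rec, err
	}
	sum := sha256.Sum256(recovered)
	if rec.DataHash != hex.EncodeToString(sum[:]) {
		return rec, fmt.Errorf("integrity check failed: recovered data does not match the signed hash")
	}
	return rec, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample standing in for recovered key or plaintext bytes.
	recovered := []byte("constructed sample: recovered session key bytes")
	sr, _ := Release(priv, "agent-1", "email", "requestor-42", recovered, time.Now())
	if rec, err := Verify(pub, sr, recovered); err == nil {
		fmt.Printf("intact release verifies: %s released %s to %s\n", rec.Agent, rec.DataType, rec.Requestor)
	}
	// A single flipped bit in the recovered data is detected by the hash.
	tampered := append([]byte{}, recovered...)
	tampered[0] ^= 1
	if _, err := Verify(pub, sr, tampered); err != nil {
		fmt.Println("tampered data rejected:", err)
	}
}
```

The signed record, not the bare signature over the data, is what makes the proof useful for A.3.4 auditing as well: it states who released which data type to whom and when, and an alteration of any of those fields fails the signature check just as an alteration of the data fails the hash check.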