Minutes of the December 5-6, 1996 Meeting of the Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure

December 5, 1996

The first meeting of the Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure (TAC) was called to order at 11:05 a.m. at the Sheraton Hotel at Dallas Ft. Worth Airport, in Irving, Texas. All portions of the meeting were held in open public session. All members were present. The Secretary, Ed Roback, reviewed the agenda and handouts, and initial member introductions followed.

The Chairperson, Dr. Stephen Kent, was then introduced and made a few opening remarks, commenting that the task of the TAC was very important, yet not easy, requiring a significant technical effort. He suggested that the TAC would need to form working groups, perhaps developing parallel solutions to key recovery for stored data, store and forward, and transmissions. He introduced Dr. Mary L. Good, Under Secretary of Commerce for Technology.

Dr. Good began her remarks by extending the appreciation of the Vice President and Secretary of Commerce to the members for their willingness to assist the Administration in this effort to work together to develop solutions to a problem which confronts both industry and government, namely, recovery of encryption keys. She emphasized the Administration's desire to work with the private sector in this effort, which can affect U.S. global competitiveness. In short, the task of the TAC is to find an acceptable approach to key recovery while minimizing risk. No technical constraints are being placed upon the TAC in developing its recommendations. She suggested the TAC listen to the needs of private sector and federal customers for key recovery and stressed the urgency of completing this work.
Remarking upon how impressed she was with the credentials of those who volunteered, she thanked the members, federal liaisons, Dr. Kent, and the TAC staff.

Next, each member and federal liaison was invited to provide a brief personal and corporate introduction, and share any pertinent thoughts on the TAC's mission. This lasted the remainder of the day. The meeting was recessed at 3:50 p.m.

Note: Beginning at 4:10 p.m., Mr. David Maggi, Chief of the Ethics Division at the Department of Commerce, provided a briefing to the TAC on ethics and Federal Advisory Committee Act matters.

December 6, 1996

The day began with a briefing by Dr. Denning, TAC Member, on a taxonomy of approaches to key escrow/recovery. [See Reference #1.] Distinctions were made among:
1) the archiving of a recovery key with a recovery/escrow center (whole or split);
2) a recovery key unique to a product, user, or recovery center;
3) a recovery key associated with a sender or receiver;
4) a recovery key used for recovery (or distribution) of a data encrypting key; and
5) recovery services or time-bounded derivative to obtain the data encrypting key.
Standards are needed for recovery fields, recovery services and center operations.

Next, Ms. Edfors, Government Information Technology Services (GITS) Board liaison to the TAC, briefed the group on GITS' efforts to work with industry, academia, and federal, state, and local governments to design a public key infrastructure (PKI) based on standards and interoperable off-the-shelf products. Over 40 PKI pilot activities are currently underway in the federal government, involving digital signature or encryption. [See Reference #2.] Of these, ten pilots involving encryption were selected to test approaches to key recovery via the Emergency Access Demonstration Project, under the Interagency Working Group on Cryptography Policy.
The purpose of this activity is to demonstrate the viability of key recovery, as a security service, for federal business applications. [See Reference #3.] Ms. Edfors reviewed the pilot selection criteria, pilot applications, government and industry team members, and overall approach to the demonstration, stressing that the activity will learn from both successes and failures. Ms. Edfors also noted that the pilots would not be recovering keys used only for digital signature and will not mandate what cryptography federal agencies use.

Dr. Kent then proceeded to begin framing issues for discussion. [See Reference #4.] He remarked upon the need for a glossary in order to avoid confusion in understanding and interpretation of terms. Regarding intellectual property issues, he asked that all members identify documents on techniques for key recovery, to be provided to the Secretariat for collection and distribution (on-line references strongly preferred). He also asked all members, including the federal government liaisons, to make the TAC aware of any intellectual property rights with regard to key recovery technology, that currently exist or are underway, which could reasonably be expected to affect the TAC activities. A specific request was made of NIST to research any government patents or licenses in this area. He also encouraged members to make documents electronically available on the TAC's web site (http://csrc.nist.gov/tacdfipsfkmi/) or provide references to other sites for relevant documents. A good reference library of key recovery materials is required.

Regarding working groups (WGs), Dr. Kent expressed his preference for the use of e-mail (in ASCII, as requested by some members) to formulate position papers that can be presented at TAC meetings. As appropriate, WG materials can also be provided to the Secretariat for posting to the TAC web site. Three general categories were discussed: storage, real-time communications, and staged delivery.
It may make sense to look at the requirements and technical approaches to each separately. Also discussed was the need to address: key recovery centers, assurance of key recovery components, performance requirements, and an appropriate threat model.

During the meeting, a number of WGs were proposed:

1. Framework
This WG will develop a top-level model for key recovery, identifying the elements of a key recovery system, the functions of the elements, system goals, etc. Key recovery in the context of real-time communication, staged delivery (e.g., e-mail) communication, and storage applications will be encompassed by the framework.

2. Security Model
This WG will describe the security context in which a key recovery system operates. It will describe the security requirements from the perspective of each participant in the system (e.g., users, organizations, law enforcement, ...). It will examine the threats (i.e., capable, motivated adversaries) applicable to such systems, and the capabilities of such adversaries.

3. Key Recovery Agents (KRAs)
Many key recovery systems embody the concept of a key recovery agent, often, though not always, a trusted third party (TTP). This WG will describe criteria for KRAs, both ones operated by a third party (e.g., a service agency) and ones operated within an organization for its own key recovery purposes. Criteria applicable to the operation of KRAs will be described. Such criteria will include both security concerns and performance and availability considerations. The WG will also develop proposals for how KRAs will be evaluated against these criteria to ensure compliance, e.g., via government agencies or certified private organizations.

4. Non-KRA Components
A key recovery system entails components other than KRAs, e.g., mechanisms that enable recovered keys to provide access to data. Many of the same concerns that apply to KRAs apply to these other components.
This WG will examine security assurance issues, performance (bandwidth and computation) concerns, application independence, and enforcement features (e.g., mechanisms to ensure that key recovery is being used).

5. Interoperability
The introduction of a key recovery system will not make previously non-interoperable systems interoperable. However, systems that were or could be interoperable (especially communication systems) can be rendered non-interoperable as a result of the introduction of a key recovery system. This WG will explore various interoperability implications of key recovery systems. Topics to be explored include those that impact user-user communications, user-KRA interactions, and recovery actions (e.g., with a KRA). Included in this WG will be issues of backward compatibility (for archival storage purposes).

Dr. Kent requested each member to let him know via e-mail (kent@bbn.com) in what areas or WGs each member would be interested. (ACTION - Members)

In the afternoon, this discussion continued, reviewing the "initial questions" handout. The key recovery standard can be independent of specific algorithms. Regarding the level of responsiveness to specific agency needs, it was agreed that it would be appropriate to ask federal agencies to brief their requirements to the TAC at the February meeting. Tiers of compliance for responsiveness and approach could be considered in a framework. The model initially discussed for the FIPS development activity calls for two tiers of FIPS. The first FIPS would provide a framework for key recovery in general, while successive FIPS would provide algorithm-specific details for key recovery systems. Default algorithms could be described to promote interoperability.

Logistics and locations for future meetings were briefly discussed, with a few clear member preferences: 2-day meetings approximately every 2-3 months, avoiding Mondays and Fridays (particularly Friday afternoons).
There was also a request for arranging for WG meeting space the day before and after the TAC meeting, since it was seen as unlikely that WGs could meet face-to-face at other times. A few members offered to host meetings; these offers raise questions which will have to be resolved with the Ethics Division.

The TAC meetings for 1997 are scheduled for:
February 19-20, 1997 (San Francisco area, exact venue TBD)
April 23-24, 1997 (TBD)
June 18-19, 1997 (TBD)
August 27-28, 1997 (TBD)
October 15-16, 1997 (TBD)
December 17-18, 1997 (TBD)

Areas of interest for the February meeting include: briefings on foreign perspectives (ACTION - SECRETARIAT), requirements of federal agencies (ACTION - FEDERAL LIAISONS), and the FIPS development process, particularly in light of recent legislation directing agencies to use commercial standards (ACTION - MESSRS. BOHANNON and SMID).

During the period of time set aside for public comment, a representative of PGP Inc., Mr. Dave Del Torto, stated that his firm would like to make a statement at the February meeting.

The meeting was adjourned at 3:30 p.m.

References: [Note: References are on file with the Secretariat.]
1. Dr. Denning's taxonomy
2. Ms. Edfors' GITS IT 10.03, "Federal Public Key Infrastructure Activities" briefing
3. Ms. Edfors' "Emergency Access Demonstration Project" briefing
4. "Initial Questions for Discussion" handout
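To make two of the distinctions in Dr. Denning's taxonomy (briefed on December 6) concrete, the following added example, which is not part of the minutes nor of any product or reference discussed by the TAC, models a split recovery key archived with two recovery centers (distinction 1) and a recovery field in which that recovery key wraps the data-encrypting key (distinction 4). The wrap, the share format and the label are constructed stand-ins for illustration, not a construction any system described here uses.

```python
import hashlib
import hmac
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_recovery_key(recovery_key: bytes) -> tuple[bytes, bytes]:
    """Distinction 1, 'split': 2-of-2 XOR split of the archived recovery key.
    Each recovery center's share alone is a uniformly random string."""
    share_a = secrets.token_bytes(len(recovery_key))
    return share_a, _xor(recovery_key, share_a)


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    return _xor(share_a, share_b)


def make_recovery_field(data_key: bytes, recovery_key: bytes, label: bytes) -> dict:
    """Distinction 4: the recovery key wraps the data-encrypting key into a
    recovery field carried alongside the ciphertext. Constructed toy wrap: a
    one-time pad derived by SHA-256 from (recovery key, fresh nonce), plus an
    HMAC tag so a damaged or substituted field is rejected, not mis-unwrapped."""
    if len(data_key) > 32:
        raise ValueError("toy wrap covers data keys of at most 32 bytes")
    nonce = secrets.token_bytes(16)
    pad = hashlib.sha256(b"KRF-wrap" + recovery_key + nonce).digest()[: len(data_key)]
    wrapped = _xor(data_key, pad)
    tag = hmac.new(recovery_key, label + nonce + wrapped, hashlib.sha256).digest()
    return {"label": label, "nonce": nonce, "wrapped": wrapped, "tag": tag}


def recover_data_key(field: dict, recovery_key: bytes) -> bytes:
    """Recovery-service step: verify the field under the (reassembled)
    recovery key, then unwrap. A wrong key or an altered field raises."""
    msg = field["label"] + field["nonce"] + field["wrapped"]
    tag = hmac.new(recovery_key, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, field["tag"]):
        raise ValueError("recovery field integrity check failed")
    pad = hashlib.sha256(b"KRF-wrap" + recovery_key + field["nonce"]).digest()
    return _xor(field["wrapped"], pad[: len(field["wrapped"])])


def demo() -> bool:
    data_key = secrets.token_bytes(32)      # per-message data-encrypting key
    recovery_key = secrets.token_bytes(32)  # long-lived recovery key for one user
    share_a, share_b = split_recovery_key(recovery_key)  # one share per center
    field = make_recovery_field(data_key, recovery_key, b"user-42")  # constructed label
    # Authorized recovery: both centers release their shares, the field unwraps.
    return recover_data_key(field, combine_shares(share_a, share_b)) == data_key
```

A single center's share (or any other wrong key) fails the integrity check rather than yielding a plausible but wrong data key, which is the behaviour a recovery service needs in order to detect a corrupted or mismatched recovery field.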