Minutes of the December 17-18, 1997 Meeting of the 
Technical Advisory Committee 
to Develop a Federal Information Processing Standard 
for the Federal Key Management Infrastructure

Wednesday, December 17, 1997

A quorum being present, the seventh meeting of the Committee was called to
order at 9:05 a.m. by the Chair, Dr. Stephen Kent.  In addition to the
Chair, members present were: Joe Alexander, Josh Benaloh, David Carman,
Santosh Chokhani, Paul Clark, John Edwards, Mark Etzel, Ken Konechy, Bill
Franklin, Roger French, Daniel Harkins, Richard Hite, Russ Housley, Paul
Lambert, Mike Markowitz, Mike Matyas, and Joe Pato.   Government liaisons
in attendance were: Elaine Barker, Clem Boyleston, Dianne Dunshee, Barbara
Kirsch, Bruce Kutz, Julie Lever, Jan Manning, John Sabo, and Miles Smid.
Also attending was Mark Bohannon of the Department of Commerce.

Ed Roback, Executive Secretary, welcomed everyone and reviewed the agenda
for the two day meeting, which was comprised of a series of working group
reports, ensuing discussion, and editing of draft requirements.  (See
Reference #1.)  Special mention was made of the need to complete and file
the confidential financial disclosure forms with the Secretary before the
next TAC meeting.   

As with all TAC meetings, the entire meeting was conducted in open, public
session.

Dr. Kent's Opening Remarks

Dr. Kent began by thanking the three members for their demonstrations/
informal briefings of the prior day.  Next, turning to the draft work
products of the WGs, Dr. Kent noted that the language needs to be more
"compliance oriented" (i.e., to provide sufficient information for use by a
testing organization to determine conformance to the standard.)  As was
mentioned in October, the WG documents need to be cross-reviewed for
consistency and the TAC needs to review the drafts in order to ascertain
whether anything is missing.  

Federal Liaison Perspectives - Mark Bohannon

Before proceeding to the WG reports, Dr. Kent asked Mark Bohannon, Chief
Counsel for the Technology Administration at the U.S. Department of
Commerce, to provide the TAC with a summary of a meeting of the TAC federal
liaisons held on November 18.  The meeting was held to address three issues
which arose at the TAC's October meeting:  applicability of the KR
standard, tiering and interoperability.  (See reference for prepared
presentation.)

Mr. Bohannon stated that the government's policy is that key recovery will
be used whenever cryptography is used for confidentiality purposes.  The
liaisons agreed that it would be inappropriate to include a tier in the
standard that was not approved for government use.  The liaisons suggested
two tiers, a principal distinguishing feature between the two being whether
key recovery is "always on" or is on by default but could be
administratively disabled.  Regarding interoperability, the liaisons
thought that given TAC's timeframe, and early stage of key recovery
technology, interoperability protocols (e.g., between a key recovery
requester and KRA) need not be requirements of the initial TAC
recommendations if they will delay the TAC's progress.

On the topic of time criticality, Mr. Bohannon stated that agencies are
pushing to have a FIPS developed in order for them to proceed with their
planned and pending agency procurements.   Therefore, he is hoping for the
TAC to deliver a document to the Secretary in February.  He reminded the
group that this standard will likely have a two year review period in order
to accommodate technology changes that may occur.  

Working Group #1 (Framework) Status Report - Roger French

Mr. French gave a briefing on the efforts of this group since the last
meeting.  WG#1 had distributed their material prior to the TAC meeting, but
no comments were received.  (See references.)  The issue of tiering needs
to be addressed quickly.  He suggested that there be one central compiler
of all the working group reports and have them incorporated into one draft
document.   Miles Smid volunteered that NIST would be willing to gather all
of the inputs and produce one single draft document, if requested.     

Working Group #2 (Security Models) Status Report - Josh Benaloh

Dr. Benaloh began by noting his appreciation for the work of Santosh
Chokhani and Diane Dunshee in turning the WG#2's goals in FIPS language.
He feels that an appropriate framework and skeleton are now in place.  Jan
Manning and Diane Dunshee  developed a matrix of security requirements (see
references) which was distributed and the subject of much discussion later
in the meeting.  

Working Group #5 (Interoperability) Status Report - Paul Clark

The working group had a handout in the meeting material package.
Interoperability requirements were "exported" to WG#1 and WG#2.  Question
on protocol for interoperability was raised by Paul Clark.  He asked what
the the liaisons' point of view was on this issue.  The general feeling
seemed to be, in short, if interoperability specifications can be provided
without holding up the TAC's progress, that would be welcomed.  

Working Group #8 (Documentation and Assurance) Briefing  -  Santosh Chokhani

Prepared handout material of his group's efforts was distributed (see
references).  Mr. Chokhani plans to address comments made by Miles Smid who
suggested that a section be added to the security functional and assurance
requirements stating that these requirements can be met using FIPS 140-1
level n and TCSEC or Common Criteria profile Y, plus the following
additional TCSEC or CC requirements, plus the following key recovery unique
requirements.  (See referenced e-mail note distributed at meeting, dated
12/10/97).

Chairman's Comments

Next, the Chairman spent time expressing his views and comments on certain
areas of the documents.  Overall, there is a need to look at specific
sections to better integrate them in to already existing sections.  Some
sections continue to be written at considerably differing levels of detail.
 The security requirements section is very well along and in accordance
with the output from WG#8.  There is a need to add supporting components
which are not addressed yet, address the tier issue, and look at the
descriptions from a vendor's point-of-view (as in trying to build a
compliant component).  Dr. Kent also noted that there were a number of
significant changes since the last WG#1 product was distributed, which need
to be discussed with the larger membership, including the definitions of
category 1 and 2, and the table defining what is covered within the scope
of the FIPS.  Sections 1.1 - 1.3 do not have quite the right flavor for a
FIPS.  The examples are all RSA-based and need to be more general.  The
requirements on each of the supporting components need to be refined and
expanded.  The TAC also needs to review the announcement section. 

Discussion 

The Committee then began to review the announcement section, beginning with
the working title, "Cryptographic Key Recovery Systems."  Since the FIPS
will be component-based, there was concern about including the term
"system" in title.  After much discussion, and examination of alternatives,
the TAC agreed to changing the working definition to "Key Recovery
Standard." It will be clear from other sections of the announcement that
the standard only applied to confidentiality keys.  

After re-convening following the lunch break, Mr. Roback passed on Mr.
Gilmore's regrets at being unable to attend this meeting.  He asked that
the TAC be re-assured of his continuing keen interest in the TAC's
activities.  

The TAC then proceeded to review the announcement section.  Many specific
suggestions were made, including the need to revise the draft to reflect
the two-year review period, and the use of  the terms "audit and
monitoring" vice surveillance.  Dr. Kent pointed out that particular
attention should be paid to the "qualifications" paragraph and perhaps
phrased differently in regards to the security parameters.  NIST will
rework the qualification statement.  In discussions regarding the expected
time gap between completion of the standard and the establishment of the
conformance testing program, Dr. Kent asked that all members let him know
if vendors should be able to claim compliance to the standard (before the
validation program is in place) as being sufficient for federal agency
procurement.  (ACTION - ALL MEMBERS)  

There was considerable discussion as to whether the cryptographic
mechanisms used for key recovery should be stronger than (or equal to) the
maximum strength of the cryptography being employed for confidentiality
protection OR stronger than (or equal to) the minimum strength of the
cryptography being employed for confidentiality protection.  This led to a
discussion of a validating laboratory would compare strengths of various
algorithms.  

After a break, the discussion then turned to the "Security Requirements"
matrix.  Jan Manning conducted a briefing on the security requirements
table covering the key recovery enabled end user product and the key
recovery agent.  There were language difficulties regarding security
requirements and assurance levels, often being mis-equated.  A suggestion
was made that the matrix include additional tiers. Many edits were
suggested and specific areas will be reworded based on input from the
members and the liaisons.  The remainder of the days agenda was spent going
over each element of the security requirements. One particular action item
that emerged was for WG#2 to develop a proposed requirement for the
strength of authentication mechanism (ACTION - WG#2).

The meeting was recessed for the day at 5:40 p.m.

Thursday, December 18, 1997

Discussion, cont.

The meeting was resumed at 9:05 a.m.   

Mike Matyas presented a new definition of Tier 1 and Tier 2
characterization. With particular regard to the number of KRAs, he
suggested that at Tier 1, one KRA is sufficient, while at the Tier 2, the
capability must exist to accomplish KR with one KRA and also with multiple
KRAs.  He also distributed a draft "Overview" section to put the FIPS in
perspective.  (See references.)

A discussion followed on the need for accompanying guidance for agencies
using the FIPS, which the liaisons had also discussed at their November
meeting.  

There is, additionally, a need for an introductory paragraph for the FIPS,
which would place the standard in context (e.g., as the risks to
organizations grow from the unavailability of information, KRAs are
established, which themselves could become targets…)  

Next, Russ Housley presented his definition of what was meant by the term
"confidentiality."  Key recovery information must be protected using
encryption that is as strong or stronger than the algorithm associated with
the recoverable key.   

Discussion turned to the draft framework sections of the report.   First,
Dr. Kent brought up the topic of Section 1.4 on systems policy and the
correct use of the terminology "systems policy."    There is a need for a
separate document that has more of a systems flavor, suggested Dr. Kent,
since the FIPS is component-focused.  When the draft FIPS is delivered to
the Secretary, the cover letter should lay out what this FIPS covers, and
what other supporting documents/guidance the TAC suggests are necessary.
Also, the qualification section of the document could also include similar
information of explanation.  Elaine Barker will draft a sample paragraph to
cover this.  (ACTION - Ms. Barker) 

Additionally, it was suggested that the appendix contain a section similar
to the systems policy section. A guidance appendix would cover a lot of
these issues that the TAC thinks are important, like the systems policy
issue, and that the users will find it very helpful until another guidance
document can be developed, suggested Mr. Smid.  Two different kinds of
methods may be necessary offered Dr. Benaloh: 1) a concise list of
mandatory options imbedded in the document as well perhaps listed
independently for quick reference and 2) a list of mandatory options for
affirmation that a product may provide an option and still be FIPS
compliant.  An agreement was reached that Section 1.4 will be pared down
and include an outline for policy that government and agencies would make
use of and made into an appendix to the FIPS.    Dr. Benaloh stressed the
need for the FIPS to clearly state that products may have many other
options and still be FIPS-compliant.  Members are to provide comments on
section 1.4 to Dr. Benaloh as soon as possible and he will develop a draft
appendix.  (ACTION - Members)

Prior to the lunch break, Dr. Etzel observed that the TAC is doing a good
job of starting to tackle the major issues, but not all of them have yet
been identified or resolved.  This led to a discussion of whether the TAC
will be ready for a vote in February for delivery of a product to the
Secretary.  Dr. Kent indicated his desire to meet that goal, since the
Secretary clearly desires the TAC's work by then, as Mr. Bohannon indicated
earlier; however, a show of hands expressed unanimity among TAC members
that this would be impossible to achieve.  Concerns were discussed about
the quality and completeness of the technical work which could be delivered
in February.  

Discussion then moved on to review of section 1.5 on Interoperability.   It
was agreed that private key escrow is an acceptable approach to having FIPS
compliant products.   Dr. Matyas discussed his key recovery enablement
process vugraph [Figure 1 in Section l.2] and stated that the recovery
information medium could be the same in the many different mediums, and
does not have to be directly associated.  There was concern on the part of
members as to the inclusiveness of the current model.  Further discussion
lead to the editing of this diagram and additional text to be added to
section 1.2 to clarify the terminology used to refer to the key recovery
process.

The Chairman asked each of the document section authors to prepare their
sections in appropriate MS Word format with appropriate numbering to
facilitate ease of consistent editing of future versions.   It was also
suggested that those members who plan to attend the RSA conference in
January think about the possibility of holding informal working groups
meetings while there. The committee voted that there should be no
requirements on end systems interoperability as part of this FIPS.    

Dr. Benaloh asked the federal liaisons how important interoperability is to
this FIPS.  He feels that there is a good bit of work to be done on this
section of the report and the amount of time required to do a good job and
meet the time frame that the Secretary of Commerce has requested for a
deliverable.  The remainder of the afternoon session was spent discussing
the interpretation of what was meant by the terms interoperability.
Chairman Kent volunteered to draft some requisite characteristics for
interoperability and send distribute copies to the members for discussion
at the next meeting.  (ACTION - Dr. Kent) 

No members of the public wished to address the TAC during the designated
period.  

The Secretary will look into the possibility of having the next meeting
dates extended in order to accomplish more work.  (ACTION - Ed Roback)

After expressing his appreciation for the continuing participation of the
members and liaisons, Dr. Kent adjourned the meeting at 3:45 p.m.
 
References (on file with the Secretariat)
#1 - Agenda & Federal Register Announcement
#2 - Mr. Bohannon's prepared presentation
#3 - Framework WG materials (WG #1)
#4 - Security Model WG, including "Security Requirements" matrix (WG#2)
#5 - Interoperability WG (WG #5) Draft
#6 - Documentation and Assurance WG materials (WG #8)
#7 - Dr. Chokhani's e-mail note of 12/10/97
#8 - Draft "Overview" section