Minutes of the November 17-19, 1998 Meeting of the Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure

The twelfth meeting of the Committee was called to order at 9:10 a.m. by the Chairman, Dr. Stephen Kent, at the Radisson Conference Center, Orlando, Florida, on September 22, 1998. As with all other TAC meetings, all sessions were open to the public, although no members of the public attended.

In addition to the Chairman, members present were: Joe Alexander, Josh Benaloh, Dave Carman, Santosh Chokhani, Paul Clark, Jack Edwards, Mark Etzel, Roger French, Russ Housley, Mike Markowitz, and Mike Matyas. A quorum was present for all actions taken at this meeting. Government liaisons in attendance were Elaine Barker, John Sabo, Dick Sweeney and Martin Tevelow. The FBI, which was unable to attend, provided a letter to the Secretary (see references).

The Secretary, Ed Roback, briefly reviewed the Department's activities to renew the Committee's charter. He also welcomed Mr. Tevelow, a new federal liaison from the Department of Energy.

The Chairman reviewed his objectives for the meeting, which were to review: (1) the level 0 requirements for self-recovery for the key recovery requestor (KRR) function; (2) the inclusion of the key recovery information generation function for level 1; (3) the recovery request information issue (arising from discussions at the September meeting); and (4) the assurance section, to clarify the scope of the key recovery requestor. After discussion as to how to proceed, it was agreed that the most critical issues would be addressed first (vice a serial review).

There was considerable discussion about the draft non-repudiation requirements for the level 0 KRR Function. The Committee decided to remove the requirements for the provision of time stamps (for use in transactions with the KRA function) and for the generation of evidence of origin for key recovery requests.
The requirement for evidence of origin was then added at level 1. Discussion then turned to the question of whether it was a goal to require that a level 1 KRA be configurable (as a local policy matter) to support a level 0 key recovery request. The Committee was not in favor of doing this.

Next, the Committee focused on (old) requirement #156 ("The product shall verify evidence of origin for key recovery requests and for KRI[RRI?] transactions, for requests from a Level 1 or..") The Committee discussed whether to tie this requirement to self-recovery or to a level 0 KRR. The Committee voted to tie this to level 0. In the course of the discussion, it was agreed to replace the term "evidence of origin" with "proof of origin" throughout the document.

The Committee agreed to remove the level 1 KRI Validation function, and propagated conforming changes throughout the text. In discussions regarding the term "recovery request information (RRI)," the Committee agreed to remove that term, believing RRI to be a subset of KRI.

Following a lengthy discussion of old requirement #36 ("The product shall generate KRI to allow the KRI Validation Function to verify that the KRI can be successfully used to recover the target key,") it was agreed to scope it down to circumstances when KRI is generated that is destined for a cryptographic end system. Clarifying language was drafted by Dr. Kent and will be added following the requirement.

The Committee discussed whether to reword (old) requirement #28 to levy a confidentiality requirement on the key recovery generation function and the KRA function (not just for communications with the KRA). The Committee voted against doing so. The Committee also considered whether to add a level 0 KRA Function. It declined to do so. A proposal was made to eliminate Appendix C and Requirement #17; neither was accepted.

Another lengthy discussion was held involving the level 2 KRI Validation Function.
Before dropping the level 1 KRI Validation Function, the level 2 requirements allowed for meeting the level 1 requirements if the level 2 validation function could not be accomplished. With the removal of level 1, this "fall-back" option was no longer available, raising concerns about interoperability. After much back-and-forth and various votes, the Committee agreed to integrate the old level 1 requirements into level 2, as a fall-back option for validation (thus addressing the interoperability concerns). The KRI validation function at level 2 was also made configurable.

A proposal was made to remove the "low," "medium," and "high" security descriptors for levels 0, 1, and 2 respectively. The Committee decided not to do so.

The Committee made numerous minor edits to the document. It was agreed that, due to a technical failure of the PC used for editing at the meeting, the document would be circulated to the TAC members for a final editorial review prior to sending it forward. Due to the provisions of the Federal Advisory Committee Act, no substantive changes are permissible during this editorial-only review. NIST has the lead action.

The Committee also composed and approved a transmittal letter to the Secretary of Commerce to accompany the draft standard. There being no further business, the meeting was adjourned at 5:10 p.m. on November 19, 1998.

References

1. TAC document dated 11/98 (starting document for 11/98 meeting)
2. Red-lined draft document (at end of 11/98 meeting). (Note that this draft received minor editorial correction before preparation for transmittal by the Chairman to the Secretary of Commerce.)
3. Text of approved transmittal letter to the Secretary of Commerce
4. Agenda
5. Federal Register meeting announcement
6. Letter to the Chairman from Mr. Gilmore (federal liaison to the TAC from the FBI)