[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Key Escrow Agent Criteria [Draft]
- To: [email protected]
- Subject: Key Escrow Agent Criteria [Draft]
- From: [email protected] (Anonymous)
- Date: Fri, 8 Dec 1995 17:19:12 +0100
- Organization: RePLaY aND CoMPaNY UnLimited
- Sender: [email protected]
- Xcomm: Replay may or may not approve of the content of this posting
- Xcomm: Report misuse of this automated service to <[email protected]>
[From NIST 12-08-95]
The following draft discussion paper was distributed at the
12/5/95 meeting at NIST on draft criteria for 64-bit software
key escrow exportability.
DRAFT
(12/1/95)
Key Escrow Agent Criteria
Introduction
An often heard concern regarding key escrow encryption is that
users of such encryption are vulnerable to abuse of the
escrowed key by the escrow agents or others. Many have
suggested that changes in the law are needed that
specifically, criminalize any such abuses. We agree that such
laws will be beneficial in deterring acts by anyone to access
escrowed keys without authority or to undermine the integrity
of the escrow key system.
However, the availability of criminal prosecution is not alone
sufficient. Key escrow agents must be selected not only with a
view toward assuring the availability of escrowed keys for
properly authorized government officials, but also to assure
that the escrow agents have the commitment and means to
protect the confidentiality and integrity of the keys they
escrow and the escrow system. This will be particularly
important if, as we expect will occur, some key escrow
products will be designed such that the escrow agent could
discern the identity of the user from the keys and other
information that is escrowed with them.
The following criteria were drafted with these principles in
mind. We have not yet addressed conditions under which users
can be the sole repository of the keys for their system. We
recognize that some organizations or people do not want anybody
but themselves to escrow their keys. However, since an
important reason for escrowing is to preserve effective law
enforcement, we must assure authorized officials can reliably
and timely obtain access to escrowed keys through entities
independent of the subject of electronic surveillance. Thus
we welcome suggestions on how best to meet this range of
interests.
In considering the criteria appropriate for approving escrow
agents, we considered whether the government needs to assure it
has timely and reliable access when authorized and what key
escrow encryption users would want to ensure that the escrowing
of keys does not undermine their security. Of course, the
government is also a user of key escrow encryption products and
shares with other users an interest to ensure the integrity
and security of the escrow system. Similarly, organizations
interested in data recovery share the government's interest to
have a system through which access to escrowed key is enabled
under appropriate circumstances. With these considerations in
mind, we developed criteria in two categories, "Escrow System
Integrity and Security" and "Key Access Requirements." We
expect that prospective escrow agents that meet criteria such
as these would be considered as "approved" escrow agents for
export purposes, to hold keys for government systems, etc.
Note that keys and/or key components for devices that may
process classified information shall be escrowed with escrow
agent entities selected by the U.S. government, and that those
escrow agent entities may be required to meet more stringent
requirements.
Escrow System Integrity and Security
1. Escrow agent entities shall devise and institutionalize
policies, procedures, and mechanisms to ensure the
confidentiality, integrity, and availability of key escrow
related information.
a. Escrow agent entities shall be designed and operated
so
that a failure by a single person, procedure, or
mechanism does not compromise the confidentiality,
integrity or availability of the key and/or key
components (e.g., two person control of keys, split
keys, etc.)
b. Unencrypted escrowed key and/or key components that
are
stored and/or transmitted electronically shall be
protected (e.g., via encryption) using approved
means.
c. Unencrypted escrowed key and/or key components stored
and/or transferred via other media/methods shall be
protected using approved means (e.g., safes).
2. Escrow agent entities shall ensure due form of escrowed
key
access requests and authenticate the requests for escrowed
key and/or key components.
3. Escrow agent entities shall protect against disclosure of
information regarding the identity of the person/
organization whose key and/or key components is requested,
and the fact that a key and/or key component was requested
or provided.
4. Escrow agent entities shall enter keys/key components into
the escrowed key database immediately upon receipt.
5. Escrow agent entities shall ensure at least two copies of
any key and/or key component in independent locations to
help ensure the availability of such key and/or key
components due to unforeseen circumstances.
6. Escrow agent entities that are certified by the U.S.
government shall work with developers of key escrow
encryption products and support a feature that allows
products to verify to one another that the products' keys
have been escrowed with a U.S.-certified agent.
Key Access Requirements
7. An escrow agent entity shall employ one or more persons
who
possess a SECRET clearance for purposes of processing
classified (e.g., FISA) requests to obtain keys and/or key
components.
8. Escrow agent entities shall protect against unauthorized
disclosure of information regarding the identity of the
organization requesting the key or key components.
9. Escrow agent entities shall maintain data regarding all
key
escrow requests received, key escrow components released,
database changes, system administration accesses, and
dates
of such events, for purposes of audit by appropriate
government officials or others.
10. Escrow agent entities shall maintain escrowed keys and/or
key components for as long as such keys may be required to
decrypt information relevant to a law enforcement
investigation.
11. Escrow agent entities shall provide key/key components to
authenticated requests in a timely fashion and shall
maintain a capability to respond more rapidly to emergency
requirements for access.
12. Escrow agent entities shall possess and maintain a
Certificate of Good Standing from the State of
incorporation
(or similar local/national authority).
13. Escrow agent entities shall provide to the U.S. government
a
Dun & Bradstreet/TRW number or similar credit report
pointer
and authorization.
14. Escrow agent entities shall possess and maintain an Errors
&
Omissions insurance policy.
15. Escrow agent entities shall provide to the U.S. government
a
written copy of, or a certification of the existence of a
corporate security policy governing the key escrow agent
entity's operation.
16. Escrow agent entities shall provide to the U.S. government
a
certification that the escrow agent will comply with all
applicable federal, state, and local laws concerning the
provisions of escrow agent entity services.
17. Escrow agent entities shall provide to the U.S. government
a
certification that the escrow agent entity will transfer
to
another approved escrow agent the escrow agent entity's
equipment and data in the event of any dissolution or
other
cessation of escrow agent entity operations.
18. Escrow agent entities for products sold in the U.S. shall
not be a foreign country or entity thereof, a national of
a
foreign country, or a corporation of which an alien is an
officer or more than one-fourth of the stock which is
owned
by aliens or which is directly or indirectly controlled by
such a corporation. Foreign escrow agent entities for
products exported from the U.S. will be approved on a case
by case basis as law enforcement and national security
agreements can be negotiated.
19. Escrow agent entities shall provide to the U.S. government
a
certification that the escrow agent entity will notify the
U.S. government in writing of any changes in the forgoing
information.
20. Fulfillment of these and the other criteria are subject to
periodic recertification.
12/1/95
*****************************************************
Elaine Frye
Computer Security Division
National Institute of Standards and Technology Bldg. 820, M.S.
Room 426
Gaithersburg, MD 20899-0001
Voice: 301/975-2819 Fax: 301/948-1233
*****************************************************