Commerce plans panel on key use

The Commerce Department will form an advisory committee to set up a Federal Information Processing Standard (FIPS) to support the development of a federal key management infrastructure, another important step toward realizing a recent White House plan for a key escrow encryption infrastructure.

"The administration has proposed in its white paper that there be an international key infrastructure that balances the ability to have a public key infrastructure and to give law enforcement key recovery abilities," a senior administration official said.

Issued in May, this white paper articulated a plan for a key management infrastructure allowing government and private users to exchange encrypted information using sets of public and private keys [FCW, May 27]. Under this plan, law enforcement could gain access to private keys in order to "wiretap" communication streams during an investigation.

The FIPS would provide technical specifications for key management infrastructure (KMI) functions. In such a system, a set of keys for decrypting encrypted communications is held by the user's company or agency, or by a third party.

Recommending a FIPS to support a federal encryption key management infrastructure may prove a challenging task for the committee. No FIPS or broad-based technical standards exist for public key management in the civilian government.

A key management infrastructure would support the generation and distribution of public key certificates as well as technical guidelines for key recovery.

The infrastructure also would provide for a Policy Approving Authority, which would act as a central node that all users trust and could validate the authenticity of certificates, certificate authorities and other entities in the key management infrastructure.

Commerce does not always name an advisory council when it plans to develop a FIPS. The committee's recommendations "could be highly technical protocol specifications, or they could be just identifying a need for a federal standard," said Anne Enright Shepherd, a spokeswoman for the National Institute of Standards and Technology.

No one has yet been named to the committee, which will be made up of government and private representatives and will have a maximum of 24 members. A slate of potential committee members has been given to the secretary of Commerce.

In addition, the administration is expected to release a report by the end of this month describing a series of key management pilots in various stages of planning within the federal government, according to the administration source.

In April, the General Services Administration circulated a draft of a public key encryption policy for comment.

In a public key encryption system, users register their public keys with a certificate authority, an organization that verifies that a public key belongs to an individual with the matching private key. Only a user with the right private key can read a message that is encrypted this way.

