Commerce plans panel on key use

The Commerce Department will form an advisory committee to set up a Federal Information Processing Standard (FIPS) to support the development of a federal key management infrastructure, another important step toward realizing a recent White House plan for a key escrow encryption infrastructure.

"The administration has proposed in its white paper that there be an international key infrastructure that balances the ability to have a public key infrastructure and to give law enforcement key recovery abilities," a senior administration official said.

Issued in May, this white paper articulated a plan for a key management infrastructure allowing government and private users to exchange encrypted information using sets of public and private keys [FCW, May 27]. Under this plan, law enforcement could gain access to private keys in order to "wiretap" communication streams during an investigation.

The FIPS would provide technical specifications for KMI functions. In such a system, a set of keys for decrypting encrypted communications is held by the user's company or agency, or by a third party.

Recommending a FIPS to support a federal encryption key management infrastructure may prove a challenging task for the committee. No FIPS or broad-based technical standards exist for public key management in the civilian government.

A key management infrastructure would support the generation and distribution of public key certificates as well as technical guidelines for key recovery.

The infrastructure also would provide for a Policy Approving Authority, which would act as a central node that all users trust and could validate the authenticity of certificates, certificate authorities and other entities in the key management infrastructure.

Commerce does not always name an advisory council when it plans to develop a FIPS. The committee's recommendations "could be highly technical protocol specifications, or they could be just identifying a need for a federal standard," said Anne Enright Shepherd, a spokeswoman for the National Institute of Standards and Technology.

No one has been named to the committee yet, which will be made up of government and private representatives. It will hold a maximum of 24 people. A slate of potential committee members has been given to the secretary of Commerce.

In addition, the administration is expected to release a report by the end of this month describing a series of key management pilots in various stages of planning within the federal government, according to the administration source.

In April, the General Services Administration circulated a draft of a public key encryption policy for comment.

In a public key encryption system, users register their public keys with a certificate authority, an organization that verifies that a public key belongs to an individual with the matching private key. Only a user with the right private key can read a message that is encrypted this way.