DISA/D211, 5113 Leesburg Pike, Room 428, Falls Church, VA 22041

D -- DOD MEDIUM ASSURANCE PUBLIC KEY INFRASTRUCTURE PROPOSAL FOR EXTERNAL CERTIFICATE AUTHORITIES (ECAS) POC Ms. Happy Barranco, DISA INFOSEC Program Management Office, (703) 681-7943 or Mr. Peter G. Smingler, Contracting Officer, (703) 681-0526 E-MAIL: Click here to contract the DISA INFOSEC Program Management, barranch@ncr.disa.mil. The Defense Information Systems Agency (DISA)/Defense Information Technology Contracting Organization (DITCO) herewith issue a Request for Information (RFI) for potential pilots of an ECA Model. THE GOVERNMENT DOES NOT INTEND TO AWARD A CONTRACT ON THE BASIS OF THE RFI OR TO OTHERWISE PAY FOR INFORMATION RECEIVED IN RESPONSE TO THE RFI. Interested parties should respond with comments no later than 27 August 1998. Subsequently, the DOD will determine a date to begin accepting applications. INTRODUCTION: For external business transactions using a PKI, the DOD must operate with non-DOD entities and establish a policy for third party trust relationships. In a public key system, the public key must be freely accessible and the user must have a reliable way of verifying the authenticity of public keys. An infrastructure for managing and certifying public keys can be based on a hierarchy or network of mutually "trusted" certification authorities. PURPOSE: This document focuses on the DOD's current implementation of the medium assurance PKI and the plan to operate with parties outside the DOD. Non-DOD entities doing business electronically with DOD must take steps to ensure that any use of the PKI achieves a level of assurance equivalent to the DOD PKI medium assurance, as defined in the draft U.S. DOD Certificate Policy, thereby ensuring a satisfactory trust relationship for DOD and non-DOD electronic transactions. Non-DOD entities, including DOD contractors, vendors, and other government organizations, achieve this level of assurance, in part, by utilizing the services of ECAs to ensure the integrity of their electronic business. EXTERNAL CERTIFICATE AUTHORITY: In the near-term, DOD's intention is to support interoperability by making available to the ECA community a test and certification process. This process will ensure that ECAs using the DOD's PKI on behalf of Non-DOD subscribers will operate at a level of assurance equivalent to the DOD PKI medium assurance. The DOD will certify ECAs to support interoperability with users outside the DOD. The DOD will maintain, continuously update, and publish a list of all certified ECAs so that contractors and vendors may make informed decisions for ECAs to employ for their electronic business transactions. ECAs are not required to be certified. However, non-DOD entities who use uncertified ECAs face a risk that the integrity of electronic transactions will be compromised thereby. Contract clauses will be developed to ensure that contractors are aware that any damages incurred as a result of using an ECA, certified or not, cannot be shifted to the Government. This document describes procedures for testing and certifying an ECA, including assurances that must be provided by such organizations. To permit secure interoperability between DOD and non-DOD users, a common certification path must exist. BECOMING A DOD-RECOGNIZED ECA: The establishment of a DOD-certified ECA will be based on compliance with DOD policy and certification criteria. Testing and certification will be performed by or under the direction and control of the DOD. Since users of the DOD PKI already trust the Root, certificates issued by the ECA will be trusted and verifiable by DOD relying parties. Non-DOD relying parties will also need to trust the DOD Root in order to recognize certificates issued by the DOD PKI. ECAs that meet the established DOD requirements will receive certificates digitally signed by the DOD Medium Assurance Root. The DOD Medium Assurance Root will also maintain an accurate and current list of all certified ECAs. This listing will be publicly available to any current or prospective DOD contractor or vendor. Acceptance of a candidate ECA by the DOD will be based primarily, but not exclusively, on the applicant's ability, at a minimum, to meet the medium assurance level criteria defined in the Draft U.S. DOD Certificate Policy, 9 March 1998. Adherence to this policy is required as a condition of continued acceptance of ECA issued certificates by the DOD. ECAs are required to meet certain technical and procedural criteria as defined in the DOD PKI Draft Functional Specification (11 May 98). This specification references the profile of the DOD certificate. It is essential that certificates issued by ECAs comply with the DOD certificate profile requirements. The ECA will also provide directory services for its clients and a Lightweight Directory Access Protocol (LDAP) interface to its repository. The ECA must demonstrate adequate arrangements to protect private encryption of keys held by the ECA from improper disclosure and use. The ECA must demonstrate adequate arrangements for protecting the hierarchical keys upon which the secrecy of client keys or system keys are dependent. Each potential ECA will submit an application in the form of a Certification Practice Statement (CPS) in the Internet Engineering Task Force Public Key Infrastructure X.509 (IETF/PKIX) part 4 format to the DOD PKI Policy Management Authority (PMA) Sub-Committee for approval. Prospective ECAs can visit the IETF web site at <ftp://ftp.ietf.org/internet-drafts/draft-ietf-pkix-ipki-part4-03.t xt> to reference the format. CANDIDATE ECA REVIEW PROCESS: Candidate ECAs seeking DOD certification shall submit to the DOD PKI Policy Management Authority (PMA) Sub-Committee the application consisting of a CPS in the IETF/PKIX part 4 format (reference the IETF web site for the format) and a system design/architecture, in particular, CA configuration parameters. The applications will be processed and reviewed individually in the order in which they are received by the DOD PKI PMA Sub-Committee, composed of representatives from the National Security Agency (NSA), the Defense Information Systems Agency (DISA), the military services, and the DOD agencies. If the application is determined unacceptable, the DOD PKI PMA Sub-Committee will provide written notice with the reason for the rejection. At its discretion, the DOD PKI PMA Sub-Committee may allow subsequent modifications or corrections from the candidate ECA for immediate reconsideration or may require the candidate to resubmit an application to be processed after the applications on hand at the time of resubmission. If the application is determined acceptable, the DOD PKI PMA Sub-Committee will conduct site inspections and interviews. Following the site inspections and interviews, the DOD PKI PMA Sub-Committee will either submit comments in writing to the candidate ECA for re-evaluation or will recommend the candidate ECA to the DOD PKI PMA. The DOD PKI PMA reserves the right to grant exceptions for approval at any stage in the process. The DOD PKI PMA, with senior representatives from NSA and DISA, will review the findings and recommendations of the DOD PKI PMA Sub-Committee and will approve or disapprove the candidate ECA. Following approval by the DOD PKI PMA, a Memorandum of Agreement will be generated between the DOD and the ECA. A list of approved ECAs will be published for public information. This procedure is not intended to create any rights or privileges for candidate ECAs, adverse decisions may not be appealed above the DOD PKI PMA, and judicial review is not available. Since use of a certified ECA will not be required by contract, certification does not create any right of action against the Government in the contractors or vendors who subscribe to the services of an ECA. LIABILITY: It is DOD's intent to provide a service for non-DOD entities wishing to use PKI for business transactions. In the case of private industry users, specifically DOD Contractors, the Contractors must be informed in the contract that the ECA testing and certification process does not create any rights in the candidate ECA or the non-DOD entity. Matters of liability for damages from a failure of the ECA's PKI service are properly to be covered in the agreement between the private industry users and the ECAs. The point of contact for technical issues concerning this announcement is Ms. Happy Barranco, DISA at (703) 681-7943, <barranch@ncr.disa.mil>. DOD PKI documents referenced in this RFI can be obtained by sending an electronic request to Ms. Barranco. The point of contact for contractual issues is Mr. Peter G. Smingler, Contracting Officer, DISA/D211 at (703) 681-0526.***** LLLL Posted 07/27/98 (W-SN228891). (0208)

Loren Data Corp. http://www.ld.com (SYN# 0021 19980729\D-0005.SOL)