NIST, Industry Partners to Develop Specifications for Public Key Infrastructure

In an effort to support U.S. industry in a global information marketplace, the Commerce Department's National Institute of Standards and Technology is joining with several companies to take steps toward developing the elements of a public key infrastructure (also known as PKI), which will make it possible to send and receive digitally signed documents among organizations and individuals who may never have met.

NIST has established cooperative research and development agreements with AT&T Government Markets; BBN Corp.; Certicom Corp.; Cylink Corp.; DynCorp Information & Engineering Technology, Inc.; Information Resource Engineering, Inc.; Motorola; Northern Telecom Ltd. (Nortel); SPYRUS, Inc. and VeriSign, Inc. Each company brings specialized experience in providing products or services related to PKI components.

"NIST is not here to reinvent the wheel," said Donna Dodson, computer scientist at NIST. "We're hoping that by combining our technical skill with the expertise of these seasoned industry players and working on this together, we can help make a public key infrastructure a reality."

The partnerships aim to develop a minimum interoperability specification—sort of a least common denominator for the technical pieces of a public key infrastructure—to be publicly available for organizations to use in building PKI components. By working with NIST, the companies are helping to ensure that future PKI components will be able to communicate with each other, much as today's fax machines can receive transmissions from each other regardless of brand name or manufacturer.

A public key infrastructure is necessary to enable large-scale use of digital signatures and other forms of public key cryptography by both government and private-sector users. The current federal Digital Signature Standard, for example, relies on public and private digital keys to verify both the integrity of electronic messages and forms, and the signer's identity. The sender's public key, used by the receiver of a signed message to verify the digital signature, must be certified by a reliable third party. The public key infrastructure will feature certification authorities to manage the issuance and revocation of public key certificates. The minimum interoperability specification and other NIST work focus on "root," or primary, certification authorities.

Although this preliminary PKI work will use the federal Digital Signature Standard to test signature capabilities, the PKI by design will not rely on one signature method so that in the future the infrastructure may support additional cryptographic technologies.

NIST researchers will set up a PKI laboratory consisting of the products provided by each of the CRADA partners to begin finding commonalities among them. The interoperability specification will be based on this analysis as well as discussions with representatives of each company.

After the interoperability specification has been finalized, NIST plans to build a reference implementation, or sample prototype, that embodies all of the characteristics named in the specification. NIST then plans to incorporate the implementation into an interoperability test suite to be used by companies to see if the products they are developing will communicate with other PKI components.

The results of this partnership will be shared not only with the companies participating but also with appropriate standards bodies, federal government groups and industry organizations that are working on other aspects of PKI development.

This activity is part of a larger federal government effort to design a PKI based on standards and interoperable commercial products that can serve the federal government's large and diverse customer community. The Government Information Technology Services Working Group monitors dozens of federal agency pilot projects involving digital signature technology, which eventually could map into a PKI. In addition, the Federal Public Key Infrastructure Steering Committee oversees design of the infrastructure itself.

A non-regulatory agency of the Commerce Department's Technology Administration, NIST promotes U.S. economic growth by working with industry to develop and apply technology, measurements and standards.

Released July 9, 1996, Updated November 27, 2017