[ABA2] American Bar Association, PKI Assessment Guidelines, v0.30,
Public Draft For Comment, June 2001.
[BAU1] Michael S. Baum, Federal Certification Authority Liability
and Policy, NIST-GCR-94-654, June 1994, available at
[ETS] European Telecommunications Standards Institute, "Policy
Requirements for Certification Authorities Issuing Qualified
Certificates," ETSI TS 101 456, Version 1.1.1, December 2000.
[GOC] Government of Canada PKI Policy Management Authority, "Digital
Signature and Confidentiality Certificate Policies for the
Government of Canada Public Key Infrastructure," v.3.02, April
[IDT] Identrus, LLC, "Identrus Identity Certificate Policy," IP-IPC
Version 1.7, March 2001.
[ISO1] ISO/IEC 9594-8/ITU-T Recommendation X.509, "Information
Technology - Open Systems Interconnection: The Directory:
Authentication Framework," 1997 edition. (Pending publication
of 2000 edition, use 1997 edition.)
[PEM1] Kent, S., "Privacy Enhancement for Internet Electronic Mail:
Part II: Certificate-Based Key Management", RFC 1422, February
[PKI1] Housley, R., Polk, W., Ford, W. and D. Solo, "Internet X.509
Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile", RFC 3280, April 2002.
[CPF] Chokhani, S. and W. Ford, "Internet X.509 Public Key
Infrastructure, Certificate Policy and Certification Practices
Statement Framework", RFC 2527, March 1999.
1. A paper copy of the ABA Digital Signature Guidelines can be
purchased from the ABA. See http://www.abanet.com for ordering
details. The DSG may also be downloaded without charge from the
ABA website at
2. A draft of the PKI Assessment Guidelines may be downloaded
without charge from the ABA website at
3. The term "meaningful" means that the name form has commonly
understood semantics to determine the identity of a person and/or
organization. Directory names and RFC 822 names may be more or
4. The subject may not need to prove to the CA that the subject has
possession of the private key corresponding to the public key
being registered if the CA generates the subject's key pair on
the subject's behalf.
5. Examples of means to identify and authenticate individuals
include biometric means (such as a thumbprint, a ten-finger print
set, or a scan of the face, palm, or retina), a driver's license, a
credit card, a company badge, and a government badge.
6. Certificate "modification" does not refer to making a change to
an existing certificate: altering any part of a signed certificate
would invalidate the CA's signature over it, so the modified
certificate could no longer be verified. Rather, the concept of
"modification" refers to a situation where the information
referred to in the certificate has changed or should be changed,
and the CA issues a new certificate containing the modified
information. One example is a subscriber who changes his or her
name, which would necessitate the issuance of a new certificate
containing the new name.
7. The n out of m rule allows a private key to be split into m parts.
The m parts may be given to m different individuals. Any n parts
out of the m parts may be used to fully reconstitute the private
key, but any n-1 or fewer parts provide no information about the
private key.
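The n out of m rule in note 7 is what Shamir's secret sharing over a prime field provides. The following is an added example, not part of RFC 3647 or of any CA's software: the key is the constant term of a random polynomial of degree n-1, each share is a point on that polynomial, any n points determine it, and n-1 points are consistent with every possible constant term. The field prime 2^521-1 (a Mersenne prime) is an assumption chosen so that a raw key of up to 64 bytes fits; the function names and the 32-byte sample key are constructed for the example.

```python
"""Shamir n-of-m splitting of a private key (added example, not from RFC 3647)."""
import secrets

# Assumption: the Mersenne prime 2^521 - 1 as the field modulus. Any prime
# larger than the secret works; this one holds a key of up to 64 bytes.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, n, m):
    """Split an integer secret into m shares, any n of which reconstruct it.

    The secret is the constant term of a random degree-(n-1) polynomial;
    share i is the point (i, p(i)). x = 0 is never used as a share index,
    because p(0) is the secret itself.
    """
    if not 1 <= n <= m:
        raise ValueError("need 1 <= n <= m")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in [0, PRIME)")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(n - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, m + 1)]


def _interpolate_at(points, x0):
    """Lagrange interpolation through `points`, evaluated at x0 modulo PRIME."""
    result = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % PRIME
                den = den * (xi - xj) % PRIME
        result = (result + yi * num * pow(den, -1, PRIME)) % PRIME
    return result


def reconstruct_secret(shares):
    """Recover the secret from n (or more) distinct shares."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share indices")
    return _interpolate_at(shares, 0)


def predict_missing_share(known_shares, candidate_secret, missing_x):
    """The 'no information' property of n-1 shares, made concrete.

    Given only n-1 shares, every candidate secret fixes a unique
    degree-(n-1) polynomial through them and therefore predicts a value
    for the share the holder does not have. All candidates are equally
    consistent with what is held; only the n-th share distinguishes them.
    """
    return _interpolate_at(list(known_shares) + [(0, candidate_secret)], missing_x)


def split_key(key, n, m):
    """Split a raw private key (bytes, at most 64 bytes) into m shares."""
    if len(key) > 64:
        raise ValueError("key longer than 64 bytes; split it into chunks first")
    return split_secret(int.from_bytes(key, "big"), n, m)


def recover_key(shares, length):
    """Inverse of split_key: rebuild the key as `length` big-endian bytes."""
    return reconstruct_secret(shares).to_bytes(length, "big")


if __name__ == "__main__":
    # Constructed sample: a 32-byte key split 3-of-5 among five custodians.
    key = bytes(range(32))
    shares = split_key(key, 3, 5)
    assert recover_key([shares[0], shares[2], shares[4]], 32) == key
    # Two custodians alone: the true key and a wrong guess both "fit".
    two = shares[:2]
    true_y5 = predict_missing_share(two, int.from_bytes(key, "big"), 5)
    wrong_y5 = predict_missing_share(two, 12345, 5)
    print("3 of 5 shares recover the key; 2 shares leave every key possible:",
          true_y5 == shares[4][1], wrong_y5 != shares[4][1])
```

Shares must be handed out with their x index, and the same index must never be reused for a different custodian; reconstruction with fewer than n shares does not fail, it silently yields a wrong value, so the procedure around this code must enforce the threshold.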
8. A private key may be escrowed, backed up, or archived. Each of
these functions has a different purpose. Thus, a private key may
go through any subset of these functions depending on the
requirements. The purpose of escrow is to allow a third party
(such as an organization or government) to obtain the private key
without the cooperation of the subscriber. The purpose of backup
is to allow the subscriber to reconstitute the key in case of
the destruction or corruption of the key, for business continuity
purposes. The purpose of archival is to provide for reuse of the
private key in the future, e.g., to decrypt a document.
9. WebTrust refers to the "WebTrust Program for Certification
Authorities," from the American Institute of Certified Public
Accountants, Inc., and the Canadian Institute of Chartered
10. See <http://www.aicpa.org>.
11. All or some of the following items may be different for the
various types of entities, i.e., CA, RA, and end entities.
11. List of Acronyms
ABA - American Bar Association
CA - Certification Authority
CP - Certificate Policy
CPS - Certification Practice Statement
CRL - Certificate Revocation List
DAM - Draft Amendment
FIPS - Federal Information Processing Standard
I&A - Identification and Authentication
IEC - International Electrotechnical Commission
IETF - Internet Engineering Task Force
IP - Internet Protocol
ISO - International Organization for Standardization
ITU - International Telecommunication Union
NIST - National Institute of Standards and Technology
OID - Object Identifier
PIN - Personal Identification Number
PKI - Public Key Infrastructure
PKIX - Public Key Infrastructure (X.509) (IETF Working Group)
RA - Registration Authority
RFC - Request For Comments
URL - Uniform Resource Locator
US - United States
12. Authors' Addresses
Orion Security Solutions, Inc.
3410 N. Buchanan Street
Arlington, VA 22207
Phone: (703) 237-4621
Fax: (703) 237-4920
6 Ellery Square
Cambridge, MA 02138
Phone: (617) 642-0139
Randy V. Sabett, J.D., CISSP
Cooley Godward LLP
One Freedom Square, Reston Town Center
11951 Freedom Drive
Reston, VA 20190-5656
Phone: (703) 456-8137
Fax: (703) 456-8100
Charles (Chas) R. Merrill
McCarter & English, LLP
Four Gateway Center
100 Mulberry Street
Newark, New Jersey 07101-0652
Phone: (973) 622-4444
Fax: (973) 624-7070
13. Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assignees.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Funding for the RFC Editor function is currently provided by the