Guiding Principles for PKI-Based Approaches to Electronic Authentication
APEC member economies are encouraged to take the following Principles into consideration when establishing either voluntary or regulated PKI schemes. They are intended to facilitate inter-jurisdictional acceptance of foreign certification authorities (CAs) and the development of cross-jurisdictional recognition arrangements for this purpose. In this regard, they provide only the basis however, as a detailed mapping of all policy, legal and technical aspects is required in order for cross-certification to occur.
These Principles are also intended to help provide guidance to member economies in establishing their authentication policies and assist those with existing policies to identify and address potential deficiencies in their approach.
Finally, it should be noted that, while these Principles have been developed for the PKI environment, they should not be interpreted as advocating any one technology solution over another. Rather, they focus attention on considerations in the PKI environment in view of the predominant role played by public-key cryptography in the electronic authentication marketplace.
I. Legislative/Legal Framework
The development of frameworks that set out parameters for the establishment and operation of certification authorities (CAs) can facilitate cross-jurisdictional acceptance of the services they provide.
Such frameworks should allow for the acceptance of services originating in other jurisdictions.
The establishment of legislative and legal frameworks that give legal effect to documents and signatures in electronic form produced by both domestic and foreign CAs will facilitate legal predictability on a cross-jurisdictional basis.
Such frameworks should not unduly require the use of particular technologies. In addition, they should allow for changing market standards, developments in existing technology and the introduction of new technology.
II. Policy Framework
Requirements for the institutional standing of CA service providers (including capital and financing requirements for the establishment and operation of CAs) can generate public trust and confidence and facilitate cross-jurisdictional recognition of certificates issued by those CAs.
Assessment schemes that utilise recognised standards and best practice to ensure technical interoperability between participants can facilitate cross-jurisdictional recognition of certificates.
The implementation of widely accepted technical standards and management in PKI assessment schemes can allow for CAs to be assessed.
Policies and procedures for cross-jurisdictional recognition of PKI assessment schemes can facilitate legal predictability and certainty in respect of certificates issued under those schemes.
III. Operational Framework (Pertaining To Ca Operations)
General
The use of the widely adopted Internet X.509 framework IETF/ RFC 2527 for the Certificate Policy (CP) and Certification Practice Statement (CPS) will facilitate cross-jurisdictional recognition.
Certificate Registration and Validation
The establishment of processes for registration and initial identity validation that are fit for purpose and take into account those processes used in other jurisdictions will facilitate cross-jurisdictional recognition of certificates.
Key Management
The use of key escrow of signature keys can undermine user confidence and impede cross-jurisdictional recognition of certificates.
The use of best practices derived from internationally recognized sources when performing key generation will facilitate cross-jurisdictional recognition of certificates.
The adoption of international best practice that confidentiality and signature key pairs should be different will improve user confidence and facilitate cross-jurisdictional recognition of certificates.
Cryptographic Engineering
The use of internationally recognized cryptographic algorithms of sufficient cryptographic length and strength will facilitate interoperability and cross-jurisdictional recognition of certificates.
Ensuring that cryptographic keys and algorithms are sufficiently strong to protect the cryptographic result from attack for the term of validity of the certificate (e.g. should not exceed 5 years) will increase security and facilitate the cross-jurisdictional recognition of certificates.
The assessment of cryptographic processes to a minimum level of FIPS 140-1 Level 3 or equivalent will facilitate cross-jurisdictional recognition of certificates.
Distinguished Names
The use of accepted best practice for standardizing the contents of Distinguished Names Components in the certificate will facilitate interoperability.
In particular, the use of standard X.509 extensions such as the Policy OID to represent the intended applicability of the digital certificate will facilitate cross-jurisdictional recognition.
Directory Standards
The use of the most commonly used international directory standards such as the X.500 Directory Service or LDAP (lightweight directory access protocol) v3 will facilitate interoperability of PKI applications
Systems and Operations
The use of international best practices for personnel security control and physical security control will enhance security and facilitate the cross-jurisdictional recognition of certificates.
The use of at least dual controls for the operation of CA services and processes (e.g. CA private key control and management) will facilitate cross-jurisdictional recognition of certificates.
The use of guidelines for systems and software integrity and control that are compliant with FIPS, the Common Criteria or equivalent recognised standards will enhance security and facilitate the cross-jurisdictional recognition of certificates.
Establishment of archival policies that ensure the retention of relevant material for a sufficient minimum duration (e.g. a minimum of 7 years) will facilitate the cross- jurisdictional recognition of certificates.
The use of time stamps and security mechanisms to prevent any intentional changes to archival records such as the use of hashes should be advocated to facilitate cross- jurisdictional recognition of certificates
Ensuring that the general-purpose repository and certificate revocation list (CRL) are generally available when required will develop user confidence and facilitate cross-jurisdictional recognition of certificates.
Ensuring that facilities are generally maintained to receive and act on requests for suspension when required will develop user confidence and facilitate cross-jurisdictional recognition of certificates.
Management Guidelines
Establishment of business continuity and disaster recovery planning provisions will develop user confidence and facilitate cross-jurisdictional recognition of certificates.
The establishment of provisions or guidance in the event that a CA discontinues will develop user confidence and facilitate cross-jurisdictional recognition of certificates.
The use of compliance audits/assessments by an independent party as part of security best practice for accreditation or licensing will develop user confidence and facilitate cross-jurisdictional recognition of certificates.