The NIST Public Key Infrastructure Program

The National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, is developing specifications for Public Key Infrastructures for internal use within the U.S. government's electronic infrastructure. These efforts do not aim to duplicate the existing work of PKI vendors, but rather to ease the integration of public-key technology across implementations that may not interoperate.

This work is being developed with the help of industry partners under agreements called CRADAs (Cooperative Research and Development Agreements): companies and the government work together to specify the PKI products that the companies will produce and that the government will buy as a consumer. Since the U.S. government is a big buyer, one can expect the work of NIST to specify, to some extent, the future of the PKI products that will be used worldwide.

Among the publicly available documents is the MISPC specification, which provides a basis for interoperation between PKI components from different vendors. Vendors wishing to obtain contracts with U.S. Federal agencies should be able to provide compatible PKI components. Possible open-source PKI implementations would obviously need to comply with those specifications. The MISPC specification is the basis for the NIST reference implementation, which is described in the section called MISPC Reference Implementation in Chapter 7. It is available as NIST Special Publication 800-15 from the NIST WWW site.

Another interesting document is the Proposed Federal PKI Concept of Operation.

Among the highlights of the above document is its clear description of the available PKI types. The PKI that browsers implement is described as the trust-list PKI. This is a somewhat flat type of PKI, in the sense that there is only one level of trust. The other two types are the hierarchical and the network (or mesh) PKIs. The former is the typical X.500 PKI, while the latter is the mesh type with no single root. The hierarchical PKI is analogous to the structure of the Domain Name Service, while the network PKI is like the interconnection of the routers on the Internet.

Another important topic in the same document is the use of the Bridge Certification Authority concept: a CA that bridges different trust domains. This bridging is established upon agreement of the interested parties, and its purpose is to limit the propagation of unnecessary trust.

A pilot program is planned to test the bridge CA concept. According to the information provided at the NIST PKI Root CA Testbed page, NIST will implement the Bridge CA, and commercial CAs will be tested by being bridged through it. The plan is to have twelve CAs and 4 X.509 Directory servers operational. The pilot is meant to provide information on performance and scalability. Finally, X.509 certification path building and validation will be tested.
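The PKI types and the bridge CA described above differ mainly in which certification paths a relying party can build. The following sketch is an added example, not code from NIST or from the documents cited: it models certificates as (issuer, subject) pairs and searches for a path from a trust anchor to an end entity. All names are hypothetical, the data is constructed, `max_len` is a simplified stand-in for a path-length limit, and signature, validity and revocation checks are left out.

```python
from collections import deque

# Constructed sample data: each tuple is one certificate, (issuer, subject).
# All CA and user names are hypothetical.
HIERARCHY_A = [("RootA", "SubCA-A1"), ("SubCA-A1", "alice")]
HIERARCHY_B = [("RootB", "SubCA-B1"), ("SubCA-B1", "bob")]
# The bridge exchanges cross-certificates with each domain's principal CA.
BRIDGE = [("RootA", "BridgeCA"), ("BridgeCA", "RootA"),
          ("RootB", "BridgeCA"), ("BridgeCA", "RootB")]


def build_path(certs, trust_anchors, target, max_len=None):
    """Return the shortest chain of names from a trust anchor to target, or None.

    certs: iterable of (issuer, subject) pairs.
    trust_anchors: CAs the relying party trusts directly.
    max_len: optional cap on the number of certificates in the chain.
    """
    issued = {}
    for issuer, subject in certs:
        issued.setdefault(issuer, []).append(subject)
    queue = deque([anchor] for anchor in sorted(trust_anchors))
    seen = set(trust_anchors)
    while queue:  # breadth-first, so the first hit is the shortest path
        path = queue.popleft()
        if path[-1] == target:
            return path
        if max_len is not None and len(path) - 1 >= max_len:
            continue  # chain already uses max_len certificates
        for subject in issued.get(path[-1], []):
            if subject not in seen:  # cross-certificates form loops
                seen.add(subject)
                queue.append(path + [subject])
    return None


if __name__ == "__main__":
    two_domains = HIERARCHY_A + HIERARCHY_B
    # Hierarchical: a relying party anchored at RootA cannot reach bob.
    print("hierarchy :", build_path(two_domains, {"RootA"}, "bob"))
    # Trust list: both roots are configured directly, one level of trust.
    print("trust list:", build_path(two_domains, {"RootA", "RootB"}, "bob"))
    # Bridge: the single anchor RootA reaches bob through the bridge CA.
    print("bridge    :", build_path(two_domains + BRIDGE, {"RootA"}, "bob"))
    # A tighter length limit stops trust from propagating across the bridge.
    print("bridge, 3 :", build_path(two_domains + BRIDGE, {"RootA"}, "bob", 3))
```

Removing the two certificates between `RootB` and `BridgeCA` from `BRIDGE` cuts domain B off again without touching any relying party's trust anchor.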

The author of these documents (either as main author or as co-author) is William E. Burr.