11 August 1997
Source: Commerce Business Daily: http://www.r6.gsa.gov/cbd/cbdmain.htm 


d -- governmentwide commercially available automated security services

August 11, 1997


Commerce Business Daily
SOL TIB97016
DUE 082297
POC Jon D. Faye, Senior Contract Specialist, 202-708-6099

The Federal government is using the recent advances in information technology to lower operational costs, to increase efficiency and productivity, and to analyze and make available far more information than was possible in the past. Furthermore, some of the emerging electronic government applications, particularly those focused on making government services more accessible to the citizen, present new challenges regarding the accuracy, privacy, and security of such information. The people require that the government provide trustworthy and useful information that can be easily accessed. However, the public also needs to be convinced that access to an individual's personal information is restricted to the individual in question and that the information is protected in a confidential and secure fashion when transiting public networks like the Internet.

There are five basic security services offered to end users and their applications:

Authentication

Access Control

Data Integrity

Non-repudiation, and

Confidentiality.

As a practical matter, these services cannot be delivered in an inter-networked world without a Public Key Infrastructure (PKI). The Federal Government believes that a PKI, centered around a viable commercial certificate authority, is the essential enabling technology for accomplishing business objectives in a secure fashion.

The broad introduction and application of this technology requires a security infrastructure having the service integrity and assurances required to support the distribution and verification of public key certificates. This service must incorporate the necessary policies, personnel, software, and information-processing resources required to generate, issue, and revoke certificates. This suite of security services is critical to the success of an electronic government.

In order to make this advance in information technology, the General Services Administration, Federal Telecommunication Service is seeking input from both our customers and our industry partners for commercial PKI certificate services. Any formal solicitation will be announced separately. This synopsis is for planning purposes only and is not to be construed as a commitment by the Government, nor will the Government pay for information solicited.

For planning purposes, the following constitutes the concept for these services:

A Certificate Authority (CA) with the capability to:

Protect the CA private key in hardware;

Authenticate certificate requests from registration authorities;

Generate and store X.509 v3 certificates;

Sign certificates using the CA private key;

Perform on-line (Internet) validation of certificates;

Authenticate validation requests from users or applications;

Audit the source of validation requests;

Distinguish type of certificate through policy identification field;

Accept certificate revocation requests electronically;

Authenticate certificate revocation requests;

Ensure certificate uniqueness;

Inter-operate with commercial and Government PKI systems.

A Registration Authority (RA) acting as an agent of the Certificate Authority will provide the following capabilities:

Perform ID proofing of users based upon a predefined set of credentials for each class of certificate;

Generate and sign certificate request transactions;

Generate and sign certificate revocation transactions;

Investigate certificate revocation requests;

Distribute certificates to hardware or software.

Certificates, identified with unique CA ids, will be available in two levels of assurance:

Classic -- This certificate, as defined by its contained policy id, is intended to be used for access control to privacy protected information for citizens. Digital signatures generated with keys associated with this Certificate could be used for authenticating lower value procurements and transactions (e.g. $2500 and lower) and electronic mail messages. Generation and storage of an asymmetric key pair can be accomplished via software. On-line/out-of-band or in-person ID proofing is acceptable.

Gold -- This certificate, as defined by its contained policy id, is intended to be used for privacy information requiring a level of assurance higher than that of the classic certificate. Digital signatures generated with keys associated with this certificate could be used for authenticating higher value procurements/transactions (e.g. >$2500).

Generation and storage of asymmetric key pairs must be performed and protected in hardware. In-person ID proofing is mandatory. All certificates issued by this service will be considered invalid by users or applications until an on-line validation request is performed with the CA. The CA, through its local or distributed database will respond to these requests with signed/time-stamped "certificate status" transactions. If the certificate status is invalid, users can optionally accept or reject transactions associated with that certificate based upon acceptable levels of risk. The CA will update certificate revocation status immediately based upon certificate revocation requests. Federal agencies receiving certificates vouching for an individual's identity will perform a validation request to the CA to determine transaction validity. The CA will authenticate the source of the request via the Agency certificate (Gold), audit the validation transaction, and respond with the signed 'certificate status' transaction. The CA will generate billing invoices to the agencies based upon the number of validation transaction audits per agency.

Parties having interest in providing these capabilities, or commenting on its content, should respond to this notice with their comments, level of interest, capabilities, and resources available to support such efforts at the office listed above not later than August 22, 1997. Each response is restricted to eight double spaced typed pages. Comment and concerns should be separated from statements of capability in the response.

FAX your response to 202-708-7027 or mail to GSA, FTS, Ofc. Of Information Security, 7th & D. Sts., SW; Room 5060; Washington, DC 20407, Attention Jon D. Faye.

EMAIL ADDRESS jon.faye@GSA.GOV Office of Information Security (D-218 SN106914)