Re: certification for pki
FYI, under the CEN/ETSI standards work currently being carried out for use
with the European Directive on Digital Signatures, trustworthy system
standards are being written which include in their annex CC PPs for CAs and
RAs. These may be used by a Certification Service Provider (CSP) issuing
Qualified Certificates for compliance assessment. A public draft will be
available sometime in September and a complete standard by the end of the
year.
Regards
Farrukh Ahmad
----- Original Message -----
From: <pgut001@cs.auckland.ac.nz>
To: <ietf-pkix@imc.org>
Sent: Thursday, June 22, 2000 5:47 AM
Subject: Re: certification for pki
> ghilborn@csc.com writes:
>
> >It is not a choice of CC vs. FIPS. The FIPS 140-1 testing pertains narrowly
> >to crypto modules. The CC evaluation/"torture" process is about the
> >system/components for certificate issuance and management meeting its security
> >specification (security target and claimed PP(s)).
>
> Oh, so the interest is in certifying the PKI process rather than machinery
> which makes it possible? In that case there's a whole host of standards to
> choose from, from ISO there's ISO 15782-1, Banking - Certificate Management,
> from ANSI there's X9.57 Certificate Management and ANSI X9.79, PKI Practices and
> Framework, and from vendors there's both VISA and MC's SET PKI requirements
> (which, while in some cases SET-specific), are well thought out. Would any of
> those be usable as a PP?
>
> Peter.
>