pki-tc message



Subject: FW: New PKI Resources Page and ROI paper - REVIEW DRAFT


Hi,
Please review the two work efforts from the Education Sub-committee and
forward any comments to me by the end of day Jan 24/05.
Thanks for your assistance.
June

June Leung
PKI Department
FundSERV Inc.
1700 - 130 King Street West
Toronto ON 
M5X 1E5
T. 416.350.2516
F. 416.362.6668 

<!-- TO DO -->

<!-- (1) Replace the notes BENEFITS, APP etc. with little colored graphics -->

<div>
<h1>PKI Resources</h1>

<p>The Oasis PKI Resources page provides definitive information about PKI for a range of different categories of readers, and links to other online PKI sources. 
This page is a living resource, continually growing and changing as the state of the art evolves and more PKI material becomes available. 
Please send comments about this page or suggest links to <a href="mailto:swilson@lockstep.com.au">swilson@lockstep.com.au</a>.</p>

<h2>Index</h2>

<ul>
<li><a href="#wp">White Papers</a></li>
<li><a href="#bodies">PKI Policy Bodies and other Authentication Frameworks</a></li>
<li><a href="#stds">PKI Technical Standards</a></li>
<li><a href="#laws">Electronic signature Laws and Regulations</a></li>
<li><a href="#assurance">Certification Authority Assurance Programs</a></li>
<li><a href="#other">Other information</a></li>
</ul><hr></div>

<a name="wp"></a>
<h2>White Papers</h2>

<i><h3>Short cuts to white papers by category</h3>
<li><a href="#intro">Introductions to Public Key Security and PKI</a> 
<li><a href="#gloss">Glossaries</a> 
<li><a href="#idm">Fundamentals in Authentication and Identity Management</a> 
<li><a href="#biz">Assorted PKI Business Issues</a> 
<li><a href="#verticals">Vertical Industry Experiences</a> 
<li><a href="#strategy">Contemporary PKI strategy</a> 
<li><a href="#implement">Implementation Guidelines</a> 
<li><a href="#techtopics">Assorted PKI Technology Topics</a> 
<li><a href="#gov">PKI Governance and legal issues</a> 
<li><a href="#international">International experience and developments</a> </i>


<a name="intro"></a>
<h3>Introductions to Public Key Security and PKI</h3>

<li><a href="pdfs/PKI_Basics-A_technical_perspective.pdf">PKI Basics - A business perspective</a></li>
An original PKI Forum introduction 
<b>BENEFITS</b> <b>APP</b>
<li><a href="http://www.campus-technology.com/article.asp?id=7626";>Public Key Cryptography Demystified</a></li>
Robert J. Brentrup, Campus Technology May 2003 
<b>BENEFITS</b> <b>APP</b>
<li><a href="http://iase.disa.mil/pki/faq-pki-pke-may-2004.doc";>DoD PKI and Public Key-Enabling FAQ</a></li> May 2004	
<li><a href="http://www.rsasecurity.com/rsalabs/node.asp?id=2152";>RSA Labs Crypto FAQ</a></li> 
<li><a href="http://www.abanet.org/scitech/ec/isc/dsg-tutorial.html";> ABA Digital Signatures Tutorial</a></li>
American Bar Association

<a name="gloss"></a>
<h3>Glossaries</h3>

<li><a href="http://www.rsasecurity.com/rsalabs/node.asp?id=2373";>RSA Laboratories Cryptography Glossary </a></li>
<li><a href="http://www.garlic.com/~lynn/secgloss.htm">Lynn Wheeler's Glossary</a></li>

<a name="idm"></a>
<h3>Fundamentals in Authentication and Identity Management</h3>

<li><a href="http://estrategy.gov/smartgov/information/scottlowry_files/frame.htm#slide0026.htm ">
The Identification Process Deconstructed</a></li> July 2003 NIST Smart Card Workshop

<a name="biz"></a>
<h3>Assorted PKI Business Issues</h3>

<li><a href="pdfs/Lockstep-Oasis PKI ROI White Paper (1.0).pdf">PKI and Financial Return on Investment UPDATED</a></li> The updated Oasis PKI TC white paper January 2005 
ROI
<li><a href="http://www.verisign.com/stellent/groups/public/documents/white_paper/005320.pdf";>ROI for PKI investment</a></li> Verisign and Blue Bridge Feb 2002.  Includes a particularly good, detailed examination of digital signature applications. 
ROI APPS
<li><a href="pdfs/Financial_Return_on_Investment.pdf">PKI and Financial Return on Investment</a></li>	An original PKI Forum white paper August 2003 
ROI

<a name="verticals"></a>
<h3>Vertical Industry Experiences</h3>

<h4>Government Service Delivery</h4>

<li><a href="http://www.entrust.com/success/index_uspto.htm";>The United States Patent and Trademark Office</a></li> 
An Entrust Success Story
BENEFITS ROI APPS 
<li><a href="http://www.estrategy.gov/smartgov/information/fdic_case_study_full.pdf";>FDIC deploys smart cards and PKI</a></li> 
BENEFITS ROI APPS
<li><a href="http://middleware.internet2.edu/pki03/presentations/01.pdf ">An Overview of Public Key Certificate Support for Canada's Government On-Line</a></li> Mike Just, Treasury Board of Canada, 2003, presented to the 2nd Annual PKI Research Workshop. 


<h4>Healthcare</h4>

<li><a href="http://www2.dcita.gov.au/__data/assets/file/31893/ITOL-SmartPatient.pdf";>Smart Patient Data</a></li>Case study report from a part government funded R&D project.  Smart Patient Data is a simple, user friendly and secure system that uses Public Key Infrastructure and secure tokens to access records and share patient summaries over the Internet.
BENEFITS APPS
<li><a href="http://www.tunitas.com/pages/PKI/docs/PKIBusinessCase.zip";>Business Planning for Healthcare Enterprise PKI</a></li>
BENEFITS ROI APPS
<li><a href="pdfs/healthcarenote.pdf">US Healthcare PKI Note</a></li>	An original PKI Forum white paper, March 2001 
<li><a href="http://www.cs.dartmouth.edu/~pki02/Alterman/paper.pdf ">EDUCAUSE - NIH PKI Interoperability Pilot Project</a></li>Peter Alterman et al 2002
<li><a href="http://www.fda.gov/ora/compliance_ref/part11/";>21 CFR Part 11 Electronic Records; Electronic Signatures</a></li>  Food & Drug Administration
<li><a href="http://www.tunitas.com/pages/PKI/docs/PKIConcernsinHealthcare.pdf ">PKI Concerns In Healthcare Settings</a></li> Kaiser Permanente, 2000
<li><a href="http://www.healthkey.org/docs/Drummond/table-of-contents.htm";>PKI in Healthcare: Recommendations and Guidelines - Table of Contents</a></li> 2000.  
The full report can be downloaded in sections from <a href="http://www.healthkey.org/library.htm";>download</a>

<p></p>
See also the Tunitas Group's <i>Perspectives on Information Technology for the Health Care Industry </i> at	<a href="http://www.tunitas.com/pages/PKI/pki.htm";>health PKI</a>.

<h4>Financial Services</h4>

<li><a href="http://www.thales-esecurity.com/CaseStudies/Documents/BACS_Case_Study.pdf";>BACSTEL-IP Secure Payment Submission Case Study</a></li> One of the largest banking sector PKIs to date.  
<li><a href="http://www.ncipher.com/company/case_studies/bacs.html";>Success Story: BACS</a></li>
<li><a href="http://www.identrus.com/knowledge_center/pub/DCS_whitepaper_final.pdf";>Delegated Certificate Services White Paper</a></li> Hypovereinsbank, a member of Identrus. 
BENEFITS APPS
<li><a href="http://www.identrus.com/knowledge_center/pub/RBSLombardCaseStudy.pdf";>Royal Bank of Scotland Identrus Case Study</a></li>
<li><a href="http://www.btglobalservices.com/en/products/trustservices/inform/scot.html";>Prudential / British Telecom Managed PKI Case Study</a></li> 2002
<li><a href="www.hkpkiforum.org.hk/docs/Patrick_McLaughlin_PKI_at_Work_Sept_15.PDF">PKI at Work</a></li> Baltimore Technologies presentation to Hong Kong PKI Forum 2003
BENEFITS ROI APPS
<li><a href="http://www.iso.ch/iso/en/commcentre/isobulletin/articles/2002/pdf/pki02-05.pdf";>A milestone for the financial services security - Cert Extensions</a></li>
<li><a href="http://www.mbaa.org/library/isp/2003_3/03-11.pdf";>Issue Paper: PKI, Digital Signature and eMortgages</a></li> Mortgage Bankers Association of America  Feb 2003
BENEFITS RISK APPS

<h4>Education</h4>

<li><a href="http://www.dartmouth.edu/~deploypki/presentations/20040508_EDUCAUSE_Live.ppt">PKI: A Technology Whose Time Has Come in Higher Education</a></li>
Peter Alterman EDUCAUSE July 2004
BENEFITS RISKS

<a name="strategy"></a>
<h3>Contemporary PKI strategy</h3>

<li><a href="http://symposium.pki.or.kr/01%20Keynote%20Speech%20-%20Stephen%20Kent.pdf";> 
PKIX Standards Status & PKI Directions </a></li>  Dr. Stephen Kent 3rd International Symposium of the Asia PKI Forum, Korea, 2003 
An excellent commentary on alternate PKI models, and the unnecessary complication of "trust" in many PKI applications. 
BENEFITS APPS
<li><a href="http://asia-pkiforum.org/july_shanghai/2004July/(4)Challenge.ppt"> 
Challenges to PKI Development </a></li> Dr. Stephen Kent 4th International Symposium of the Asia PKI Forum, China, 2004 
Another excellent exposition of the problems faced by traditional single TTP large scale CAs 
BENEFITS RISK APPS
<li><a href="http://www.aitsf.aeema.asn.au/resources/doc/documents_10.pdf";> 
PKI Position Statement of the Australian Security Industry </a></li> Nov 2003 Australian IT Security Forum 
BENEFITS RISK APPS

<a name="implement"></a>
<h3>Implementation Guidelines</h3>

See also the comprehensive lists of PKI technical standards below. 

<h4>Policy or Compliance related Guidelines</h4>

<li><a href="pdfs/pki_policy.pdf">PKI Policy Note</a></li>
An original PKI Forum white paper describing the important policy elements of a PKI, such as the CP and CPS, 
and explaining why policy is such an important topic.  
<li><a href="http://www.whitehouse.gov/omb/memoranda/m00-15.html";> 
Guidance on Implementing the ESIGN Act</a></li>  Office of Management and Budget  2000
<li><a href="http://www.archives.gov/records_management/policy_and_guidance/electronic_signature_technology.html";> 
Records Management Guidance for Agencies Implementing E-Signatures</a></li> National Archives & Records Administration

<h4>Project Management Guidelines</h4>

<li><a href="http://www.cit.cornell.edu/services/identity/pki/workshop-jan2002.html";> 
PKI Workshop Summary and Recommendations</a></li> Burton Group 2002.  The Burton Group was retained by Cornell 
University to conduct a workshop into Cornell's enterprise PKI requirements and develop a set of recommendations. 
RISK APPS

<h4>Technology Guidelines</h4>

See also Standards below. 

<li><a href="http://www.dartmouth.edu/%7Epkilab/pages/Web_Access_Control.html";>Web Page Access Control Using PKI</a></li> Dartmouth PKI Labs 2004
<li><a href="http://www.dartmouth.edu/%7Edeploypki/materials/modules/using/smartcard_logon/PKISmartcardLogon.htm";>Using a Non-Microsoft CA with Smartcard Logon</a></li> Dartmouth College PKI Lab Oct 2004
<li><a href="http://www.dartmouth.edu/%7Epkilab/pages/ShibbAuthwithPKI.html";>Using PKI Authentication with Shibboleth</a></li> Dartmouth College PKI Lab 2003
<li><a href="pdfs/PKI_Basics-A_technical_perspective.pdf">	PKI Basics - A Technical Perspective</a></li> An original PKI Forum white paper 
<li><a href="http://csrc.nist.gov/cryptval/140-1/1401val.htm";>FIPS 140-1 and FIPS 140-2 Cryptographic Modules Validation List</a></li>
BENEFITS APPS
<li><a href="http://csrc.nist.gov/pki/twg/y2004/Presentations/twg-04-04.pdf";>Password security and entropy</a></li> NIST E-Authentication Technical Guidance 2004 
APPS
<li><a href="pdfs/Understanding_Path_construction-DS2.pdf">	Understanding Certification Path Construction</a></li> An original PKI Forum white paper, September 2002  
<li><a href="pdfs/AKID_SKID1-af3.pdf">	Authority Key Identifier & Subject Key Identifier Guideline </a></li> An original PKI Forum white paper, September 2002
<li><a href="http://w1.181.telia.com/~u18116613/A.R.AppliedPKI-Lesson-1.pdf ">Applied PKI - Lesson 1</a></li> A 'synthetic' case study implementing a purchasing system.  
RISK APPS
<li><a href="http://w1.181.telia.com/~u18116613/A.R.AppliedPKI-Lesson-2.pdf";>Applied PKI - Lesson 2</a></li> A continuation of the above 'synthetic' case study examining issues of message versus transport level encryption, and fat client vs thin client. 
RISK APPS

<h4>Advanced Engineering Resources</h4>

<li><a href="http://csrc.nist.gov/cryptval/140-1/FIPS1402IG.pdf";>Implementation Guidance for FIPS PUB 140-2 
and Crypto Module Validation Program</a></li>
<li><a href="http://csrc.nist.gov/publications/nistpubs/800-21/800-21.pdf";>Special Publication 800-21: Guideline for 
Implementing Cryptography in the Federal Government</a></li>  
<li><a href="http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/ospki-book.htm";>The Open-source PKI Book</a></li> 
A guide to PKIs and Open-source Implementations
<li><a href="http://www.hsc.fr/ressources/ipsec/">IPsec Resources</a></li> Hervé Schauer Consultants (a French company specialising in information security, closely involved with IPsec developments)
<li><a href="http://www.openssl.org";>OpenSSL Project Home Page</a></li>  
<li><a href="http://www.drh-consultancy.demon.co.uk/pkcs12faq.html";>OpenSSL PKCS#12 FAQ</a></li>  
<li><a href="http://www.symlabs.com/Offerings/Net_SSLeay/";>Net::SSLeay.pm Home Page</a></li>  
<li><a href="http://www2.psy.uq.edu.au/~ftp/Crypto/";>SSLeay FAQ</a></li> Note: last updated 1998. 	
<li><a href="http://bmrc.berkeley.edu/people/chaffee/ssleay/ssleay.html";>Patches for SSLeay</a></li>
<li><a href="http://www.columbia.edu/~ariel/ssleay/";>SSLeay Documentation</a></li> Note: last updated 1999. 	
<li><a href="http://www.digitalnet.com/knowledge/sfl_home.htm";>S/MIME Freeware Library</a></li>
<li><a href="http://www.cs.eku.edu/faculty/styer/460/Encrypt/JS-MD5.html";>MD5 online hash calculator</a></li> 
Type data into a dialog box, and the hash is computed online

<h4>Cryptography papers of special interest in practical PKI</h4>

<li><a href="http://csrc.nist.gov/pki/twg/y2004/Presentations/twg-04-14.pdf ">
	Hash Functions Implications</a></li> November 2004 Recent cryptanalytic results have raised concerns regarding currently popular hash algorithms; this NIST presentation outlines the practical implications. Concludes that MD5 must no longer be used, but that SHA-1 continues to be safe.

	<a name="techtopics"></a>
<h3>Assorted PKI Technology Topics</h3>

<li><a href="www.apectelwg.org/apecdata/telwg/eaTG/pki.html">Asymmetric Cryptography - Public Key Authentication </a></li> APEC E-Security Task Group, 2001 
<li><a href="www.pwcglobal.com/Extweb/pwcpublications.nsf/docid/C185AF2B5E83A80685256B1B0054B2E1">Making Sense of your Authentication Options in e-Business </a></li> Stephen Wilson, Journal of the PricewaterhouseCoopers Cryptographic Centre of Excellence, October 2001 A comprehensive comparison of PKI (in various forms) against all other authentication technologies, with rankings of various attributes, including ease of use, availability, cryptographic properties, and resistance to theft.  
BENEFITS RISK APPS

<h4>Product specific guidelines</h4>

<li><a href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/ws3PKIBP.asp";>Best Practices for Implementing a Microsoft Windows Server 2003 PKI</a></li> 
APPS
<li><a href="http://www.dartmouth.edu/%7Epkilab/pages/oracle-config.html";> Using Oracle/IAS with PKI</a></li> Dartmouth PKI Labs 
<li><a href="http://www.dartmouth.edu/%7Edeploypki/deploying/Concentrator_with_PKI.htm";>Setting up the Cisco VPN 3000 Concentrator for PKI Authentication</a></li> Dartmouth PKI Labs


<h4>Smartcards and PKI</h4>

<li><a href="http://www.smartcard.gov/information/bahfinal18apr01.doc";>Business Case for PKI on smartcards</a></li> "Approach for Business case analysis of using PKI on smart cards for Government-wide applications" by the CIO PKI/Smartcard Project, April 2001
BENEFITS RISK ROI APPS
<li><a href="http://www.smartcard.gov/information/smartcardhandbook.pdf";>US Government Smart Card Handbook</a></li> US General Services Administration 
BENEFITS APPS
<li><a href="pdfs/smartcard-two_color.pdf">Smart Cards</a></li>	An original PKI Forum white paper, April 2002 
BENEFITS APPS

<h4>Biometrics and PKI</h4>

<li><a href="pdfs/biometricsweb.pdf">Biometrics PKI Note</a></li>	
APPS
<li><a href="www.abanet.org/scitech/eblast/may01/2may01.html#Bio">Will Biometrics Obsolete PKI? A Special Report </a></li> June 2001 American Bar Association, Bulletin of Law/Science & Technology.  This short paper discusses unique properties of PKI not provided by biometrics, including the ability to revoke when compromised, persistent signatures, and the ability to build open authentication systems. 
BENEFITS RISK

<h4>Wireless PKI</h4>

<li><a href="http://www.japanpkiforum.jp/symposium/presentation/session_4/Ses4-6Ou.pdf">Current Development of Wireless PKI in Chinese Taipei</a></li>

<h4>Miscellaneous Applications</h4>

<li><a href="http://netlab18.cis.nctu.edu.tw/html/paper/2002_08_27/00888474.pdf">A Wearable PKI</a></li>

<a name="gov"></a>
<h3>PKI Governance and legal issues</h3>

<h4>Governance principles</h4>

<li><a href="http://www.aitsf.aeema.asn.au/resources/doc/documents_10.pdf";>PKI Position Statement of the Australian Security Industry</a></li> 
Australian IT Security Forum November 2003.  Discusses practical experience of PKI demand drivers, "killer applications", 
and the implications for PKI governance and interoperability.  
BENEFITS RISK APPS
<li><a href="http://www.apectelwg.org/apecdata/telwg/26tel/estg/estg04.doc";>Electronic Authentication: Issues Relating to Its Selection and Use</a></li> 
2002 A major publication of the APEC eSecurity Task Group, canvassing all major policy, compliance, implementation and even cultural issues of electronic authentication across the Asia Pacific and the Americas. 
BENEFITS RISK 
<li><a href="http://www.cio.gov/fpkisc/library/gao-01-277pkireport.pdf";>Advances and Remaining Challenges to Adoption of PKI</a></li> 
United States General Accounting Office Feb 2001
RISK APPS
<li><a href="www.cfa.aeema.asn.au/pdfdocs/CFA%5F%2D%5Fwhite%5Fpaper%2Epdf">Audit based public key infrastructure</a></li> 
Certification Forum of Australia November 2000.  This paper details a new approach to building large, decentralised and flexible PKIs, using existing international systems for standards conformance accreditation.   
RISK APPS
<li><a href="http://www.oecd.org/dataoecd/16/22/15582260.pdf ">OECD Security Guidelines</a></li> 
Organisation for Economic Co-operation and Development's Guidelines for the Security of Information Systems and Networks: Towards a culture of security
6 August 2002
BENEFITS RISK

<h4>Interoperability and Recognition</h4>

<li><a href="http://www.apectelwg.org/apecdata/telwg/29tel/estg/estg_21.pdf";>PAA PKI Cross Border Interoperability</a></li> The Pan Asian E-Commerce Alliance Mutual Recognition Scheme
BENEFITS APPS
<li><a href="http://www.apii.or.kr:8080/document/DocumentLst.jsp#e-Security%20Task%20Group";>Download</a></li> "Guidelines for Schemes To Issue Certificates Capable of Being Used in Cross Jurisdiction eCommerce" APEC eSecurity Task Group September 2004
RISK
<li><a href="http://webapp.etsi.org/workprogram/Report_WorkItem.asp?WKI_ID=17214";>International Harmonization of Policy Requirements for CAs issuing Certificates</a></li> This Technical Report presents the results of ongoing work to harmonize existing European electronic signature technical specification on policy requirements for CAs with other internationally recognized standards and related activities. 
<li><a href="http://www.cs.dartmouth.edu/~pki02/Alterman/paper.pdf";>EDUCAUSE - NIH PKI Interoperability Pilot Project</a></li> Peter Alterman et al 2002.  A paper presented to the 1st Annual PKI Research Workshop at Dartmouth College April 2002
APPS
<li><a href="http://www.cs.dartmouth.edu/~pki02/Alterman/slides.pdf";>EDUCAUSE PKI Interoperability Project</a></li>  Electronic Grant Application With Multiple Digital Signatures, Peter Alterman 2002
APPS
<li><a href="pdfs/PKIInteroperabilityFramework.pdf">PKI Interoperability Framework White Paper</a></li><li><a href="pdfs/ca-ca_interop.pdf">CA-CA Interoperability White Paper</a></li>	
<li><a href="www.law.gov.au/agd/seclaw/Wilson_paper.html">Leveraging external accreditation to achieve PKI cross-recognition</a></li> Stephen Wilson, paper presented to the Attorney Generals Privacy & Security Conference, Melbourne 2001   
BENEFITS RISK APPS 
<li><a href="http://www.apectelwg.org/apecdata/telwg/25tel/estg/estg05.ppt";>Achieving PKI Interoperability - Japan, Korea and Singapore </a></li> APEC eSecurity Task Group, March 2002

<h4>Regulatory and legislative issues</h4>

See also the collection of links to state, federal and international electronic signature laws below. 

<li><a href="http://www.ftc.gov/os/2001/06/esign7.htm";> 
The consumer consent provision in ESIGN  </a> OR <a href="http://www.ftc.gov/os/2001/06/esignreport.pdf";>pdf </a></li>  Report to Congress, June 2001
RISK APPS
<li> <i>PKI Assessment Guidelines</i> (PAG) American Bar Association Information Security Committee 
<ul>
<li><a href="http://www.abanet.org/webapp/wcs/stores/servlet/ProductDisplay?storeId=10251&productId=-18350&categoryId=-3525";>BUY 
</a></li>  To purchase a copy of the PAG online, quote Product Code 5450032
<li><a href="http://www.abanet.org/scitech/ec/isc/pag/pag.html";>Public Comment Draft V0.30	</a></li>  A recent version of the PAG available for free download. 
<li><a href="http://www.abanet.org/scitech/ec/isc/dsgfree.html";>Digital Signature Guidelines </a></li>   These guidelines, available for free, were subsumed into the full blown PAG.  
</ul>	
<li><a href="http://www.privacy.gov.au/publications/pki.rtf";>Privacy and PKI</a></li>"Guidelines for Agencies using PKI to communicate or transact with individuals"  by the Office of the Federal Privacy Commissioner (Australia) Includes a rich set of recommendations relevant to any jurisdiction with an OECD-style privacy regime, including Europe and the US. 
RISK
<li><a href="http://www.ilpf.org/groups/analysis_IEDSII.htm";>Analysis of International Electronic and Digital Signature Initiatives </a></li>  Report prepared for the Internet Law & Policy Forum (ILPF) September, 2000
RISK
<li><a href="http://profs.lp.findlaw.com/signatures/";>Electronic Signature Legislation as a Vehicle for Advancing E-commerce</a></li>  An extract from the article "Moving With Change: Electronic Signature Legislation as a Vehicle for Advancing E-commerce" in The John Marshall Journal of Computer and Information Law , Vol. XVII, No. 3, Spring 1999
<li><a href="http://www.uncitral.org/english/workinggroups/wg_ec/wp-95e.pdf";> 
UNCITRAL e-contracting </a></li>  "Legal aspects of electronic commerce - Electronic contracting: Provisions for a Draft Convention" 20 September 2001
<li><a href="http://www.olis.oecd.org/olis/2003doc.nsf/43bb6130e5e86e5fc12569fa005d004c/a5ffa4e119b08b55c1256ed200289f2c/$FILE/JT00167912.PDF";> 
OECD Authentication Survey</a></li>  "Summary of Responses to the Survey of Legal and Policy Frameworks for Electronic Authentication Services and E-Signatures in OECD Member Countries" Organisation for Economic Cooperation and Development  
3 August 2004,
<li><a href="http://europa.eu.int/scadplus/leg/en/lvb/l24204.htm";>Legal aspects of electronic commerce</a></li>A summary of the European Parliamentary Directive on e-commerce. August 2003
<li><a href="http://www.nga.org/cda/files/000922ESIGN.PDF";>What Governors Need to Know About E-SIGN </a></li>  National Governors Association, 2000
<li><a href="http://www.ilpf.org/groups/digapp.pdf";>Survey of State Electronic & Digital Signature Laws </a></li>  Internet Law & Policy Foundation (somewhat out of date now).


<a name="international"></a>
<h3>International experience and developments</h3>

<li><a href="http://lists.oasis-open.org/archives/pki-education/200405/ppt00000.ppt";>PKI Lessons from Australia</a></li> Australian IT Security Forum presentation to World eBusiness Forum, Geneva, Dec 2003
BENEFITS APPS
<li><a href="http://www.apectelwg.org/apecdata/telwg/29tel/estg/estg_22.ppt";>PKI Activities in Chinese Taipei</a></li> Presentation to APEC TEL eSecurity Task Group March 2004
<li><a href="http://www.apectelwg.org/apecdata/telwg/28tel/estg/telwg28-ESTG-13.doc";>Consolidated Mapping of PKI Schemes Part 1 </a></li> APEC eSecurity Task Group 2003 
<li><a href="http://www.apectelwg.org/apecdata/telwg/28tel/estg/telwg28-ESTG-13-R1.doc";>Consolidated Mapping of PKI Schemes Part 2 </a></li> APEC eSecurity Task Group 2003
<li><a href="http://www.apectelwg.org/apecdata/telwg/26tel/estg/estg12.htm and http://www.apectelwg.org/apecdata/telwg/26tel/estg/estg13.doc";>APEC CA survey 2002 </a></li>"Survey of Legislative/Legal Framework, Certificate Policies and Certification Practices  of Recognised/Accredited/Licensed Certification Authorities in APEC member economies" APEC eSecurity Task Group, August 2002 
RISK APPS
<li><a href="http://symposium.pki.or.kr/04%20WG%20Presentation%20I%20-%20Evelyn%20Ong.pdf ">Final report on legal issues in cross-border e-commerce</a></li> Evelyn Ong, PKI Forum Singapore, 3rd International Symposium of the Asia PKI Forum, 2003
RISK



<hr>
<a name="bodies"></a>
<h2>PKI Policy Bodies and other Authentication Frameworks</h2>

This section presents a number of large scale infrastructure initiatives, 
typically deployed by government or by vertical industry groups for the benefit of defined user groups, in order to 
provide technology and legal support for secure e-business programs.    

<h3>PKI Policy Bodies</h3>

These are a mixture of "official" policy authorities, and industry development groups. 

<li><a href="http://www.ictsb.org/EESSI_home.htm";>European Electronic Signature Standardisation Initiative</a></li>
<li><a href="www.eema.org"> Security pages</a></li> formerly the <i>European CA Forum</i>
<li><a href="http://asia-pkiforum.org/";>Asia PKI Forum</a></li>
<li><a href="http://www.chinapkiforum.org.cn/english/index.asp";>China PKI Forum</a></li> 
<li><a href="http://www.pki.org.tw/";>Chinese Taipei PKI Forum</a></li> 
<li><a href="http://www.hkpkiforum.org.hk/index.htm";>Hong Kong PKI Forum</a></li>
<li><a href="http://www.japanpkiforum.jp/E/index.htm";>Japan PKI Forum</a></li> 
<li><a href="http://eng.pki.or.kr/";>Korea PKI Forum</a></li>
<li><a href="http://www.pkiforumsingapore.org.sg/home.asp";>Singapore PKI Forum</a></li>
<li><a href="http://www.bacstel-ip.com/home/index.php">BACSTEL-IP</a></li> a major IP based re-engineering of the UK banking clearance system, involving one of Europe's biggest PKIs to date. 
<li><a href="www.apectelwg.org">APEC eSecurity Task Group</a></li> the Telecommunications Working Group (TEL) of the Asia-Pacific Economic Cooperation (APEC) hosts an e-Security Task Group.  The eSTG has been historically focussed on PKI and e-authentication.  The group meets twice a year and all committee papers are freely available on the web.
<li><a href="http://www.agimo.gov.au/infrastructure/gatekeeper";>Australian Government Gatekeeper</a></li> the regulatory body for Australian B2G users of PKI
<li><a href="http://www.aeema.asn.au/groupings/divs_info.cfm?divisionID=3";>Australian IT Security Forum</a></li> an industry association covering all information security users and providers, with a focus on PKI

<h3>Authentication Frameworks (including PKI enabled National IDs)</h3>

<h4>North America</h4>
<li><a href="http://www.cio.gov/fpkisc/";>US Federal PKI Steering Committee </a></li>
<li><a href="http://www.gsa.gov/aces/about.htm";>Access Certificates for Electronic Service (ACES) </a></li>
<li><a href="http://www.smartcard.gov/";>US Government Smartcards</a></li> Homepage for all US government smartcard activities, including a database of rollout projects.
<li><a href="http://estrategy.gov/presentations/nasa_pki_program1_v95/index.htm";>NASA PKI</a></li>
<li><a href="http://iase.disa.mil/pki/";>US Dept of Defence PKI Homepage</a></li>
<li><a href="http://www.cio-dpi.gc.ca/cio-dpi/index_e.asp";>Canadian Chief Information Officer Branch</a></li> Home page for the agency which owns Canada's PKI and authentication efforts.  As of Dec 2004, PKI materials were yet to be updated.  

<h4>Europe</h4>
<li><a href="www.e-envoy.gov.uk">UK eEnvoy</a></li>
<li><a href="http://www.id.ee/pages.php/0303";>Estonia National ID smartcard</a></li>

<h4>Asia</h4>
<li><a href="http://www.ogcio.gov.hk/eng/infra/evcars.htm";>	Hong Kong Recognition of CAs</a></li>  
<li><a href="http://www.smartid.gov.hk/en/";>	Hong Kong Smart ID Card</a></li>
<li><a href="http://www.smartcard.teco.com.tw/en_version/c_iccard01.htm";>	Taiwan IC National Health Insurance Card</a></li>
<li><a href="http://www.e-government.govt.nz/authentication/index.asp";>New Zealand Authentication Framework</a></li>  
<li><a href="http://www.e-government.govt.nz/see/pki/index.asp";>New Zealand Secure Electronic Environment</a></li>  
<li><a href="http://www.agimo.gov.au/infrastructure/authentication";>Australian Government Authentication Framework</a></li>  
<li><a href="http://www.transport.qld.gov.au/new_driver_licence";>New Queensland Driver License (Australia) </a></li>  
<li><a href="http://www.hic.gov.au/yourhealth/our_services/medicare_smartcard.htm";>Medicare smartcard (Australia) </a></li>

<h4>Private Sector</h4>
<li><a href="www.identrus.com">Identrus</a></li> the worldwide private PKI for the banking industry
<li><a href="http://www.paa.net/";>Pan Asia Alliance</a></li> an association of commercial CAs in North Asia focused on PKI for securing international trade documentation
<li><a href="www.emvco.com">EMV</a></li> The Europay-MasterCard-Visa consortium develops and administers technology standards for credit cards worldwide, including the current initiative to transition from magnetic stripe to chip. 
<li><a href="http://www.chipandpin.co.uk/">Chip & PIN</a></li> a nationwide rollout of smartcards for credit and debit in the UK, with 65 million cards on issue at Nov 2004
<li><a href="http://www.globalplatform.org/";>Global Platform</a></li>

<h3>Related security policy bodies, interest groups and promotional associations</h3>

<h4>Identity Theft</h4>

<li><a href="http://www.antiphishing.org";>Anti-Phishing Alliance</a></li>

<h4>Privacy, Security & "Trust"</h4>

<li><a href="http://www.projectliberty.org/";>Liberty Alliance</a></li> developing federated identity standards
<li><a href="https://www.trustedcomputinggroup.org/home";>Trusted Computing Group</a></li> 
<li><a href="http://shibboleth.internet2.edu/";>Shibboleth</a></li> single sign on software initiative
<li><a href="http://www.teletrust.de/default.asp?sw=3&Sprache=E_&HomePG=0";>TeleTrusT</a></li> Non-profit organization for the promotion of trustworthiness of information and communication technology
<li><a href="http://www.istpa.org/";>International Security Trust & Privacy Alliance</a></li>

<h4>Wireless security</h4>

<li><a href="http://radicchio.org/";>Radicchio</a></li> "Global Initiative for Wireless eCommerce"
<li><a href="http://www.openmobilealliance.org/";>Open Mobile Alliance</a></li>

<hr>
<a name="stds"></a>
<h2>PKI Technical Standards</h2>

What follows is a comprehensive set of lists of applicable PKI standards.  
<p></p>
<b>Notes</b>
<p></p>
<li>Standards tend to migrate from one body to another, as they mature and become ratified and adopted by steadily 
bigger groups.  Over time this can lead to redundant standards documents.  For instance, most of the RSA Laboratories' 
PKCS series have been adopted by the IETF now; such standards can appear more than once in the lists below.  
<li>A nearly complete compendium of information security standards was produced by APEC and is available from the Federal 
PKI Steering Committee website: <a href="http://www.cio.gov/fpkisc/library/apec_tel26_v113.pdf">APEC Standards Handbook</a>. 

<h3>Important PKI Standards Organisations</h3>

<li><a href="http://www.ietf.org/html.charters/pkix-charter.html";>PKIX </a></li> the public key working group of the IETF
<li><a href="http://web.mit.edu/network/ietf/sa/";>IETF Security Area </a></li>
<li><a href="http://www.rsasecurity.com/rsalabs/node.asp?id=2124";>RSA PKCS </a></li> Standards Series 
<li><a href="http://grouper.ieee.org/groups/1363/index.html";>IEEE Standards for Public Key Cryptography </a></li>
<li><a href="http://portal.etsi.org/esi/el-sign.asp";>European Telecommunications Standards Institute</a></li>
<li><a href="http://www.ietf.org/html.charters/ipsec-charter.html";>IPSEC </a></li> (IETF)
<li><a href="http://www.ietf.org/html.charters/smime-charter.html";>S/MIME Mail Security </a> (IETF).  See also <a href="http://www.imc.org/ietf-smime/index.html";>Internet Mail Consortium S/MIME site</a>.</li>
<li><a href="http://www.ietf.org/html.charters/tls-charter.html";>Transport Layer Security (TLS) </a></li> (IETF)
<li><a href="http://csrc.nist.gov/pki/";>NIST PKI Program </a></li> i.e. the National Institute of Standards and Technology. 
<li><a href="http://csrc.nist.gov/pki/twg/";>NIST Federal PKI Technical Working Group </a></li>
<li><a href="http://csrc.nist.gov/pki/twg/welcome.html#documents";>NIST PKI Program Document registers </a></li>
<li><a href="http://www.x9.org/committees.shtml#x9f";>ANSI X9 </a></li> Financial Industry Standards 
<li><a href="http://www.imc.org/";>Internet Mail Consortium</a></li>
<li><a href="http://www.ietf.org/html.charters/openpgp-charter.html";>Open Specification for Pretty Good Privacy</a></li>  

<h3>The major PKI related RFCs</h3>

The chair of the IETF's PKIX Working Group once named these as the most important of their RFCs to do with public 
key security.  All other PKI related RFCs are listed further below. 

<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc3820.txt";>RFC3820 </a></li>Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile 
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc2560.txt";>RFC2560 </a></li>X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP 
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc2527.txt";>RFC2527 </a></li>Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework. <b>Superseded by RFC 3647.</b>
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc3647.txt";>RFC3647 </a></li>Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework.  <b> Supersedes RFC 2527.</b> 	
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc2511.txt";>RFC2511 </a></li>Internet X.509 Certificate Request Message Format
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc2797.txt";>RFC2797 </a></li>Certificate Management Messages over CMS
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc3039.txt";>RFC3039  </a></li>Internet X.509 Public Key Infrastructure Qualified Certificates Profile
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc3161.txt";>RFC3161  </a></li>Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc3281.txt";>RFC3281 </a></li>An Internet Attribute Certificate Profile for Authorization

<h3>Other PKI related RFCs</h3>

<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc2510.txt";>RFC2510 </a></li>Internet X.509 Public Key Infrastructure Certificate Management Protocols 
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc2585.txt";>RFC2585 </a></li>Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP 
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc2587.txt";>RFC2587 </a></li>Internet X.509 Public Key Infrastructure LDAPv2 Schema 

<h3>Other cryptography related RFCs</h3>

<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc3779.txt";>RFC3779 </a></li>X.509 Extensions for IP Addresses and AS Identifiers
<li><a href="ftp://ftp.rfc-editor.org/in-notes/bcp/bcp86.txt";> BCP0086  </a></li>Determining Strengths For Public Keys Used For Exchanging Symmetric Keys
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc3739.txt";>RFC3739  </a></li>Internet X.509 Public Key Infrastructure: Qualified Certificates Profile
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc3709.txt";>RFC3709  </a></li>Internet X.509 Public Key Infrastructure: Logotypes in X.509 Certificates
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc3647.txt";>RFC3647  </a></li>Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc3628.txt";>RFC3628  </a></li>Policy Requirements for Time-Stamping Authorities (TSAs)
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc3447.txt";>RFC3447  </a></li>Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc3379.txt";>RFC3379  </a></li>Delegated Path Validation and Delegated Path Discovery Protocol Requirements
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc3280.txt";>RFC3280  </a></li>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc3279.txt";>RFC3279  </a></li>Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc3278.txt";>RFC3278  </a></li>Use of Elliptic Curve Cryptography (ECC) Algorithms in Cryptographic Message Syntax (CMS)
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc3029.txt";>RFC3029  </a></li>Internet X.509 Public Key Infrastructure Data Validation and Certification Server Protocols
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc2986.txt";>RFC2986  </a></li>PKCS #10: Certification Request Syntax Specification Version 1.7
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc2985.txt";>RFC2985  </a></li>PKCS #9: Selected Object Classes and Attribute Types Version 2.0
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc2898.txt";>RFC2898  </a></li>PKCS #5: Password-Based Cryptography Specification Version 2.0
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc2847.txt";>RFC2847  </a></li>LIPKEY - A Low Infrastructure Public Key Mechanism Using SPKM
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc2693.txt";>RFC2693  </a></li>SPKI Certificate Theory
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc2692.txt";>RFC2692  </a></li>SPKI Requirements
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc2559.txt";>RFC2559  </a></li>Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv2
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc2528.txt";>RFC2528  </a></li>Internet X.509 Public Key Infrastructure Representation of Key Exchange Algorithm (KEA) Keys in Internet X.509 Certificates
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc2510.txt";>RFC2510  </a></li>Internet X.509 Public Key Infrastructure Certificate Management Protocols
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc2459.txt";>RFC2459  </a></li>Internet X.509 Public Key Infrastructure Certificate and CRL Profile
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc2437.txt";>RFC2437  </a></li>PKCS #1: RSA Cryptography Specifications Version 2.0
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc2314.txt";>RFC2314  </a></li>PKCS #10: Certification Request Syntax Version 1.5
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc2313.txt";>RFC2313  </a></li>PKCS #1: RSA Encryption Version 1.5
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc2025.txt";>RFC2025  </a></li>The Simple Public-Key GSS-API Mechanism (SPKM)
<li><a href="ftp://ftp.rfc-editor.org/in-notes/rfc1824.txt";>RFC1824  </a></li>The Exponential Security System TESS: An Identity-Based Cryptographic Protocol for Authenticated Key-Exchange (E.I.S.S.-Report 1995/4)

<h3>Other Security and Crypto Standards </h3>

<li><a href="http://www.itl.nist.gov/fipspubs/";>Federal Information Processing Standards Publications </a></li> (FIPS PUBS)
<li><a href="http://csrc.nist.gov/cryptval/140-2.htm";>FIPS PUB 140-2</a></li> Security Requirements for Cryptographic Modules.  Note that this page includes links to the standard as well as its Annexes, plus testing requirements and lists of current validated products.
<li><a href="http://csrc.nist.gov/publications/nistpubs/800-29/sp800-29.pdf";> Special Publication 800-29</a></li>: A Comparison of the Security Requirements in Cryptographic Modules in FIPS 140-1 and FIPS 140-2
<li><a href="http://csrc.nist.gov/cryptval/140-1.htm";> FIPS PUB 140-1</a></li> Security Requirements for Cryptographic Modules (now superseded by FIPS 140-2)
<li><a href="http://www.csrc.nist.gov/cc/";> ISO/IEC 15408:2000</a></li> Common Criteria; see also <a href="http://www.commoncriteria.nl/";>Dutch Common Criteria site</a>

<h3>ANSI Financial Industry PKI standards</h3>

<li><a href="http://www.x9.org/catalog2.cfm?item_no=%24%23%20%2B%2942D%2A%0A&pub_item=%2334%2A%3B%0A";>X9.30 Part 1:1997</a></li> Public Key Cryptography Using Irreversible Algorithm: Digital Signature Algorithm (DSA) 
<li><a href="http://www.x9.org/catalog2.cfm?item_no=%24%23%20%2B%294%22D%2A%0A&pub_item=%2334%2A%3B%0A";>X9.30 Part 2:1997</a></li> Public Key Cryptography Using Irreversible Algorithms for the Financial Services Industry, Part 2: The Secure Hash Algorithm
<li><a href="http://www.x9.org/catalog2.cfm?item_no=%24%23%20%2B%295SL%2A%0A&pub_item=%2334%2A%3B%0A";>X9.31:1998</a></li> Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA)
<li><a href="http://www.x9.org/catalog2.cfm?item_no=%24%23%20%2B%295CL%2A%0A&pub_item=%2334%2A%3B%0A";>X9.42:2003</a></li> Public Key Cryptography for Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography
<li><a href="http://www.x9.org/catalog2.cfm?item_no=%24%23%20%2F%204CL%2A%0A&pub_item=%2334%2A%3B%0A";>X9.55:1997</a></li> Certificate Extensions for Multi-Domain Operations
<li><a href="http://www.x9.org/catalog2.cfm?item_no=%24%23%20%2F%2043L%2A%0A&pub_item=%2334%2A%3B%0A";>X9.57:1997</a></li> Public Key Cryptography For the Financial Services Industry: Certificate Management
<li><a href="http://www.x9.org/catalog2.cfm?item_no=%24%23%20%2F%204%23L%2A%0A&pub_item=%2334%2A%3B%0A";>X9.62:1998</a></li> Public Key Cryptography: The Elliptic Curve Digital Signature Algorithm (ECDSA)
<li><a href="http://www.x9.org/catalog2.cfm?item_no=%24%23%20%2F%205SL%2A%0A&pub_item=%2334%2A%3B%0A";>X9.63:2001</a></li> Key Agreement and Key Management Using Elliptic Curve-Based Cryptography
<li><a href="http://www.x9.org/catalog2.cfm?item_no=%24%23%20%2F%2053L%2A%0A&pub_item=%2334%2A%3B%0A";>X9.68 Part 2:2001</a></li> Digital Certificates for High Transaction Volume Financial Systems
<li><a href="http://www.x9.org/catalog2.cfm?item_no=%24%23%20%2F%205%23L%2A%0A&pub_item=%2334%2A%3B%0A";>X9.69:1998</a></li> Framework for Key Management Extensions
<li><a href="http://www.x9.org/catalog2.cfm?item_no=%24%23%20%2F%2173L%2A%0A&pub_item=%2334%2A%3B%0A";>X9.73:2003</a></li> Cryptographic Message Syntax
<li><a href="http://www.x9.org/catalog2.cfm?item_no=%24%23%20%2F%217%23L%2A%0A&pub_item=%2334%2A%3B%0A";> 	X9.79:2001</a></li> PKI Practices and Policy Framework for the Financial Services Industry.  <b>Important standard upon which WebTrust for CAs was developed.</b>


<h3>ANSI Financial Industry PKI standards IN DEVELOPMENT</h3>

<li><a href="http://www.x9.org/catalog.cfm";>X9.77:200X</a></li> Public Key Infrastructure Protocols <b>Withdrawn</b>
<li><a href="http://www.x9.org/catalog2.cfm?item_no=%24%23%20%2F%214RD%2A%0A&pub_item=%232EZ%29%0A";>X9.79 Part 2:200X</a></li> Protection Profiles for Certificate Issuing and Management Systems.  Committee Voting
<li><a href="http://www.x9.org/catalog.cfm";>X9.88:200X</a></li> Long Term Non-Repudiation Using Digital Signatures <b>Withdrawn</b>
<li><a href="http://www.x9.org/catalog.cfm";>X9.89-200X</a></li> Management Protocols for Short Certificates <b>Withdrawn</b>

<h3>ISO PKI standards</h3>

<li><a href="http://www.iso.org/iso/en/CatalogueListPage.CatalogueList?COMMID=2193&scopelist=PROGRAMME";>ISO/CD 11568 </a></li> Financial services -- Key management (retail) Parts 1, 3, 4 and 5
<li><a href="http://www.iso.org/iso/en/CatalogueListPage.CatalogueList?COMMID=2193&scopelist=PROGRAMME";>ISO 13491-1:1998 </a></li> Banking -- Secure cryptographic devices (retail) -- Part 1: Concepts, requirements and evaluation methods
<li><a href="http://www.iso.org/iso/en/CatalogueListPage.CatalogueList?COMMID=2193&scopelist";>ISO 15782-1:2003 </a></li> Banking -- Certificate management for financial services -- Part 1: Public key certificates
<li><a href="http://www.iso.org/iso/en/CatalogueListPage.CatalogueList?COMMID=2193&scopelist";>ISO 15782-2:2001 </a></li> Banking -- Certificate management -- Part 2: Certificate extensions 
<li><a href="http://www.iso.org/iso/en/CatalogueListPage.CatalogueList?COMMID=4720&scopelist";>	ISO/TS 17090-1:2002  </a></li> Health informatics -- Public key infrastructure -- Parts 1-3: Framework and overview, Certificate profile, and Policy management of certification authority
<li><a href="http://www.iso.org/iso/en/CatalogueListPage.CatalogueList?COMMID=2193&scopelist=PROGRAMME";> ISO/CD 21188 </a></li> Public key infrastructure for financial services -- Practices and policy framework

<h3>PKCS Series</h3>
The PKCS series of cryptographic standards is managed by RSA Security Inc.  The PKCS standards have moved 
beyond being proprietary and, in most of the PKI community, now have standing equivalent to that of IETF or IEEE standards.  
<p></p>
<li><a href="http://www.rsasecurity.com/rsalabs/node.asp?id=2125";>PKCS #1</a></li> RSA Cryptography Standard
<li><a href="http://www.rsasecurity.com/rsalabs/node.asp?id=2126";>PKCS #3</a></li> Diffie-Hellman Key Agreement Standard
<li><a href="http://www.rsasecurity.com/rsalabs/node.asp?id=2127";>PKCS #5</a></li> Password-Based Cryptography Standard
<li><a href="http://www.rsasecurity.com/rsalabs/node.asp?id=2128";>PKCS #6</a></li> Extended-Certificate Syntax Standard
<li><a href="http://www.rsasecurity.com/rsalabs/node.asp?id=2129";>PKCS #7</a></li> Cryptographic Message Syntax Standard
<li><a href="http://www.rsasecurity.com/rsalabs/node.asp?id=2130";>PKCS #8</a></li> Private-Key Information Syntax Standard
<li><a href="http://www.rsasecurity.com/rsalabs/node.asp?id=2131";>PKCS #9</a></li> Selected Attribute Types
<li><a href="http://www.rsasecurity.com/rsalabs/node.asp?id=2132";>PKCS #10</a></li> Certification Request Syntax Standard
<li><a href="http://www.rsasecurity.com/rsalabs/node.asp?id=2133";>PKCS #11</a></li> Cryptographic Token Interface Standard
<li><a href="http://www.rsasecurity.com/rsalabs/node.asp?id=2138";>PKCS #12</a></li> Personal Information Exchange Syntax Standard
<li><a href="http://www.rsasecurity.com/rsalabs/node.asp?id=2139";>PKCS #13</a></li> Elliptic Curve Cryptography Standard
<li><a href="http://www.rsasecurity.com/rsalabs/node.asp?id=2141";>PKCS #15</a></li> Cryptographic Token Information Format Standard

<h3>Smartcard Standards & Guidelines</h3>

<li><a href="http://www.iso.org/iso/en/ISOOnline.frontpage";>ISO 7810 and ISO 7816 </a></li> Peak international physical, mechanical and electronic standards for plastic cards with embedded chips.
<li><a href="http://www.pcscworkgroup.com/";>PC/SC</a></li> Smart card reader architecture specification for PCs.  See also <a href="http://www.pcscworkgroup.com/specifications/overview.php";>specs</a>
<li><a href="http://smartcard.nist.gov/";>NIST Smartcards standards and research </a></li> Home page for the National Institute of Standards and Technology smartcard related activities
<li><a href="http://www.iso.org/iso/en/ISOOnline.frontpage";>ISO 14443 </a></li> Defines the RFID proximity smart card standard (two types with different modulation specs)
<li><a href="http://www.smartcard.gov/information/smartcardhandbook.pdf";>US Government Smart Card Handbook </a></li> by the US General Services Administration


<h3>European Electronic Signature Standards</h3>
A comprehensive list of relevant standards including certificate profiles is available at <a href="http://portal.etsi.org/esi/el-sign.asp";>ETSI</a>. 
See also <a href="http://portal.etsi.org/esi/esi_faq.asp";>ETSI FAQ</a>. 
<p></p>
<li><a href="http://webapp.etsi.org/workprogram/Report_WorkItem.asp?WKI_ID=19806";>TS 101 862 v.1.3.1</a></li> Qualified Certificate Profile, based on RFC 3679  X.509 Public Key Infrastructure Qualified Certificates Profile
<li><a href="http://pda.etsi.org/pda/home.asp?wki_id=ctD1N0J3k.DFDIGGso5VL";>TS 101 903 v.1.2.2</a></li> XML Advanced Electronic Signatures (XAdES); specifies the XML format for Advanced Electronic Signatures satisfying the requirements defined in the European Directive for Electronic Signatures. 


<h3>PKI based Protocols</h3>

<li><b>IPSEC</b> A comprehensive list of IPSEC related RFCs and Internet Drafts is available at the 
Working Group Home Page: <a href="http://www.ietf.org/html.charters/ipsec-charter.html";>IPSEC Charter</a>.  
See also Advanced Engineering Resources above.</li> 
<li><b>SSL</b> <a href="http://wp.netscape.com/eng/ssl3/";>SSL v3.0 Specification</a>. See also Advanced Engineering Resources above. 
<li><b>TLS</b> <a href="http://ietf.org/rfc/rfc2246.txt";>RFC 2246</a> the TLS Protocol Version 1.0. See also Advanced Engineering Resources above. 
<li><b>S/MIME</b> A comprehensive list of S/MIME related RFCs and Internet Drafts is available at the 
Working Group Home Page: <a href="http://www.imc.org/ietf-smime/index.html";>S/MIME Home</a>.  
Further links to related e-mail fundamentals (such as MIME, IMAP and POP) are collected at <a href="http://www.utoronto.ca/webdocs/Official/email.html";>Web docs</a>. See also Advanced Engineering Resources above.   


<h3>Alternative, Novel, Developmental and Historical public key management systems </h3>

<h4>PGP - Pretty Good Privacy</h4>
The latest technical developments on PGP standards are at <a href="http://www.ietf.org/html.charters/openpgp-charter.html";>Open PGP</a>.  
For information about products, see <a href="http://www.pgp.com">commercial PGP</a> and for PGP shareware, see <a href="http://www.pgpi.org";>free PGP</a>.  
<li><a href="http://www.ietf.org/html.charters/openpgp-charter.html";>OpenPGP Message Format </a></li> All information needed to develop interoperable applications based on the OpenPGP format. It is not a step-by-step cookbook for writing an application. It describes only the format and methods needed to read, check, generate, and write conforming packets crossing any network. It does not deal with storage and implementation questions. It does, however, discuss implementation issues necessary to avoid security flaws.
<li><a href="http://www.ietf.org/rfc/rfc3156.txt";>RFC 3156 </a></li>MIME Security with OpenPGP.  This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements.  Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol.

<h4>PEM - Privacy Enhanced Email</h4>

<li><a href="http://ietf.org/rfc/rfc1424.txt";>RFC 1424 </a></li><i> Privacy Enhancement for Internet Electronic Mail: Part IV: Key Certification and Related Services (Standard).  </i>This document describes three types of service in support of Internet Privacy-Enhanced Mail (PEM) [RFC 1421-1424]: key certification, certificate-revocation list (CRL) storage, and CRL retrieval. Such services are among those required of an RFC 1422 certification authority.
<li><a href="http://ietf.org/rfc/rfc1423.txt";>RFC 1423 </a></li><i> Privacy Enhancement for Internet Electronic Mail (PEM): Part III: Algorithms, Modes, and Identifiers.  </i>This document provides definitions, formats, references, and citations for cryptographic algorithms, usage modes, and associated identifiers and parameters used in support of Privacy Enhanced Mail (PEM) in the Internet community.
<li><a href="http://ietf.org/rfc/rfc1422.txt";>RFC 1422 </a></li><i> Privacy Enhancement for Internet Electronic Mail (PEM): Part II: Certificate-Based Key Management.  </i>This document defines a supporting key management architecture and infrastructure, based on public-key certificate techniques, to provide keying information to message originators and recipients. RFC 1424 provides additional specifications for services in conjunction with the key management infrastructure described herein.
<li><a href="http://ietf.org/rfc/rfc1421.txt";>RFC 1421 </a></li><i> Privacy Enhancement for Internet Electronic Mail (PEM): Part I: Message Encryption and Authentication Procedures.  </i>This document defines message encryption and authentication procedures, in order to provide privacy-enhanced mail (PEM) services for electronic mail transfer in the Internet.



<h4>Simple PKI</h4>
See <a href="http://www.ietf.org/html.charters/spki-charter.html";>SPKI Charter</a>.   
"The IETF Simple Public Key Infrastructure [SPKI] Working Group is tasked with producing a certificate structure and operating procedure to meet the needs of the Internet community for trust management in as easy, simple and extensible a way as possible."
Note that the last update to the SPKI Goals and Milestones was in 1997, and the latest RFC dates from 1999. 
<p></p>
<li><a href="http://www.ietf.org/rfc/rfc2692.txt";>RFC 2692 </a></li><i> SPKI Requirements. </i> The SPKI Working Group first established a list of things one might want to do with certificates (attached at the end of this document), and then summarized that list of desires into requirements. This document presents that summary of requirements.
<li><a href="http://www.ietf.org/rfc/rfc2693.txt";>RFC 2693 </a></li><i> SPKI Certificate Theory.</i> This memo defines an Experimental Protocol for the Internet community.  It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested.


</ul></p><hr></div>

<a name="laws"></a>
<h2>Electronic signature Laws and Regulations</h2>

<h3>Useful legal resources</h3>

<li><a href="http://www.bakerinfo.com/ecommerce/";>Baker & McKenzie E-Commerce Law Resources</a></li>	
<li><a href="http://www.mbc.com/ecommerce.html";>McBride Baker & Coles <i>Spotlight on e-commerce</i></a></li> Easy to use and comprehensive directory of international legislation and regulations.  A little out of date in places. 
<li><a href="http://www.pkilaw.com/";>PKI and the Law</a></li>	Out of date by four or five years, but nevertheless a rich source of historical documents and references. 

<p></p> 

<b>The following sections list US state and international e-signature legislation, organised according to the type of 
law -- <i>Technology Neutral</i>, <i>Prescriptive</i>, or <i>Two Tier</i>.</b>  

<h3>Technology Neutral E-Signature Laws</h3>

<i>Technology-neutral</i> (aka <i>Light Touch</i>) laws have little or nothing to say on the merits of particular security 
technologies, but instead tend to bestow broad equivalence on documents, whether in electronic or paper form. 
Technology neutrality puts the onus on users, designers and service providers to select authentication technology 
on a risk-managed basis, agreeing on what is fit for purpose. The United Nations Commission on International Trade 
Law (UNCITRAL) developed a Model Electronic Commerce Law which has informed technology-neutral legislation around 
the world. Some analysts bemoan a lack of legal certainty under these types of laws, although in most jurisdictions, 
contract law allows for 'scheme rules' to adequately manage e-commerce risks without any real need for overarching 
e-signature sanctions. Examples include the U.S., Canada and Australia.
<p></p> 
The technology neutral UNCITRAL definition of "electronic signature" is: <i>data in electronic form in, affixed to 
or logically associated with, a data message, which may be used to identify the signatory in relation to the data 
message and to indicate the signatory's approval of the information contained in the data message.</i> 

<h4>UNCITRAL</h4>

The United Nations Commission on International Trade Law (UNCITRAL) develops "model laws" or templates upon 
which governments can develop their own particular legislation. 

<li><a href="http://www.uncitral.org/english/texts/electcom/ml-ecomm.htm";>UNCITRAL Model Law on Electronic Commerce</a></li> with Guide to Enactment 1996. The peak model law for technology neutral electronic signature legislation.
<li><a href="http://www.uncitral.org/english/texts/electcom/ml-elecsig-e.pdf";>UNCITRAL Model Law on Electronic Signatures </a></li> with Guide to Enactment 2001

<h4>US Federal Acts</h4>

<li><a href="http://www.dir.state.tx.us/standards/S761.pdf";>E-SIGN </a></li> Electronic Signatures in Global and National Commerce Act 2000
<li><a href="http://www.law.upenn.edu/library/ulc/uecicta/eta1299.htm";>UETA</a></li> Uniform Electronic Transactions Act, a model law for US states. 

<h4>Asian Nations</h4>

<li><a href="http://www.ag.gov.au/agd/WWW/securitylawHome.nsf/Page/e-commerce_Electronic_Transactions_Act_-_Advice_for_Commonwealth_Departments";>	Australia: Electronic Transactions Act </a></li> 2000
<li><a href="http://www.ecommerce.govt.nz/legislation/index.html";>	New Zealand: Electronic Transactions Act </a></li>  2003
<li><a href="http://www.ida.gov.sg/idaweb/pnr/infopage.jsp?infopagecategory=regulation:pnr&infopageid=I1934&versionid=1";>Singapore: Electronic Transactions Act </a></li>  1998

<h4>US State Legislation</h4>

<b>Note that further work is needed to check our classifications of US state laws against more authoritative sources 
such as the <a href="http://www.ilpf.org/groups/digapp.pdf";>ILPF E-Signature Law Survey</a>.</b>
<p></p>

<li><a href="http://www.touchngo.com/lglcntr/akstats/Statutes/Title09/Chapter25/Section510.htm";>Alaska</a></li> AS 09.25.510. Electronic Records and Signatures
<li><a href="http://www.delcode.state.de.us/title6/c012a/index.htm";>Delaware</a></li>TITLE 6 Commerce and Trade SUBTITLE II Other Laws Relating to Commerce and Trade CHAPTER 12A. Uniform Electronic Transactions Act
<li><a href="http://dccouncil.dc.gov/images/00001/20010720165913.pdf";>District of Columbia</a></li> 2001 Uniform Electronic Transactions Act
<li><a href="http://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0489E/HRS_0489E-.htm";>Hawaii</a></li>Chapter 489E Uniform Electronic Transaction Act
<li><a href="http://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0489E/HRS_0489E-.htm";>Idaho</a></li>Title 28 Commercial Transactions Chapter 50 Uniform Electronic Transactions Act
<li><a href="http://www.state.in.us/legislative/bills/2000/HE/HE1395.1.html";>Indiana</a></li>Chapter 8. Uniform Electronic Transactions Act
<li><a href="http://data.opi.state.mt.us/bills/2001/LcHtml/LC1037.htm";>Montana</a></li>"An Act Adopting The Uniform Electronic Transactions Act"  <b>Note that this draft bill was cancelled.  More research needed into current status.</b>
<li><a href="http://www.oft.state.ny.us/esra/Guidelines_files/index.htm";>New York</a></li>Electronic Signatures and Records Act
<li><a href="http://www.lsb.state.ok.us/house/hb3287.htm";>Oklahoma 1998</a></li>Electronic Records and Signature Act 
<li><a href="http://www.legis.state.pa.us/WU01/LI/BI/BT/1999/0/SB0555P1555.HTM";>Pennsylvania</a></li> 1999 Senate Bill 555 Regulating electronic transactions Act
<li><a href="http://www.rilin.state.ri.us/PublicLaws/law00/law00259.htm";>Rhode Island</a></li> 2000 Chapter 127.1 The Uniform Electronic Transactions Act. This Act superseded the previous Chapter 42-127 of the General Laws "Electronic Signatures and Records Act". 
<li><a href="http://www.leg.state.vt.us/docs/legdoc.cfm?URL=/docs/2004/acts/ACT044.HTM";>Vermont </a></li>Chapter 20.  Uniform Electronic Transactions Act
<li><a href="http://leg1.state.va.us/cgi-bin/legp504.exe?ses=011&typ=bil&val=hb2412";>Virginia</a></li>HB 2412 Computer Information Transactions Act
<li><a href="http://www.wvsos.com/common/wvcesignatures.htm#Article%203";>West Virginia</a></li>Chapter 39A. Electronic Commerce Article 1. Uniform Electronic Transactions Act

<h3>Prescriptive E-Signature Laws</h3>

Prescriptive legislation seeks to somehow constrain the types of signature technologies that are acceptable.  
These types of laws can go so far as to deny legal rights to electronic transactions unless they are secured using 
an approved technology, typically government-licensed PKI. Further, there can be legal sanctions against operating 
unlicensed certificate authorities in these places. Critics say prescriptive legislation can stifle innovation and 
restrict free trade. Examples include the U.S. state of Utah, Malaysia, Italy, Korea and India.

<h4>Asian Nations</h4>

<li><a href="http://www.mit.gov.in/ngnitact.asp";>India: Information Technology Act</a></li>  2000 
<li>Malaysia: Digital Signatures Act 1997

<h4>US State Legislation</h4>

The pieces of legislation listed below are classified as "prescriptive" even though they exhibit a range of 
degrees of prescriptiveness.  If a law is seen to deviate from the accepted international UNCITRAL definition 
of electronic signature, then it is classified here as prescriptive.  <b>Note that further work is needed to check our classifications of US state laws against more authoritative sources 
such as the <a href="http://www.ilpf.org/groups/digapp.pdf";>ILPF E-Signature Law Survey</a>.</b>
<p></p>
<li><a href="http://www.arkleg.state.ar.us/ftproot/bills/1999/htm/SB418.pdf";>Arkansas</a></li> The definition of "electronic signature" in the bill is not standard, as it requires changes to signed data to invalidate the signature.  This clause is absent in internationally accepted technology neutral formulations. The Arkansas law also puts constraints on "electronic signature verification companies".
<li><a href="http://www.ss.ca.gov/digsig/digsigfaq.htm#why";>California</a></li>  
<li><a href="http://gsulaw.gsu.edu/gsuecp/Act/ActContents.htm";>Georgia</a></li> 1997 Georgia Electronic Records and Signatures Act
<li><a href="http://www.michigan.gov/cis/0,1607,7-154-10573_11549_17760-45860--,00.html";>Michigan</a></li> Senate Bill 204. The link provides some discussion about the Bill prior to its passing.  Status unknown.  Language is indicative of a prescriptive digital signature approach.
<li><a href="http://www.sos.state.mn.us/business/digital/gl.html";>Minnesota</a></li> Permanent Rules Governing Electronic Authentication Chapter 8275. Detailed rules for the licensing of CAs in Minnesota.
<li><a href="http://www.senate.state.mo.us/98info/bills/SB708.htm";>Missouri</a></li> SB 0708 Digital Signatures Act
<li><a href="http://www.leg.state.nv.us/nac/nac-720.html";>Nevada</a></li> Chapter 720 - Digital Signatures
<li><a href="http://www.legis.state.nm.us/Sessions/99%20Regular/bills/senate/SB0146.pdf";>New Mexico</a></li> 1999 SB0146 Electronic Authentication of Documents Act. Involves a centralised service for authenticating digitally signed documents.
<li><a href="http://landru.leg.state.or.us/ors/192.html";>Oregon</a></li> 1997 Digital Signature Act. See also <a href="http://www.oregondfcs.org/digsig.htm";>dig sig</a>
<li><a href="http://arcweb.sos.state.or.us/rules/OARS_400/OAR_441/441_780.html";>Oregon</a></li> Division 780 Electronic Signatures Act
<li><a href="http://info.sos.state.tx.us/pls/pub/readtac$ext.ViewTAC?tac_view=4&ti=1&pt=10&ch=203";>Texas</a></li> Chapter 203 Management Of Electronic Transactions And Signed Records
<li><a href="http://www.le.state.ut.us/~code/TITLE46/46_02.htm";>Utah</a></li> Title 46 - Chapter 03 - Utah Digital Signature Act. Note that Utah has also enacted a version of UETA.  It is not known at this time how Utah's <a href="http://www.le.state.ut.us/~code/TITLE46/46_03.htm";>"UETA"</a> relates to its prescriptive Digital Signatures Act.  
<li><a href="http://www.legis.state.wi.us/1997/data/acts/97Act306.pdf";>Wisconsin</a></li> 1997 Act 306.  While the definition of Electronic Signature is neutral, the Act qualifies the use of Electronic Signatures requiring them to be invalidated if the signed data changes (see para 137.06(d)).

<h3>Two Tier E-Signature Laws</h3>

Two-tier laws recognize that the intrinsic characteristics of some authentication technologies provide for better 
risk management; these laws, therefore, provide stronger legal presumptions to users of approved technologies. 
UNCITRAL's Uniform Rules on Electronic Signatures characterize <i>qualified signature</i> technologies in terms of 
their ability to ensure integrity of content as well as identity of origin. Today, only public key technologies 
qualify. Users under these laws remain free to agree on any other authentication technology that suits their 
purposes, and to manage their legal risks via contract. Two-tier laws have been enacted by the European Commission, 
Japan, Hong Kong and Singapore.

<h4>European Nations</h4>

<li><a href="http://europa.eu.int/eur-lex/pri/en/oj/dat/2000/l_013/l_01320000119en00120020.pdf";>EU Directive 1999/93/EC </a></li> of the European Parliament: Community framework for electronic signatures
<li><a href="http://europa.eu.int/information_society/eeurope/2005/all_about/security/esignatures/index_en.htm";>EU Notification Procedure</a></li> whereby EU member states provide information to the European Commission on voluntary national PKI accreditation schemes under Directive 1999/93/EC. 
<li><a href="http://portal.etsi.org/esi/esi_faq.asp";>FAQ</a></li> for European Electronic Signature Standards.
<li><a href="http://www.hmso.gov.uk/acts/acts2000/20000007.htm";>UK: Electronic Communications Act </a></li> 2000 Chapter c.7
<li><a href="http://www.legislation.hmso.gov.uk/si/si2002/20020318.htm";>UK: Electronic Signatures Regulations</a></li> 2002
<li>Germany: Law Governing Framework Conditions for Electronic Signatures (Signatures Law - SigG) 2001</li>	
<li><a href="http://www.signatur.rtr.at/en/legal/sigg.html";>Austria: Federal Electronic Signature Act</a></li> (SigG), BGBl I 1999/190.<b> NB: In German.</b> See also <a href="http://www.signatur.rtr.at/en/legal/";>in English</a>. Austria claimed to be the first EU member state to comply with Directive 1999/93/EC.
<li> Finland: Act on Electronic Signatures (14/2003)</li>	

<h4>Asian Nations</h4>

<li>Hong Kong: Electronic Transactions Ordinance</li>

<h4>US State Legislation</h4>

<b>Note that further work is needed to check our classifications of US state laws against more authoritative sources 
such as the <a href="http://www.ilpf.org/groups/digapp.pdf";>ILPF E-Signature Law Survey</a>.</b> The states of 
Illinois, Kansas and New Jersey all boast state-wide PKIs but it is not clear if these states' legislation is 
prescriptive; that is, we do not know if the states mandate the use of their PKIs. <b>More research is needed in these areas.</b>
<p></p>

<li><a href="http://www.azsos.gov/pa/Approved-CA-List.html";>Arizona</a></li> The Arizona Secretary of State maintains a list of <i>Approved CAs</i> which would indicate some sort of second tier of control.  
<li><a href="http://www.illinois.gov/pki/default.cfm";>Illinois</a></li> 
<li><a href="http://da.state.ks.us/itab/PKIMain.htm";>Kansas</a></li> 
<li><a href="https://pkice.state.nj.us/";>New Jersey</a></li> 
<li><a href="http://www.secstate.wa.gov/ea/ea.aspx";>Washington</a></li> Chapter 19.34 RCW Washington Electronic Authentication Act.  The Definitions in the Act distinguish Electronic and Digital Signatures, suggestive of a two tier approach.  More research needed to be sure.


</ul></p><hr></div>
<a name="assurance"></a>
<h2>Certification Authority Assurance Programs</h2>

<h3>Industry operated assurance schemes</h3>

<li><a href="http://www.webtrust.org/CertAuth_fin.htm";>WebTrust for CAs</a></li> of the American Institute of Certified Public Accountants.

<h3>European voluntary accreditation schemes under Directive 1999/93/CE</h3>

<li><a href="http://www.tscheme.com/";>UK's tScheme </a></li> is an independent, not-for-profit company providing assessment of trust service providers against Approval Profiles.  
<li><a href="http://www.regtp.de/en/tech_reg_tele/start/in_06-02-00-00-00_m/fs.html";>Germany's Regulatory Authority for Telecommunications and Posts </a> (Reg TP). See also the <a href="http://www.regtp.de/en/tech_reg_tele/start/in_06-02-05-00-00_m/index.html";> list of approved products</a></li>  
<li>Belgium's Service de la Signature électronique (BE.SIGN)</li> 
<li><a href="http://www.signatur.rtr.at/en/supervision/index.html";>Austria's Telekom-Control Commission</a></li>
<li><a href="http://www.cnipa.gov.it/site/it-IT/In_primo_piano/Elenco_certificatori/Normativa/";>Italy</a></li> NOTE: In Italian

<h3>Other assurance schemes</h3>

<li><a href="http://www.agimo.gov.au/infrastructure/gatekeeper";>Project Gatekeeper</a></li> is an accreditation scheme applied by the Australian Government to all PKI service providers who wish to supply to government agencies.
<li><a href="http://www.e-government.govt.nz/see/pki/accreditation-guide.asp";>New Zealand Government SEE</a></li> i.e. Secure Electronic Environment. 

<h3>Proprietary assurance schemes</h3>

<li><a href="http://www.cygnacom.com/services/certification.htm";>Cygnacom Inc. </a></li>



</ul></p><hr></div>
<a name="other"></a>
<h2>Other information</h2>

<h3>PKI research laboratories</h3>

<li><a href="http://www.rsasecurity.com/rsalabs/";>RSA Laboratories</a></li>
<li><a href="http://middleware.internet2.edu/pkilabs/";>Internet2 PKI Labs</a></li> Internet2 is a consortium being led by over 190 universities working in partnership with nearly 100 industry vendors and government to develop and deploy advanced network applications and technologies.
<li><a href="http://www.dartmouth.edu/~pkilab/About.html";>Dartmouth College PKI Lab</a></li> See also Dartmouth's <a href="http://www.dartmouth.edu/~deploypki/deploying/";>deployment</a> notes.


<h3>PKI link farms</h3>

<li><a href="http://www.pki-page.org";>The PKI Page </a></li> comprehensive collection of links to commercial CAs 
<li><a href="http://csrc.nist.gov/pki/twg/links.htm";>NIST's PKI Related Links </a></li>	from the National Institute of Standards and Technology 
<li><a href="http://theory.lcs.mit.edu/~rivest/crypto-security.html";>Ron Rivest </a></li> one of the founders of cryptography as we know it today. 
<li><a href="http://www.cs.auckland.ac.nz/~pgut001/links.html";>Peter Gutmann </a></li> is a New Zealand-based academic noted for his criticisms of conventional PKI.  The links to CAs and PKI programs are somewhat dated.


<h3>PKI Conferences (with publicly available proceedings)</h3>

<li><a href="http://www.cs.dartmouth.edu/~pki02/";>1st Annual PKI Research Workshop</a></li> Dartmouth College April 2002
<li><a href="http://middleware.internet2.edu/pki03/PKI03-proceedings.html";> 2nd Annual PKI Research Workshop</a></li> NIST Gaithersburg MD April 2003 
<li><a href="http://middleware.internet2.edu/pki04/proceedings/";>3rd Annual PKI Research Workshop</a></li> NIST Gaithersburg MD April 2003
<li><a href="http://middleware.internet2.edu/pki05/";>4th Annual PKI Research Workshop</a></li> NIST Gaithersburg MD April 2003
<li><a href="http://www.japanpkiforum.jp/symposium/english/index_e.htm";>2nd Asia PKI Forum Symposium</a></li> Japan 2002 
<li><a href="http://symposium.pki.or.kr/02program.html";>3rd Asia PKI Forum International Symposium</a></li> Korea 2003
<li><a href="http://asia-pkiforum.org/july_shanghai/Symposium.htm";>4th Asia PKI Forum International Symposium</a></li> Shanghai 2004
<li><a href="http://dsns.csie.nctu.edu.tw/iwap/lecture_notes.htm";>3rd International Workshop on Applied PKI</a></li> Taipei 2003
<li><a href="http://itslab.csce.kyushu-u.ac.jp/iwap04/Final_Program_of_IWAP04.html";>4th International Workshop on Applied PKI</a></li> Japan 2004
<li><a href="http://www.dartmouth.edu/~deploypki/summit04/proceedings.html";>PKI Unlocked Summit and Workshop for Deploying PKI to End Users in Higher Education</a></li> Dartmouth College July 2004

<h3>Vendor white paper libraries</h3>

<li>Entrust	<a href="http://www.entrust.com/resources/whitepapers.cfm";>white papers</a></li> 
<li>Verisign <a href="http://www.verisign.com/resources/wp/";>white papers</a> and <a href="http://www.verisign.com/resources/success/index.html";>success stories</a></li> 
<li>RSA Security <a href="http://www.rsasecurity.com/content_library.asp";>content library</a> and <a href="http://www.rsasecurity.com/success_stories.asp?id=1233&node=14";>success stories</a></li>  

<h3>General IT security organisations</h3>

<li><a href="http://www.iacr.org/";>International Association for Cryptologic Research</a></li>  	
<li><a href="http://www.digitalidworld.com/";>Digital Id World	 </a></li> 
<li><a href="http://www.sans.org">SANS Institute</a></li>
<li><a href="http://www.isaca.org">Information Systems Audit and Control Association</a></li>
<li><a href="http://www.biometrics.org/";>The Biometric Consortium	</a></li> 
<li><a href="http://www.abanet.org/scitech/ec/isc/home.html";>American Bar Association Information Security Committee	</a></li> 


