V.  Accreditation - The Right Combination

B.  Draft Certificate Policies (CPs) and Certification Practice Statements (CPSs)

A Certificate Policy is "a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements." (X.509)


  1/4/99 - Final Government of Canada PKI Certificate Policies (see 8/14/98 below).

  10/27/98 - The CARAT (Certification Authority Rating and Trust Guidelines) Draft PKI Guidelines of the Internet Council of NACHA (National Automated Clearing House Association)

  Sep 98 - "25 Steps to the Successful Implementation of a Corporate Public Key Infrastructure."
A concise and readable "how-to" pamphlet by veteran PKI consultant Francois Marinier of Labcal Technologies, Inc. in Quebec, designed to focus attention on the essential elements of a corporate PKI, defined by Marinier as ". . . a PKI that is used by an organization to support its own processes, which may be of a business nature, a corporate nature, or both." (Copyright 1998 Labcal Technologies, Inc., All Rights Reserved. By Permission). Francois Marinier, J.F. Sauriol, and David Cramm of Labcal are all active in the ABA Information Security Committee PKI Accreditation WorkGroup.

  8/14/98 - Government of Canada PKI Draft Certificate Policies. (see update 1/4/99 above)
The attached e-mail from Jay Garden of the GoC Communications Security Establishment, dated August 14, 1998, announces that the GoC PKI Policy Management Authority's Policy and Legal subcommittee has released, and requests external comment on, a set of eight different GoC PKI draft certificate policies, arranged in matrix format. Here is an HTML version of the draft certificate policies. Word 2.0, RTF, and WordPerfect versions are available upon request by e-mail. For background on the Government of Canada PKI initiative, see http://www.cse.dnd.ca/cse/english/gov.html

8/12/98 - Health and Human Services (HHS) Proposed Regs under HIPAA
On August 12, 1998, the U.S. Dept of Health and Human Services published proposed regulations under the Health Insurance Portability and Accountability Act (Public Law 104-91, 110 Statutes 1936 (1996)) as 45 CFR Part 142, at 63 Federal Register 43241 (Aug 12, 1998), implementing Security and Electronic Signature Standards to protect the privacy of health information. The Proposed Regs strongly endorse PKI digital signatures as the approved electronic signature technology for these purposes:

"Currently there are no technically mature techniques that provide the security service of nonrepudiation in an open network environment, in the absence of trusted third parties, other than digital signature-based techniques. Therefore, if electronic signatures are employed, we would require that digital signature technology be used." 63 F.R. 43241 at 43257 (Aug 12, 1998)

Attached is an excellent six-page summary of the Proposed Regs, prepared and e-mailed to us by John Christiansen of the Seattle office of Miller Nash Wiener Hager & Carlsen LLP. Here is a link to the full text of the proposed regulations. You can download a PDF copy by browsing the National Archives and Records Administration's online database of the Federal Register at http://www.access.gpo.gov/su_docs/aces/aces140.html

  7/8/98 - U.S. Federal PKI Steering Committee, Legal Policy Working Group - GITS "Model Certificate Policy"
On July 8, 1998, the FPKI Steering Committee issued a second draft of the Government Information Technology Services "Model Certificate Policy" for U.S. federal agencies. Part A (Introduction and Approach) is at http://gits-sec.treas.gov/model_cert_policy_intro.htm and Part B (the Certificate Policy itself) is at http://gits-sec.treas.gov/model_cert_policy_cert.htm. The March 25, 1998 first draft of this document, by Tom Smedinghoff, Esq. of McGuire, Baker & Coles, is at http://www.mbc.com/modelcp.html.

  Spring 1998 - Wu, Steven S. <VeriSign, Inc., swu@verisign.com>, "Incorporation by Reference and Public Key Infrastructures: Moving the Law Beyond the Paper-Based World," 38 Jurimetrics 317 (ABA Section of Science & Technology Spring 1998)

  Spring 1998 - Mitrakas, Andreas <Erasmus University, Rotterdam, Holland, a.mitrakas@fac.fbk.eur.nl> and Bos, Janjaap <Data Management Security Consult, Netherlands, jjb@dsemco.com>, "The ICC ETERMS Repository to Support Public Key Infrastructure," 38 Jurimetrics 473 (ABA Section of Science & Technology Spring 1998)

Jan 98 - "Delta Certificate Policies to Fulfill Specific Application Requirements -- or how to eliminate the proliferation of distinct certificate policies," an elegant paper by veteran PKI consultant J.F. Sauriol of Labcal Technologies, Inc. in Quebec, simple enough to be understood by a PKI novice, explaining how certificate policies can be designed by incremental changes without re-inventing the wheel. Includes a concise and readable summary of the IETF PKIX4 Framework by Santosh Chokhani and Warwick Ford. (Copyright 1998 Labcal Technologies, Inc., All Rights Reserved. By Permission). Francois Marinier, J.F. Sauriol, and David Cramm of Labcal are all active in the ABA Information Security Committee PKI Accreditation WorkGroup.