V. Accreditation - The Right Combination
A. The Process of Accreditation
In the search for interoperability, "accreditation"
in the PKI industry is seen as an alternative to licensing or regulation
of PKI. In the emerging global vocabulary, CAs and PKIs are "assessed"
by those who "evaluate standards" before the fact, and by auditors who
"audit compliance with standards" after the fact. Accrediting
bodies "accredit" the evaluators and auditors as competent to serve in
these capacities.
Dec 13, 1999 - The So-Called "EU Electronic Signature Directive,"
Directive 1999/93/EC of the European Parliament and of the Council of 13
December 1999 on a Community framework for electronic signatures. (Document
399L0093, OJ L 013, 19/01/2000 p. 0012 - 0020).
Sep 16, 1999
Official Version (June 28, 1999) of the European Electronic Signature Directive,
the "Common Position". Courtesy of Hans Nilsson (updating June
22, 1999 posting).
July 22, 1999 Update - Final Approved Report
(7/20/99) of the EESSI Expert Team. Courtesy of Hans Nilsson,
Chairman.
June 22, 1999 - The June 18, 1999 Final
Draft of the EESSI Expert Team Report, for the European
Electronic Signature Standardization Initiative, for discussion July 1,
1999 at the EESSI Open Meeting in Brussels. Implementation of the
European Commission's Directive to provide a common framework for electronic signatures.
The Project Leader of the Expert Team is Hans
Nilsson, iD2 Technologies, Sweden, and other members of the team are
Patrick Van Eecke, ICRI-K.U.Leuven, Belgium, Manuel Medina, Univ of Catalunya,
Spain, Denis Pinkas, Bull, France, and Nick Pope, Security and Standards
Consultancy, UK. A clear compilation and synthesis of the existing
universe of relevant technical and legal standards (with a wealth of links)
by seasoned experts to provide a focussed path forward for PKI in the EU.
In EESSI terminology, the equivalent of PKI digital signatures are "enhanced
electronic signatures," which become "qualified electronic signatures"
if they are based on qualified certificates and are created by a secure
signature creation device.
June 2, 1999 - The PKI Assessment Guidelines (PAG) are a major project
in process of the American Bar Association Information Security Committee,
chaired by Michael Baum, Esq. of VeriSign, Inc.
The most recent meeting was in Palo Alto Jun 1-2, 1999. The next
meeting is in Ottawa Aug 26-28, 1999. Access to the current draft
of the PAG is restricted to those who are working on it. A public
"request for comment" draft is expected to be released on the Internet
at the end of 1999. The Co-Reporters are Charles
R. Merrill and Randy Sabett.
1999 Edition of BS 7799 - British
Standard intended for use as a reference document by managers and employees
who are responsible for information security within their organization.
Commonly accepted policy and best practices for information security.
Requirements/guidance on procedural and technical controls. Part
1: 1995 is The Code of Practice. Part 2: 1998 is The Requirements
Specification.
Spring 1998 - Merrill, Charles R., McCarter & English LLP,
"The Accreditation Guidelines: A Progress Report
on a Work in Process of the ABA Information Security Committee,"
38 Jurimetrics 345 (ABA Section of Science & Technology Spring 1998)