PKI Operational Records v. PKI Electronic Recordkeeping Requirements
Recommendation
PKI
Case Study: Overview
Not a PKI tutorial
Work for the National Archives and Records Administration
Opportunity for records managers/archivists
Digital communication
Closed and secure (national defense, VPN)
Open and secure (SSL)
Open and non-secure (PKI)
PKI
a “hot technology”
E-Commerce
E-Governance
State of Illinois
What is PKI?
A PKI is an asymmetric cryptography security environment that supports the transmission, delivery, and receipt of digital communications over a non-secure communications channel.
PKI administrative records v. PKI transaction records
Little or no good practice guidance
Certificate Policy (CP) for Access Certificates for Electronic Services
General Provisions
Identification and Authentication
Operational Requirements
Physical, Procedural, and Personnel Security Controls
Technical Security Controls
Certificate and CRL Profiles
Policy Administration
CP Operational Requirements
Certificate Issuance & Acceptance
Certificate Suspension & Revocation
Computer Security Audit Procedures
Records “Archival”
Compromise & Disaster Recovery
Certificate Practice Statement (CPS)
To Be Discussed Later Under PKI Operational and Electronic Recordkeeping Requirements
PKI Records
PKI Administrative Records
PKI Administrative Records Guidance Constraints
PKI records are not unique
PKI operational system v. PKI recordkeeping system
Some PKI records are paper-based
PKI functions
Plan/define PKI
Establish, startup, install
Operate
Audit/monitor
Reorganize/dismantle
PKI Functions, Activities, and EXAMPLE Records
Example Operate Functions and Related Records
PKI Requirements Overview
PKI Operational and Recordkeeping Requirements
Operational Systems
Recordkeeping Systems
1. Records Capture
X
X
2. Records Metadata
X
X
3. Records Retrieval
X
X
4. Records Classification
X
5. Records Disposition
X
X
6. Records Integrity
X
X
7. Records Storage*
X
8. Vital Records
X
9. Records Audit/History Log
X
X
10. Records Privacy
X
X
11. Records Security
X
X
12. Records Freezes
X
X
13. Records Transfer to ERS
X
14. Records Preservation*
X
15. Records Transfer to Archives
X
* Records storage in an operational system is substantially different from records
preservation in an electronic recordkeeping system. Some of the specific requirements
for records preservation include those of records storage.
PKI Record capture
Operational
Accurate and complete at or near the time of the event
Event log that tracks all activities associated with capture
Automatic population of record series title, disposition, and vital records status.
Recordkeeping
As database tables or as “rendered for viewing”
Technology neutral formats
Paper-based records
Document transfer of records to ERS
Confirm integrity of transferred records
Complete and accurate transfer of metadata
PKI records metadata
Operational
Augment event log data with series title, retention period, vital record status
For each unique event:
Common name
Certificate number
Date of event
Distinguished name
Restrict changes in metadata to authorized persons
Recordkeeping
Minimum attributes specified in operational requirements
For CP and CPS use registered Object ID
View/print complete metadata
Computer generated unique id for each record
Record location of electronic and paper records
Human readable bar code for all paper records
Restrict changes to authorized persons
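An added example, not part of the original slides, of the capture, metadata, and transfer requirements listed above: an event-log record carrying the four per-event attributes plus series title, retention period, and vital record status, and a check that a transfer to the ERS is complete and unaltered. The field names, the series values, and the use of SHA-256 over canonical JSON are assumptions made for illustration.

```python
import hashlib
import json
import re
import uuid
from datetime import datetime, timezone

# Assumed series values; real ones come from the agency's records schedule.
SERIES = {"series_title": "PKI certificate issuance records",
          "retention_years": 10, "vital_record": True}

def common_name(dn):
    """Return the CN value of a comma-separated distinguished name."""
    for rdn in re.split(r"(?<!\\),", dn):  # do not split on escaped commas
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip().replace("\\,", ",")
    raise ValueError("distinguished name has no CN attribute")

def digest(record):
    """SHA-256 over a canonical JSON form of everything except the digest."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def capture_event(event, dn, certificate_number, when):
    """Build one event-log record with the per-event and series metadata."""
    record = {"record_id": str(uuid.uuid4()), "event": event,
              "common_name": common_name(dn),
              "certificate_number": certificate_number,
              "date_of_event": when.astimezone(timezone.utc).isoformat(),
              "distinguished_name": dn, **SERIES}
    record["sha256"] = digest(record)
    return record

def verify_transfer(sent, received):
    """Compare the ERS copy with the operational log; return the problems."""
    got = {r["record_id"]: r for r in received}
    problems = []
    for rec in sent:
        copy = got.get(rec["record_id"])
        if copy is None:
            problems.append((rec["record_id"], "missing from transfer"))
        elif digest(copy) != rec["sha256"]:
            problems.append((rec["record_id"], "record or metadata altered"))
    return problems

# Constructed sample event, not taken from any real CA log.
SAMPLE = capture_event("certificate issued",
                       "CN=Doe\\, Jane,OU=Records,O=Example Agency,C=US",
                       "4F2A91", datetime(2001, 5, 14, 15, 30, tzinfo=timezone.utc))
```

The digest is unkeyed, so the comparison is only as trustworthy as the operational-side log it is checked against; that log has to stay under the "restrict changes to authorized persons" control.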
Recommendations
Become knowledgeable about X.509
Get involved in PKI discussions NOW
Understand the differences between operational PKI systems and PKI recordkeeping requirements
Adopt/implement federal government guidance
Don’t accept “we can’t do that” from IT and PKI vendors
“Standards are documented agreements containing technical specifications or other
precise criteria to be used consistently as rules, guidelines, or definitions or other
characteristics to ensure that materials, products, processes, and services are fit for
their purpose.” International Standards Organization
Standard Principles
Consensus
Industry-wide
Voluntary
Types of Standards
De jure (sanctioned standards organizations)
De facto (industry practice)
Proprietary (specific company practice)
What Makes A Standard Succeed?
Addresses a real need
Market place penetration
Transparent
Successful and failed standards
Strengths and Weaknesses of Standards
Strengths
Stability
Interoperability
Interconnectivity
Portability
Supports migration
Weaknesses
Lag behind technology
Not necessarily the best technical solution
Vendor compliance
Change over time
Unending migration
Standards and Migration
Selected Standards that Affect Long-Term Access to Electronic Records