Future Issues

The following issues do not fall within the scope of the authentication work, but will be applicable when the work is expanded to include encryption certificates and digital signatures.

Encryption PKI recovery

If the keying material associated with the encrypted data becomes lost or unusable for any reason, then that data will be effectively lost unless some means exists to recover the keying material. Accordingly, agencies will need to establish policies on escrowing and distributing the keying material necessary to recover such data.

Digital signatures / non-repudiation

Agencies will need to develop policies for electronically archiving digitally signed documents possibly for long periods of time. Public key certificates, even very old ones, will be maintained in association with electronic documents for the long term, and the ability to properly process the security information and maintain the level of assurance will also have to be preserved.

Agencies may have to produce these business documents as evidence, thus requiring a process for tamper-proof audit trails to show that the integrity of the data is assured. In addition to digital signature verification, agencies will also have to address other related issues, such as maintaining the validity and security of transaction time stamps and other requirements for legal proof.