Annex 2
Requirements to Be Adopted by New Zealand Government Agencies with Respect to the Use or Deployment of Trusted Computing Technologies
Draft for Consultation Purposes
Agencies should not use trusted computing technologies unless they can be satisfied that the following criteria will be met:
Transparency and disclosure of interfaces and specifications
Documentation should be available for all the functionality within the Trusted Platform Module (TPM). The application scenarios for the expected use of the TPM should be documented in an easy-to-understand manner. They should illustrate the effects of the TPM in practical use and should identify the end applications concerned.
The algorithms and key lengths used for encryption and signature functions should be documented. They should be approved by GCSB for IN-CONFIDENCE material.
Certification of the security system
The TPM should be certified at least to Common Criteria EAL4. The security and strength of the mechanisms used to generate keys should also be independently validated.
System security, data backup and migration
The TC solution should allow transfer of the information stored in an existing security module to a new hardware platform in such a manner that users can continue using their software and data on the new hardware platform. It must be possible to migrate any cryptographic keys of the TPM from one hardware platform to another.
Any TC applications considered - including DRM solutions - should cater for the user's right to copy data and programs for private purposes.
If data that is not copyrighted is processed with the involvement of the TPM, it must be possible to transfer and use that data on other systems which do not include a security module.
System check by the user
System owners and/or users must be able to decide whether the TC functions are to be used. This means that it must be possible to fully deactivate the security module. Deactivation of the security module should not affect the functionality of any hardware and software components that do not use the TC functions.
System owners must have full control of their TC keys, and they should be able to delete these keys and to generate new keys when necessary. They must be able to re-initialise any keys other than those that serve the unambiguous identification of the security module (such as the endorsement keys). It should be possible to delete any information previously stored in the TPM and to cancel its functionality (for example, when scrapping the PC).
Where possible, the use of personalised programs, data and online services should be linked to a personalised smartcard rather than the TPM. This will enable more flexible user-related access to data and significantly reduce migration problems.
The TPM should not hinder the use of any software by requiring validation by an external online service once initial one-off licensing requirements for the software have been satisfied.
If the use of a certification authority is offered or required, users should have a choice as to which CA they wish to use. Government users should only use government-approved CAs.
Using the security functions of the TPM must be possible even without an online connection (Internet).
User awareness and consent of data protection and transmittal
Data protection functions must be transparent so that users can at all times exercise their right of freedom of information and deactivate these functions for the information and files that they 'own'.
If personal data is transmitted in conjunction with the use of the TC, the user must be able to consent to such transmission in each and every case.
The user must be informed of the type and extent of data transmitted to the application vendor or any other third party, if any, in connection with the use of the TC.