MASON ECE 646 - Factors Influencing Certificate Policy and System Architecture

This preview shows page 1-2-3-24-25-26 out of 26 pages.



Section 1— Introduction
Exhibit 1–1. EEOC 1999 Budget
Applications
1.1.1 Employer Information Report (EEO1)
Government Attorney correspondence
Citizen complaints
1.2 Government Legal Mandates for E-Government
1.2.1 Government Paperwork Elimination Act
1.2.2 Electronic signatures in global national commerce act
1.3 PKI Requirements
Citizen Complaint System
1.3.2 Secure Messaging and Archival
Industry EEO-1 Form application
Section 2— Certificate Policy
2.1 EEOC Certificate Classes
2.2 Certification Authority Policies
2.2.1 Scope of EEOC CA Certification Services
2.2.2 Registration Authority
2.2.3 Certificate Application
2.2.3.1 Application for Medium Assurance Certificate
2.2.3.2 Application for High Assurance Certificate
2.2.3.3 Rejection of Certificate Application
2.2.4 Certificate Validity and Operational Periods
2.2.4.1 Reasons for Revocation
2.2.4.2 Revocation at Certificate Owner’s Request
2.2.5 Certificate Expiry
2.2.6 Certificate Renewal
2.2.7 Rights and obligations of Certificate Owners
Rights and obligations of EEOC CA
2.2.9 Liabilities of EEOC CA
2.3 Subscriber Policies
2.3.1 Private Key Safeguarding
2.3.1.1 Key Activation
2.3.1.2 Key storage
2.3.2 Application
2.3.2.1 Enrollment / Proof of Possession
2.4 Relying Party Policies
2.4.1 Certificate Validity Period
2.4.2 Certificate Status Checking
2.4.3 Signature Verification
Section 3—PKI Architecture and PKI-Aware applications
Exhibit 3–1. Advantages and Disadvantages of PKI Alternative
Proposed Architecture
Applications
EEO-1 Filing
3.2.2 Citizen Complaint Web Site
3.2.3 Internal PKI (Messaging, secure archival)
3.2.3.1 EEOC Internal PKI Product Evaluation Matrix
3.2.3.2 PKI Product Analysis
3.2.3.3 Recommendation – Entrust PKI
Standards
X.509 v3 Certificates
3.3.2 Certificate Revocation List (CRL)
3.3.3 Online Certificate Status Checking Protocol (OCSP)
3.3.4 SSL Protocol
Section 4—Conclusions
Appendix A—References
http://csrc.nist.gov/cryptval/ - NIST Cryptographic Module Validation (CMV Program

Government PKI
Factors Influencing Certificate Policy and System Architecture
ECE 546/646 Cryptography and Computer Network Security
December 15, 2000
Steve Bruck
Francis Yuan
Khurram Chaudry

Section 1— Introduction

The Equal Employment Opportunity Commission’s (EEOC) mission is to promote equal opportunity in employment through administrative and judicial enforcement of the federal Civil Rights laws and through education and technical assistance. The EEOC receives over 100,000 complaints of employment-related discrimination nationwide. Currently, the process is performed manually. Citizens with complaints must visit the EEOC to fill out paper forms that must be hand signed.

In addition, every company or institute in the U.S. with over 100 employees has to file an employment report to EEOC every year. The number of companies is about 180,000, not including Federal Government agencies. The contents of the report are confidential and must be signed by a company official. This process is also handled manually: blank forms are sent out to companies, company officials complete and sign them, and finally EEOC contractors re-key the information into EEOC databases. It is a time-consuming, error-prone and expensive process.
In addition, there are hundreds of attorneys and investigators in EEOC who need such services as authentication, non-repudiation and confidentiality when communicating legal correspondence within or outside EEOC (possibly court of law or federal agencies).

All of the above business processes may be automated by taking advantage of the Internet and a PKI (Public Key Infrastructure) system. PKI can not only securely automate our business but also save us financially by eliminating the need for manual processes.

The EEOC employs approximately 2,544 staff based on latest estimates. The EEOC’s budget in 1999 was 242 Billion. As shown in Exhibit 1–1, only 10% of the budget was allocated to litigation support, technology, and staff training.

[Exhibit 1–1. EEOC 1999 Budget (chart labels: Salaries, Rent; Litigation Support, IT)]

ECE 543 Page 2 December 15, 2000

1.1 Applications

The EEOC accomplishes its mission by collecting employment data and by investigating and prosecuting acts of employee discrimination. The following sections identify the internal/external correspondence that is performed by the EEOC and identifies this

1.1.1 Employer Information Report (EEO1)

The EEO-1 form is required to be submitted annually by those businesses that employ over 50 people. Exhibit 1–2 shows page 1 of the EEO-1 form.

[Exhibit 1–2. EEOC’s EEO-1 Form]

Information Type                          Relative confidentiality
Employer ID #                             Low
Dun and Bradstreet ID Number              Low
Job Categories types and staff totals     Medium
Company’s Minority/Gender composition     Medium

Exhibit 1–3. Information provided on EEO-1 Form

1.1.2 Government Attorney correspondence

EEOC employs hundreds of investigators and attorneys. Once a case is taken, the communications between involved parties are confidential and in many cases signatures are required.
Those involved can be internal investigators, EEOC attorneys, complaint filers, witnesses, co-counselors, defense attorneys, technical experts, analysts, and psychologists. During those communications, the services of confidentiality, authentication, and non-repudiation are all required. The assurance level must be high; otherwise it could lead to a lawsuit in the case of a leak of sensitive information.

1.1.3 Citizen complaints

Rather than coming in person to an EEOC office, citizens can fill out an online form to begin the formal complaint process. Although SSL is sufficient to encrypt the data, a digital certificate must be provided to the citizen because the form has to be legally signed. The security level at this stage can be considered either low or medium.

1.2 Government Legal Mandates for E-Government

The following laws serve as government mandates for the EEOC to take steps to automate their business processes and to utilize PKI for supporting trust services.

1.2.1 Government Paperwork Elimination Act

The Government Paperwork Elimination Act (http://ec.fed.gov/gpedoc.htm), signed into law in October of 1988, requires federal agencies to provide for the use and acceptance of electronic signatures when practicable. The Office of Management and Budget (OMB) published guidelines on implementing GPEA. These guidelines recognize PKI as providing the strongest assurance of

