[NIS] Digital Certificates APIM Proposal

Vanessa Mastros vanessa.mastros at sae-itc.org
Mon Jan 18 08:17:28 EST 2016


Greetings everyone,

The Network Infrastructure and Security (NIS) Subcommittee has prepared a draft APIM to open ARINC Report 842, "Guidance for Usage of Digital Certificates".

ARINC Report 842 was originally published in 2012 with Supplement 1 released shortly following in 2013.  ARINC Report 842 was developed as a companion document to ATA Specification 42.

Spec 42 provides guidance on common processes, tools and practices for securely transmitting, storing and exchanging commercial aviation data.
* Considerations for protecting data from corruption or manipulation while at rest or during transmission between an airplane and back office systems.
* Methods of positively identifying a person or device electronically using digital security.
* Guidance on continuous operations from the perspective of both the airline operator and the system designer.

ARINC Report 842 provides additional information to a level not available in Spec 42. Specifically,
* Guidance detail from an airline perspective on implementation of certificate management infrastructure.
* Guidance to developers of other AEEC specifications recommending that any external-entity-to-aircraft communications requiring security or message-sender authentication use existing industry standards.

Spec 42 has been revised twice since the last publication of ARINC Report 842. The most recent revision published by A4A includes:
* New guidance for non-PKI Electronic Signatures
* New guidance for selecting Certificate and Attribute Authorities
* Updated credential assurance strength recommendations
* Added typical use cases for Digital Signature in airline operations
* New guidance for use of PKI Card Management Systems
* New appendix for XML Digital Signature Profiles
* New appendices for non-PKI operational and credential provider policies
* Deprecated SHA1 in the ATA Reference Certificate Policy
* Reorganized the specification to provide more clarity, improve the flow, and better distinguish between PKI and non-PKI guidance.

In October 2015, US NIST released Special Publication (SP) 800-152, which provides general requirements/guidance for key management systems.  This document expands upon the key management framework in NIST SP 800-130, which is referenced in ARINC Report 842.  The general key management guidance within the new NIST document could be adapted to ARINC Report 842 with an aircraft approach.

With the significant changes described above, it is necessary to update ARINC Report 842 to include:

* Updates to references to Spec 42
* Incorporate appropriate additions from Spec 42 (technology) from an airline perspective.
* Review NIST 800-152 to develop additional guidance
* Incorporate any technology/business model/business process updates
* Incorporate any applicable updates in support of ATN IPS
* Gather and incorporate lessons learned from new aircraft programs and experiences with key management implementation/deployment
* Review and incorporate current certificate management processes and real world application of digital certificates.

The NIS Subcommittee would appreciate your feedback and support by January 29. Your feedback can be added to the attached document in track changes. If your organization supports this activity and/or is willing to commit for draft and participation, please add your company name to Sections 2.2 and 2.3 as appropriate.

If you have any questions, please feel free to contact me.  I am here to help and am happy to do so.

Best regards,
Vanessa



-------------- next part --------------
A non-text attachment was scrubbed...
Name: DigitalCertificatesApimProposal.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 41064 bytes
Desc: DigitalCertificatesApimProposal.docx
URL: <http://mailman.sae-itc.org/pipermail/nis/attachments/20160118/61671321/attachment-0001.docx>

