Proposal to Withdraw Special Publications 800-15, 800-25, and 800-32

0

In May 2021, NIST initiated a review of several publications, including the following NIST Special Publications (SP):

  • SP 800 15, MISPC Minimum Interoperability Specification for PKI Components, Version 1,
  • SP 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication, and
  • SP 800-32, Introduction to Public Key Technology and the Federal PKI Infrastructure.

In response, NIST received public comments on SP 800-15 and on SP 800-32.

NIST proposes to withdraw all three publications. Public comments on this proposal may be submitted to cryptopubreviewboard@nist.gov by September 3, 2021.

Rationale for Proposed Decision

SP 800-15Minimum Interoperability Specification for PKI Components (MISPC), Version 1, was published in January 1998 and was developed in cooperation with industry through a Cooperative Research and Development Agreement (CRADA). The document specifies information about the contents of certificates and CRLs and also specifies protocols for transactions between Public-Key Infrastructure (PKI) components. All of the information provided is now out-of-date.

SP 800-25Federal Agency Use of Public Key Technology for Digital Signatures and Authentication, published in October 2000, was written at a time when the adoption of public-key technology within agencies was far more limited than it is today. The document was written before the issuance of Homeland Security Presidential Directive 12 (HSPD-12), which led to the development of the PIV Card, and before OMB issued directives for agencies to buy PKI services rather than operating their own certification authorities. The document is similarly now out-of-date.

SP 800-32Introduction to Public Key Technology and the Federal PKI Infrastructure, published in February 2001, has some overlap with SP 800-25. As with SP 800-25, the information in SP 800-32 is out-of-date. The Federal PKI has changed substantially over the past 20 years, and as previously mentioned, this document predates the issuance of HSPD-12 and OMB directives for agencies to outsource PKI services. The document is similarly now out-of-date.

The initial public comments include various, insightful suggestions for SP 800-15 and SP 800-32. However, rather than developing up-to-date revisions or replacements for the three publications, NIST instead recommends https://idmanagement.gov as an alternative source of information, in particular, https://www.idmanagement.gov/manage/https://fpki.idmanagement.gov/, and https://www.idmanagement.gov/topics/fpki/.

The Review Process

In NISTIR 7977, NIST affirmed its commitment to the periodic review of its cryptographic standards and guidelines. Information about the review process is available at  https://csrc.nist.gov/projects/crypto-publication-review-project.

Share.