The Inner Circle

NIST Withdraws three Crypto publications - SP 800-15, SP 800-25 and SP 800-32 related to PKI

  • 1.  NIST Withdraws three Crypto publications - SP 800-15, SP 800-25 and SP 800-32 related to PKI

    Posted Sep 14, 2021 12:52:00 AM
    Hi All,

    In May 2021, NIST initiated a review of several publications, including the following NIST Special Publications (SP):

    SP 800 15, MISPC Minimum Interoperability Specification for PKI Components, Version 1,
    SP 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication, and
    SP 800-32, Introduction to Public Key Technology and the Federal PKI Infrastructure.
    In response, NIST received public comments on SP 800-15 and on SP 800-32.

    NIST withdraws all three publications.

    The Rational for the Decision
    SP 800-15, Minimum Interoperability Specification for PKI Components (MISPC), Version 1, was published in January 1998 and was developed in cooperation with industry through a Cooperative Research and Development Agreement (CRADA). The document specifies information about the contents of certificates and CRLs and also specifies protocols for transactions between Public-Key Infrastructure (PKI) components. All of the information provided is now out-of-date.

    SP 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication, published in October 2000, was written at a time when the adoption of public-key technology within agencies was far more limited than it is today. The document was written before the issuance of Homeland Security Presidential Directive 12 (HSPD-12), which led to the development of the PIV Card, and before OMB issued directives for agencies to buy PKI services rather than operating their own certification authorities. The document is similarly now out-of-date.

    SP 800-32, Introduction to Public Key Technology and the Federal PKI Infrastructure, published in February 2001, has some overlap with SP 800-25. As with SP 800-25, the information in SP 800-32 is out-of-date. The Federal PKI has changed substantially over the past 20 years, and as previously mentioned, this document predates the issuance of HSPD-12 and OMB directives for agencies to outsource PKI services. The document is similarly now out-of-date.

    The initial public comments include various, insightful suggestions for SP 800-15 and SP 800-32. However, rather than developing up-to-date revisions or replacements for the three publications, NIST instead recommends https://idmanagement.gov as an alternative source of information.

    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------