National Cybersecurity Center of Excellence (NCCoE) Domain Name System-Based Security (DNS) for Electronic Mail Building Block, 60363-60365 [2015-25304]
Federal Register / Vol. 80, No. 193 / Tuesday, October 6, 2015 / Notices
DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket No. 150917865–5865–01]

National Cybersecurity Center of Excellence (NCCoE) Domain Name System-Based Security (DNS) for Electronic Mail Building Block

AGENCY: National Institute of Standards and Technology, Department of Commerce.

ACTION: Notice.

SUMMARY: The National Institute of Standards and Technology (NIST) invites organizations to provide products and technical expertise to support and demonstrate security platforms for the Domain Name System-Based (DNS) Security for Electronic Mail Building Block. This notice is the initial step for the National Cybersecurity Center of Excellence (NCCoE) in collaborating with technology companies to address cybersecurity challenges identified under the Domain Name System-Based Security for Electronic Mail Building Block. Participation in this building block is open to all interested organizations.

DATES: Interested parties must contact NIST to request a letter of interest template to be completed and submitted to NIST that identifies the organization requesting participation in the Domain Name System-Based Security for Electronic Mail Building Block and the capabilities and components that are being offered to the collaborative effort. Letters of interest will be accepted on a first come, first served basis. Collaborative activities will commence as soon as enough completed and signed letters of interest have been returned to address all the necessary components and capabilities, but no earlier than November 5, 2015. When the building block has been completed, NIST will post a notice on the Domain Name System-Based Security for Electronic Mail Building Block Web site at https://nccoe.nist.gov/DNSSecuredEmail announcing the completion of the building block and informing the public that it will no longer accept letters of interest for this building block.
ADDRESSES: The NCCoE is located at 9600 Gudelsky Drive, Rockville, MD 20850. Letters of interest must be submitted to dns-email-nccoe@nist.gov or via hardcopy to National Institute of Standards and Technology, NCCoE; 9600 Gudelsky Drive; Rockville, MD 20850. Organizations whose letters of interest are accepted in accordance with the process set forth in the SUPPLEMENTARY INFORMATION section of this notice will be asked to sign a Cooperative Research and Development Agreement (CRADA) with NIST. A CRADA template can be found at: https://nccoe.nist.gov/node/138.

FOR FURTHER INFORMATION CONTACT: William C. Barker via email to dns-email-nccoe@nist.gov; by telephone 301–975–3655; or by mail to National Institute of Standards and Technology, NCCoE; 9600 Gudelsky Drive; Rockville, MD 20850. Additional details about the Domain Name System-Based Security for Electronic Mail Building Block are available at https://nccoe.nist.gov/DNSSecuredEmail.
SUPPLEMENTARY INFORMATION:

Background: The NCCoE, part of NIST, is a public-private collaboration for accelerating the widespread adoption of integrated cybersecurity tools and technologies. The NCCoE brings together experts from industry, government, and academia under one roof to develop practical, interoperable cybersecurity approaches that address the real-world needs of complex Information Technology (IT) systems. By accelerating dissemination and use of these integrated tools and technologies for protecting IT assets, the NCCoE will enhance trust in U.S. IT communications, data, and storage systems; reduce risk for companies and individuals using IT systems; and encourage development of innovative, job-creating cybersecurity products and services.

Process: NIST is soliciting responses from all sources of relevant security capabilities (see below) to enter into a Cooperative Research and Development Agreement (CRADA) to provide products and technical expertise to support and demonstrate security platforms for the Domain Name System-Based Security for Electronic Mail Building Block. The full building block description can be viewed at: https://nccoe.nist.gov/DNSSecuredEmail.

Interested parties should contact NIST using the information provided in the FOR FURTHER INFORMATION CONTACT section of this notice. NIST will then provide each interested party with a letter of interest template, which the party must complete, certify that it is accurate, and submit to NIST and which identifies the organization requesting participation in the Domain Name System-Based Security for Electronic Mail Building Block and the capabilities and components that are being offered to the collaborative effort. NIST will contact interested parties if there are questions regarding the responsiveness of the letters of interest to the building block objective or requirements identified below and to obtain additional information. NIST will select participants who have submitted complete letters of interest on a first come, first served basis within each category of product components or capabilities listed below up to the number of participants in each category necessary to carry out the Domain Name System-Based Security for Electronic Mail Building Block. However, there may be continuing opportunity to participate even after initial activity commences. Selected participants will be required to enter into a consortium CRADA with NIST (for reference, see ADDRESSES section above). NIST published a notice in the Federal Register on October 19, 2012 (77 FR 64314) inviting U.S. companies to enter into National Cybersecurity Excellence Partnerships (NCEPs) in furtherance of the NCCoE. For this demonstration project, NCEP partners will not be given priority for participation.
Building Block Objective

Both public and private sector business operations are heavily reliant on electronic mail (email) exchanges. The need to protect business plans and tactics, the integrity of transactions, financial and other proprietary information, and privacy of employees and clients are only four of the factors that motivate organizations to secure their email exchanges. Whether the security service desired is authentication of the source of an email message, assurance that the message has not been altered by an unauthorized party, or confidentiality of message contents, cryptographic functions are usually employed in providing the service. Economies of scale and a need for uniform security implementation drive most enterprises to rely on mail servers to provide security to the members of an enterprise rather than end-to-end security mechanisms operated by individual users. Most current server-based email security mechanisms are vulnerable to, and have been defeated by, attacks on the integrity of the cryptographic implementations on which they depend. The consequences frequently involve unauthorized parties being able to read or modify supposedly secure information, or to use email as a vector for inserting malware into the system that is intended to deny access to critical information or processes or to damage or destroy system components and/or information. Improved email security can help protect organizations and individuals against these consequences and also serve as a marketing discriminator for email service providers as well as improve the trustworthiness of enterprise email exchanges.
Domain Name System Security Extensions (DNSSEC) for the Domain Name System (DNS) are technical mechanisms employed by internet service providers to protect against unauthorized modification to network management information and connections to devices operated by untrustworthy parties. DNS-based Authentication of Named Entities (DANE) is a protocol that securely associates domain names with cryptographic certificates and related security information so that they can’t be fraudulently modified or replaced to breach the security of Internet exchanges. In spite of the dangers of failure to authenticate the identities of network devices, adoption of DNSSEC has been slow. Demonstration of DANE-supported applications such as reliably secure email may support increased user demand for domain name system security. Follow-on projects might include HTTPS, IOT, IPSEC keys in DNS, and DNS service discovery.
The current project will demonstrate a proof of concept security platform composed of off the shelf components that provides trustworthy mail server-to-mail server email exchanges across organizational boundaries. The DANE protocol will be used to authenticate servers and certificates in two roles in the DNS-Based Security for Email Project: (1) By binding the X.509 certificates used for Transport Layer Security (TLS) to DNS names verified by DNSSEC and supporting the use of these certificates in the mail server-to-mail server communication; and (2) by binding the X.509 certificates used for Secure/Multipurpose Internet Mail Extensions (S/MIME) to email addresses encoded as DNS names verified by DNSSEC. These bindings support trust in the use of S/MIME certificates in the end-to-end email communication. The resulting building block will encrypt email traffic between servers, allow individual email users to digitally sign and/or encrypt email messages to other end users, and allow individual email users to obtain other users’ certificates in order to validate signed email or send encrypted email. The project will include an email sending policy consistent with a stated privacy policy that can be parsed by receiving servers so that receiving servers can apply the correct security checks and report back the correctness of the email stream. Documentation of the resulting platform will include statements of the security and privacy policies and standards (e.g., Executive Orders, NIST standards and guidelines, IETF RFCs) supported, technical specifications for hardware and software, implementation requirements, and a mapping of implementation requirements to the applicable policies, standards, and best practices.
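The two DANE roles described above, as an added example that is not NIST's or the NCCoE's code: it builds the TLSA owner name and record a receiving MX publishes in its DNSSEC-signed zone for its TLS certificate (role 1), derives the SMIMEA owner name that encodes an email address as a DNS name (role 2; SMIMEA reuses the TLSA RDATA format), and shows the sending-side check that only trusts a match when the resolver reported the answer as DNSSEC-validated. Record formats follow RFC 6698, RFC 7672 and RFC 8162; the certificate and key bytes are constructed placeholders, not real DER, and DANE-TA chain building is left out.

```python
"""DANE bindings for mail: TLSA for the MX host, SMIMEA for the user.

Added example, not NIST/NCCoE code. Assumptions:
  * TLSA owner names/RDATA follow RFC 6698 and the SMTP profile in RFC 7672;
  * SMIMEA owner names follow RFC 8162 (SHA2-256 of the local part,
    truncated to 28 octets, under the _smimecert label);
  * SAMPLE_CERT / SAMPLE_SPKI are CONSTRUCTED placeholders; a real zone
    hashes the DER-encoded certificate or SubjectPublicKeyInfo.
"""
import hashlib
from dataclasses import dataclass

# RDATA field values (RFC 6698 section 2.1). PKIX-TA(0)/PKIX-EE(1) are not
# used for SMTP transport (RFC 7672), so only DANE usages appear here.
USAGE_DANE_TA, USAGE_DANE_EE = 2, 3
SELECTOR_CERT, SELECTOR_SPKI = 0, 1
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TlsaRecord:
    usage: int
    selector: int
    matching_type: int
    assoc_data: str  # hex string, as in presentation format

    def presentation(self) -> str:
        return f"{self.usage} {self.selector} {self.matching_type} {self.assoc_data}"


def tlsa_owner_name(mx_host: str, port: int = 25, proto: str = "tcp") -> str:
    """Role 1: the name a sending MTA queries for the receiving MX host."""
    return f"_{port}._{proto}.{mx_host.rstrip('.')}."


def smimea_owner_name(email: str) -> str:
    """Role 2: encode an email address as the DNS name holding its S/MIME cert.

    RFC 8162: SHA2-256 over the UTF-8 local part, truncated to 28 octets
    (56 hex chars), then "._smimecert." and the domain. The local part is
    hashed as given; any case folding is the domain's own policy.
    """
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError("expected local-part@domain")
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._smimecert.{domain.rstrip('.')}."


def association_data(selected: bytes, matching_type: int) -> str:
    """Certificate association data for the chosen matching type."""
    if matching_type == MATCH_FULL:
        return selected.hex()
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).hexdigest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).hexdigest()
    raise ValueError(f"unknown matching type {matching_type}")


def make_record(usage: int, selector: int, matching_type: int,
                cert_der: bytes, spki_der: bytes) -> TlsaRecord:
    """Build the record a zone operator publishes (and DNSSEC-signs)."""
    selected = cert_der if selector == SELECTOR_CERT else spki_der
    return TlsaRecord(usage, selector, matching_type,
                      association_data(selected, matching_type))


def record_matches(rec: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Does the certificate presented in the TLS handshake satisfy this record?"""
    selected = cert_der if rec.selector == SELECTOR_CERT else spki_der
    return rec.assoc_data.lower() == association_data(selected, rec.matching_type)


def dane_outcome(records, cert_der: bytes, spki_der: bytes, dnssec_secure: bool) -> str:
    """Sending-MTA decision for role 1 (DANE-EE only in this example).

    Records count only if the validating resolver marked the answer secure;
    an unsigned or bogus answer gives no DANE protection, which is the whole
    point of binding the certificate to a DNSSEC-verified name. DANE-TA(2)
    needs chain building to the published anchor and is treated as unusable.
    """
    if not dnssec_secure:
        return "insecure"            # fall back to opportunistic TLS, no authentication
    usable = [r for r in records if r.usage == USAGE_DANE_EE
              and r.matching_type in (MATCH_FULL, MATCH_SHA256, MATCH_SHA512)]
    if not usable:
        return "no-usable-records"   # RFC 7672: behave as if no TLSA were published
    return "match" if any(record_matches(r, cert_der, spki_der) for r in usable) else "mismatch"


# Constructed sample data (placeholders standing in for DER-encoded objects).
SAMPLE_CERT = b"constructed-der-cert-for-mail.example.com"
SAMPLE_SPKI = b"constructed-spki-of-that-cert"
MX_RECORD = make_record(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256, SAMPLE_CERT, SAMPLE_SPKI)

if __name__ == "__main__":
    print(tlsa_owner_name("mail.example.com"), "IN TLSA", MX_RECORD.presentation())
    smime = make_record(USAGE_DANE_EE, SELECTOR_CERT, MATCH_SHA256,
                        b"constructed-der-smime-cert-for-alice", b"")
    print(smimea_owner_name("alice@example.com"), "IN SMIMEA", smime.presentation())
    print("handshake check:", dane_outcome([MX_RECORD], SAMPLE_CERT, SAMPLE_SPKI, True))
```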
The secure email project will involve composition of a variety of components that will be provided by a number of different vendors. Client systems, DNS/DNSSEC services, mail transfer agents, and certificate providers (CAs) are generally involved. Collaborators are being sought to provide components and expertise for DNS resolvers (stub and recursive) for DNSSEC, authoritative DNS servers for DNSSEC signed zones, mail servers and mail security components, extended validation and domain validation TLS certificates.

This project will result in one or more demonstration prototype DNS-based secure email platforms, a publicly available NIST Cybersecurity Practice Guide that explains how to employ the platform(s) to meet security and privacy requirements, and platform documentation necessary to compose a DNS-based email security platform from off the shelf components.

A detailed description of the Domain Name System-Based Security for Electronic Mail Building Block is available at: https://nccoe.nist.gov/DNSSecuredEmail.
Requirements: Each responding organization’s letter of interest should identify which security platform component(s) or capability(ies) it is offering. Letters of interest should not include company proprietary information, and all components and capabilities must be commercially available. Components are listed in section eight of the Domain Name System-Based Security for Electronic Mail Building Block description (for reference, please see the link in the PROCESS section above) and include, but are not limited to:

• Client systems
• DNS/DNSSEC services
• Mail transfer agents
• DNS resolvers (stub and recursive) for DNSSEC validation
• Authoritative DNS servers for DNSSEC signed zones
• Mail server/mail security systems
• S/MIME certificates
• Extended validation and domain validation TLS certificates
Each responding organization’s letter of interest should identify how their product(s) address one or more of the desired solution characteristics in section five of the Domain Name System-Based Security for Electronic Mail Building Block description (for reference, please see the link in the PROCESS section above).

Additional details about the Domain Name System-Based Security for Electronic Mail Building Block are available at: https://nccoe.nist.gov/DNSSecuredEmail.

NIST cannot guarantee that all of the products proposed by respondents will be used in the demonstration. Each prospective participant will be expected to work collaboratively with NIST staff and other project participants under the terms of the consortium CRADA in the development of the Domain Name System-Based Security for Electronic Mail Building Block. Prospective participants’ contribution to the collaborative effort will include assistance in establishing the necessary interface functionality, connection and set-up capabilities and procedures, demonstration harnesses, environmental and safety conditions for use, integrated platform user instructions, and demonstration plans and scripts necessary to demonstrate the desired capabilities. Each participant will train NIST personnel, as necessary, to operate its product in capability demonstrations. Following successful demonstrations, NIST will publish a description of the security platform and its performance characteristics sufficient to permit other organizations to develop and deploy security platforms that meet the security objectives of the Domain Name System-Based Security for Electronic Mail Building Block. These descriptions will be public information.

Under the terms of the consortium CRADA, participants will commit to providing:
1. Access for all participants’ project teams to component interfaces and the organization’s experts necessary to make functional connections among security platform components
2. Support for development and demonstration of the Domain Name System-Based Security for Electronic Mail Building Block in NCCoE facilities which will be conducted in a manner consistent with Federal requirements (e.g., FIPS 200, FIPS 201, SP 800–53, and SP 800–63)
In addition, NIST will support development of interfaces among participants’ products by providing IT infrastructure, laboratory facilities, office facilities, collaboration facilities, and staff support to component composition, security platform documentation, and demonstration activities.

The dates of the demonstration of the Domain Name System-Based Security for Electronic Mail Building Block capability will be announced on the NCCoE Web site at least two weeks in advance at https://nccoe.nist.gov/. The expected outcome of the demonstration is to improve domain name system-based security for electronic mail within the enterprise. Participating organizations will gain from the knowledge that their products are interoperable with other participants’ offerings.

For additional information on the NCCoE governance, business processes, and NCCoE operational structure, visit the NCCoE Web site https://nccoe.nist.gov/.

Richard Cavanagh,
Acting Associate Director for Laboratory Programs.
[FR Doc. 2015–25304 Filed 10–5–15; 8:45 am]
BILLING CODE 3510–13–P
Agencies
[Federal Register Volume 80, Number 193 (Tuesday, October 6, 2015)]
[Notices]
[Pages 60363-60365]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-25304]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 150917865-5865-01]
National Cybersecurity Center of Excellence (NCCoE) Domain Name
System-Based Security (DNS) for Electronic Mail Building Block
AGENCY: National Institute of Standards and Technology, Department of
Commerce.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: The National Institute of Standards and Technology (NIST)
invites organizations to provide products and technical expertise to
support and demonstrate security platforms for the Domain Name System-
Based (DNS) Security for Electronic Mail Building Block. This notice is
the initial step for the National Cybersecurity Center of Excellence
(NCCoE) in collaborating with technology companies to address
cybersecurity challenges identified under the Domain Name System-Based
Security for Electronic Mail Building Block. Participation in this
building block is open to all interested organizations.
DATES: Interested parties must contact NIST to request a letter of
interest template to be completed and submitted to NIST that identifies
the organization requesting participation in the Domain Name System-
Based Security for Electronic Mail Building Block and the capabilities
and components that are being offered to the collaborative effort.
Letters of interest will be accepted on a first come, first served
basis. Collaborative activities will commence as soon as enough
completed and signed letters of interest have been returned to address
all the necessary components and capabilities, but no earlier than
November 5, 2015. When the building block has been completed, NIST will
post a notice on the Domain Name System-Based Security for Electronic
Mail Building Block Web site at https://nccoe.nist.gov/DNSSecuredEmail
announcing the completion of the building block and informing the
public that it will no longer accept letters of interest for this
building block.
ADDRESSES: The NCCoE is located at 9600 Gudelsky Drive, Rockville, MD
20850. Letters of interest must be submitted to dns-email-nccoe@nist.gov or via hardcopy to National Institute of Standards and
Technology, NCCoE; 9600 Gudelsky Drive; Rockville, MD 20850.
Organizations whose letters of interest are accepted in accordance with
the process set forth in the SUPPLEMENTARY INFORMATION section of this
notice will be asked to sign a Cooperative Research and Development
Agreement (CRADA) with NIST. A CRADA template can be found at: https://nccoe.nist.gov/node/138.
FOR FURTHER INFORMATION CONTACT: William C. Barker via email to dns-email-nccoe@nist.gov; by telephone 301-975-3655; or by mail to National
Institute of Standards and Technology, NCCoE; 9600 Gudelsky Drive;
Rockville, MD 20850. Additional details about the Domain Name System-
Based Security for Electronic Mail Building Block are available at
https://nccoe.nist.gov/DNSSecuredEmail.
SUPPLEMENTARY INFORMATION:
Background: The NCCoE, part of NIST, is a public-private
collaboration for accelerating the widespread adoption of integrated
cybersecurity tools and technologies. The NCCoE brings together experts
from industry, government, and academia under one roof to develop
practical, interoperable cybersecurity approaches that address the
real-world needs of complex Information Technology (IT) systems. By
accelerating dissemination and use of these integrated tools and
technologies for protecting IT assets, the NCCoE will enhance trust in
U.S. IT communications, data, and storage systems; reduce risk for
companies and individuals using IT systems; and encourage development
of innovative, job-creating cybersecurity products and services.
Process: NIST is soliciting responses from all sources of relevant
security capabilities (see below) to enter into a Cooperative Research
and Development Agreement (CRADA) to provide products and technical
expertise to support and demonstrate security platforms for the Domain
Name System-Based Security for Electronic Mail Building Block. The full
building block description can be viewed at: https://nccoe.nist.gov/DNSSecuredEmail.
Interested parties should contact NIST using the information
provided in the FOR FURTHER INFORMATION CONTACT section of this notice.
NIST will then provide each interested party with a letter of interest
template, which the party must complete, certify that it is accurate,
and submit to NIST and which identifies the organization requesting
participation in the Domain Name System-Based Security for Electronic
Mail Building Block and the capabilities and components that are being
offered to the collaborative effort. NIST will contact interested
parties if there are questions regarding the responsiveness of the
letters of interest to the building block objective or requirements
identified below and to obtain additional information. NIST will select
participants who have submitted complete letters of interest on a first
come, first served basis within each category of product components or
capabilities listed below up to the number of participants in each
category necessary to carry out the Domain Name System-Based Security
for Electronic Mail Building Block. However, there may be continuing
opportunity to participate even after initial activity commences.
Selected participants will be required to enter into a consortium CRADA
with NIST (for reference, see ADDRESSES section above). NIST published
a notice in the Federal Register on October 19, 2012 (77 FR 64314)
inviting U.S. companies to enter into National Cybersecurity Excellence
Partnerships (NCEPs) in furtherance of the NCCoE. For this
demonstration project, NCEP partners will not be given priority for
participation.
Building Block Objective
Both public and private sector business operations are heavily
reliant on electronic mail (email) exchanges. The need to protect
business plans and tactics, the integrity of transactions, financial
and other proprietary information, and privacy of employees and clients
are only four of the factors that motivate organizations to secure
their email exchanges. Whether the security service desired is
authentication of the source of an email message, assurance that the
message has not been altered by an unauthorized party, or
confidentiality of message contents, cryptographic functions are
usually employed in providing the service. Economies of scale and a
need for uniform security implementation drive most enterprises to rely
on mail
[[Page 60364]]
servers to provide security to the members of an enterprise rather than
end-to-end security mechanisms operated by individual users. Most
current server-based email security mechanisms are vulnerable to, and
have been defeated by, attacks on the integrity of the cryptographic
implementations on which they depend. The consequences frequently
involve unauthorized parties being able to read or modify supposedly
secure information, or to use email as a vector for inserting malware
into the system that is intended to deny access to critical information
or processes or to damage or destroy system components and/or
information. Improved email security can help protect organizations and
individuals against these consequences and also serve as a marketing
discriminator for email service providers as well as improve the
trustworthiness of enterprise email exchanges.
Domain Name System Security Extensions (DNSSEC) for the Domain Name
System (DNS) are technical mechanisms employed by internet service
providers to protect against unauthorized modification to network
management information and connections to devices operated by
untrustworthy parties. DNS-based Authentication of Named Entities
(DANE) is a protocol that securely associates domain names with
cryptographic certificates and related security information so that
they can't be fraudulently modified or replaced to breach the security
of Internet exchanges. In spite of the dangers of failure to
authenticate the identities of network devices, adoption of DNSSEC has
been slow. Demonstration of DANE-supported applications such as
reliably secure email may support increased user demand for domain name
system security. Follow-on projects might include HTTPS, IOT, IPSEC
keys in DNS, and DNS service discovery.
The current project will demonstrate a proof of concept security
platform composed of off the shelf components that provides trustworthy
mail server-to-mail server email exchanges across organizational
boundaries. The DANE protocol will be used to authenticate servers and
certificates in two roles in the DNS-Based Security for Email Project:
(1) By binding the X.509 certificates used for Transport Layer Security
(TLS) to DNS names verified by DNSSEC and supporting the use of these
certificates in the mail server-to-mail server communication; and (2)
by binding the X.509 certificates used for Secure Secure/Multipurpose
Internet Mail Extensions (S/MIME) to email addresses encoded as DNS
names verified by DNSSEC. These bindings support trust in the use of S/
MIME certificates in the end-to-end email communication. The resulting
building block will encrypt email traffic between servers, allow
individual email users to digitally sign and/or encrypt email messages
to other end users, and allow individual email users to obtain other
users' certificates in order to validate signed email or send encrypted
email. The project will include an email sending policy consistent with
a stated privacy policy that can be parsed by receiving servers so that
receiving servers can apply the correct security checks and report back
the correctness of the email stream. Documentation of the resulting
platform will include statements of the security and privacy policies
and standards (e.g., Executive Orders, NIST standards and guidelines,
IETF RFCs) supported, technical specifications for hardware and
software, implementation requirements, and a mapping of implementation
requirements to the applicable policies, standards, and best practices.
The secure email project will involve composition of a variety of
components that will be provided by a number of different vendors.
Client systems, DNS/DNSSEC services, mail transfer agents, and
certificate providers (CAs) are generally involved. Collaborators are
being sought to provide components and expertise for DNS resolvers
(stub and recursive) for DNSSEC, authoritative DNS servers for DNSSEC
signed zones, mail servers and mail security components, and extended
validation and domain validation TLS certificates.
This project will result in one or more demonstration prototype
DNS-based secure email platforms, a publicly available NIST
Cybersecurity Practice Guide that explains how to employ the
platform(s) to meet security and privacy requirements, and platform
documentation necessary to compose a DNS-based email security platform
from off-the-shelf components.
A detailed description of the Domain Name System-Based Security for
Electronic Mail Building Block is available at: https://nccoe.nist.gov/DNSSecuredEmail.
Requirements: Each responding organization's letter of interest
should identify which security platform component(s) or capability(ies)
it is offering. Letters of interest should not include company
proprietary information, and all components and capabilities must be
commercially available. Components are listed in section eight of the
Domain Name System-Based Security for Electronic Mail Building Block
description (for reference, please see the link in the PROCESS section
above) and include, but are not limited to:
Client systems
DNS/DNSSEC services
Mail transfer agents
DNS resolvers (stub and recursive) for DNSSEC validation
Authoritative DNS servers for DNSSEC signed zones
Mail server/mail security systems
S/MIME certificates
Extended validation and domain validation TLS certificates
Each responding organization's letter of interest should identify
how its product(s) address one or more of the desired solution
characteristics in section five of the Domain Name System-Based
Security for Electronic Mail Building Block description (for reference,
please see the link in the PROCESS section above).
Additional details about the Domain Name System-Based Security for
Electronic Mail Building Block are available at: https://nccoe.nist.gov/DNSSecuredEmail.
NIST cannot guarantee that all of the products proposed by
respondents will be used in the demonstration. Each prospective
participant will be expected to work collaboratively with NIST staff
and other project participants under the terms of the consortium CRADA
in the development of the Domain Name System-Based Security for
Electronic Mail Building Block. Prospective participants' contribution
to the collaborative effort will include assistance in establishing the
necessary interface functionality, connection and set-up capabilities
and procedures, demonstration harnesses, environmental and safety
conditions for use, integrated platform user instructions, and
demonstration plans and scripts necessary to demonstrate the desired
capabilities. Each participant will train NIST personnel, as necessary,
to operate its product in capability demonstrations. Following
successful demonstrations, NIST will publish a description of the
security platform and its performance characteristics sufficient to
permit other organizations to develop and deploy security platforms
that meet the security objectives of the Domain Name System-Based
Security for Electronic Mail Building Block. These descriptions will be
public information.
Under the terms of the consortium CRADA, participants will commit
to providing:
1. Access for all participants' project teams to component interfaces
and
[[Page 60365]]
the organization's experts necessary to make functional connections
among security platform components
2. Support for development and demonstration of the Domain Name System-
Based Security for Electronic Mail Building Block in NCCoE facilities
which will be conducted in a manner consistent with Federal
requirements (e.g., FIPS 200, FIPS 201, SP 800-53, and SP 800-63)
In addition, NIST will support development of interfaces among
participants' products by providing IT infrastructure, laboratory
facilities, office facilities, collaboration facilities, and staff
support to component composition, security platform documentation, and
demonstration activities.
The dates of the demonstration of the Domain Name System-Based
Security for Electronic Mail Building Block capability will be
announced on the NCCoE Web site at least two weeks in advance at https://nccoe.nist.gov/. The expected outcome of the demonstration is to
improve domain name system-based security for electronic mail within
the enterprise. Participating organizations will gain from the
knowledge that their products are interoperable with other
participants' offerings.
For additional information on the NCCoE governance, business
processes, and NCCoE operational structure, visit the NCCoE Web site
https://nccoe.nist.gov/.
Richard Cavanagh,
Acting Associate Director for Laboratory Programs.
[FR Doc. 2015-25304 Filed 10-5-15; 8:45 am]
BILLING CODE 3510-13-P