SP800-73-4 to 5 transition strategy


Kim O'Sullivan

Apr 2, 2024, 9:23:06 AM
to piv-test-cards
Hi,

I'm not sure if this is the most appropriate forum for this question, but since it also pertains to test cards, I'll try.

Our OpenFIPS201 applet is going through IUT with FIPS 140-3 and we have had to navigate a number of challenges in the 140-2 to 140-3 transition, as everyone has. We are aiming for submission to the MIP queue on or around the end of June and this has brought up the question of the SP 800-73 transition.

Overall, it would be great to get an update from the NPIVP team as to when the SP800-73-5 is expected to be finalised, and some guidance on how vendors and customers deal with the transition. 

Specifically, there are a few questions that would be very helpful:
  1. When is SP800-73-5 expected to be finalised?
  2. Have any significant (interop breaking) technical changes been introduced since the commenting period closed?
  3. When will there be a corresponding release of a compatible test tool and test card set?
  4. Will there be a transition plan in place similar to the CMVP approach with cut-off dates for 800-73-4 NPIVP evaluations to be accepted?
Our concern is, with a June submission and the current CMVP queue of 11 months, we risk being in a situation where we have a product that cannot pass NPIVP because it did not comply with all changes in the final version of 73-5, and we cannot change without going back to IUT again in FIPS 140.

Any guidance/reassurance on this would be very helpful.

Regards,
Kim

Kim O'Sullivan

Jun 18, 2024, 8:19:40 AM
to piv-test-cards, Kim O'Sullivan
Hi All, 

I was made aware that Hildegard Ferraiolo from the NIST PIV team replied back on April 19th! However, Google antivirus was a little over-cautious about the email and incorrectly marked it as 'dangerous'. This means the reply wasn't posted here, nor did I receive it directly (we use Google Workspace for our email).
For the benefit of everyone else on the group, here is her feedback:
  1. When is SP800-73-5 expected to be finalized?

//HF – We are aiming for NLT end of May to publish it and SP 800-78-5 (Kim comment: Hildy has since updated this to a July estimate)

  2. Have any significant (interop breaking) technical changes been introduced since the commenting period closed?

//HF – The changes in SP 800-73-5 and SP 800-78-5 are all optional new capabilities, so departments and agencies can choose to implement when products are on the market – that is, after they have gone through validation, as appropriate.

  3. When will there be a corresponding release of a compatible test tool and test card set?

//HF – yes, we plan to release one. It'll be after May, but we do not have a firm timeline yet.

  4. Will there be a transition plan in place similar to the CMVP approach with cut-off dates for 800-73-4 NPIVP evaluations to be accepted?

//There will not be a cut-off date. SP 800-73-4 based cards are still valid, that is: 112 bit security keys are still valid. We give the option for 128 bit secure keys for PIV by 2030, but if departments and agencies have plans to directly switch to PQ crypto keys in the future, they can do so, without having to switch to 128 bit traditional crypto key sizes. See draft SP 800-78-5 lines 301-312 – btw, neither lines 301-312 nor table 1 have changed from the draft version to the candidate final SP, which will be published shortly.

Our concern is, with a June submission and the current CMVP queue of 11 months, we risk being in a situation where we have a product that cannot pass NPIVP because it did not comply with all changes in the final version of 73-5, and we cannot change without going back to IUT again in FIPS 140.

//HF - It is my understanding that some changes can be done while in queue – including updating the PIV app to include an additional new algorithm (say RSA 3K)?


Thanks for your responses Hildy!


Cheers,

Kim
