Key Management: General
5. The tokens to be used.
The description of the key-management component format may reference a key specification for an existing cryptographic device. If the format of the key-management components is not
already specified, then the format and medium should be specified in the Key Management Specification.
10.2.4 Key Management Component Generation
The Key Management Specification should include a description of the requirements for the generation of key-management components by the cryptographic device for which the Key
Management Specification is written. If the cryptographic device does not provide generation capabilities, the key-management components that will be required from external sources
should be identified.
10.2.5 Key Management Component Distribution
When a device supports the automated distribution of keying material, the Key Management Specification should include a description of the distribution methods
used for keying material supported by the device. The distribution plan may describe the circumstances under which the key-management components are encrypted or in plaintext,
their physical form (electronic, paper, etc.), and how they are identified during the distribution process. In the case of a dependence on manual distribution, the dependence and any handling
assumptions regarding keying material should be stated.
10.2.6 Keying Material Storage
The Key Management Specification should address how the cryptographic device or application for which the Key Management Specification is being written stores information,
and how the keying material is identified during its storage life (e.g., using a Distinguished Name). The storage capacity capabilities for information should be included.
10.2.7 Access Control
The Key Management Specification should address how access to the cryptographic device components and functions is to be authorized, controlled, and validated to request, generate,
handle, distribute, store, and/or use keying material. Any use of passwords and personal identification numbers (PINs) should be included. For PKI cryptographic applications, role-
and identity-based privileging, and the use of any tokens should be described.
10.2.8 Accounting