
About This Item

 

Full Description

Document Scope

This document sets forth guidance for life-cycle management of public/private (i.e., asymmetric) keys that are used to secure interactions among systems. The devices included within the scope of this guidance, as well as representative examples, are identified in the following table.

The scope of this guidance is not intended to include:

• Any off-board, ground-based systems, including those with which aircraft systems and operator-controlled PEDs may communicate. Ground-based systems do not have the unique constraints and challenges associated with global, mobile aircraft systems; therefore, they are expected to reference guidance in ATA Spec 42 as applicable to typical IT environments.

• Passenger-owned devices, which are beyond the control of the aircraft operator.

• Operator-controlled PEDs that are treated like passenger-owned devices.

This document is meant to be a companion to Air Transport Association (ATA) Spec 42, which is the work product of the ATA Digital Security Working Group (DSWG). ATA Spec 42 specifies a digital identity management framework and standard digital certificate profiles recommended for use across the air transport industry, as well as standard policies governing the issuance and use of these certificates and the levels of assurance that may be conveyed in a digital identity. This document specifically addresses ATA Spec 42 in the context of actual aircraft deployment by providing operational guidance to aircraft manufacturers, equipment suppliers, and operators on topics including:

The guidance in this document is focused on the medium identity assurance level described in ATA Spec 42. Chapters 5-4-1 and 5-12-2, Section 1 of ATA Spec 42 define the concept of “trust” provided by various levels of identity assurance, based on factors such as the quality of the identity-proofing process and various technological, personnel, and procedural controls, as outlined in a Certificate Policy. The medium assurance level provides moderate trust in the binding of the public key certificate to the subject, and controls on the private key may be moderate or strong depending on whether software or hardware implementations (respectively) are employed. As suggested in Chapter 5-8 of ATA Spec 42, the medium assurance level is expected to apply broadly to air transportation applications; however, selection of the appropriate assurance level must be based on a risk assessment (Chapter 5-14 of ATA Spec 42), system requirements, and operational constraints. For cases where low credential assurance is determined to be acceptable, the guidance in this document may be tailored to accommodate the lower level.

Purpose and Objectives

Newer generations of aircraft in production and use today are equipped with security applications that rely on digital certificates. It is expected that future aircraft will use certificates for increasing numbers of applications. The purpose of this document is to provide operational guidance for key life-cycle management, which refers to the phases through which digital certificates and associated cryptographic keys progress, from creation through usage to retirement.

The guidance is based on open international standards that are adapted to the aviation environment, recognizing that a typical commercial airplane has a long lifespan, its operational environment is highly complex and regulated, and multiple stakeholders operate ground-based systems that communicate with airplanes. Using a standardized and consistent key management approach, as proposed in this document, helps to reduce cost of design, implementation, and operation even across a heterogeneous fleet.

The document is intended to benefit the following users:

Airlines and other Aircraft Operators – Digital certificates are expected to be used in the deployment of airline applications used on aircraft. A key objective of this document is to assist operators in their efforts to implement procedures that support the use and maintenance of digital certificates. This is necessary to accommodate the directions that the airframe manufacturers are taking in new aircraft and to comply with any future regulatory requirements that address certificate-based message authentication of air-to-ground communications. Standardized guidance helps operators to develop uniform procedures for installation, use, and life-cycle maintenance of digital certificates in aircraft systems.

Airframe Manufacturers and Avionics Equipment Suppliers – The guidance in this document is intended to help airframe manufacturers and avionics equipment suppliers consider the impact of digital certificate implementation decisions on airlines and aircraft operators. The application of consistent practices across multiple aircraft systems that employ digital certificates helps to minimize recurring design effort and drives more uniform key management processes, even across a heterogeneous fleet. As a result, this is expected to reduce costs for operators.

ARINC Standards Developers – By referencing this digital certificate guidance, developers of other ARINC Standards (e.g., external-entity-to-aircraft communications requiring certificate-based security or message-sender authentication) can maximize consistency across specifications.

When reading this document, the reader is cautioned that:

• It may be necessary for airlines and aircraft operators to adapt the roles and activities described in this guidance in accordance with the Certificate Policy selected to govern the digital certificate life cycle.

• It may be necessary for airframe manufacturers and avionics equipment suppliers to tailor the guidance to accommodate avionics system technical and operational constraints (e.g., limited processing/memory resources, limited connectivity).

• In the case where the supplier or equipment manufacturer maintains management and/or oversight of a system installed on the aircraft, it may be necessary to substitute “supplier” for “airline.”

 

Document History

  1. ARINC 842-3: GUIDANCE FOR USAGE OF DIGITAL CERTIFICATES (Most Recent)
  2. ARINC 842-2: GUIDANCE FOR USAGE OF DIGITAL CERTIFICATES (Historical Version)
  3. ARINC 842-1: GUIDANCE FOR USAGE OF DIGITAL CERTIFICATES (Historical Version)
  4. ARINC 842: GUIDANCE FOR USAGE OF DIGITAL CERTIFICATES (Historical Version)