Federal Bid

Last Updated on 30 Jun 2012 at 8 AM
Sources Sought
Washington, District of Columbia

XML Content Authentication

Solicitation ID GPO-2012-XML
Posted Date 02 May 2012 at 7 PM
Archive Date 30 Jun 2012 at 5 AM
NAICS Category
Product Service Code
Set Aside No Set-Aside Used
Contracting Office Acquisition Services
Agency United States Government Publishing Office
Location Washington, District of Columbia, United States 20401

Description:
This Sources Sought notice is issued for market research, budgetary and planning purposes only, and is not a commitment of any kind for GPO to procure anything.

The U.S. Government Printing Office (GPO) is interested in obtaining information from vendors and industry concerning technology products and systems that could be useful to GPO in meeting certain XML document and/or data authentication capabilities.

In particular, technology for authentication of XML data (in native XML format) is of interest. Also of interest is technology that can provide efficient and effective re-authentication over time, given that the GPO has permanent public access responsibilities and content integrity is a critical component of our mission.


Background

The GPO is the Federal government's primary centralized resource for gathering, cataloging, producing, providing, and preserving published U.S. Government information in all its forms. Since its inception, under the authority of Title 44 of the U.S. Code, GPO has offered Congress, the courts, and government agencies a set of centralized services that enables them to easily and cost effectively produce printed documents. GPO has offered these publications for sale to the public and made them widely available at no cost to the public through the Federal Depository Library Program (FDLP). The FDLP has also served the purpose of providing permanent public access to government publications.

GPO has implemented digital signature based authentication on certain PDF files that it disseminates on its FDsys web site, and disseminates native XML content on the FDsys site also.

Authentication in native XML format is of interest in this Sources Sought notice. This is not intended to replace the existing digitally signed PDF files GPO disseminates, but to potentially include an authentication option for the native XML content GPO also disseminates via the FDsys web site. For the end users of GPO XML content, XML authentication could apply both to automated content processing as well as individual end user access. In the case of individual end user access, a no cost client approach for XML authentication is of interest.

GPO is interested in technical systems in two broad categories of XML content authentication:

1) Hash algorithm based checking using NIST approved hash algorithms (SHA-256, etc.); and
2) Cryptographic digital signature authentication and validation using open, internationally recognized and accepted standards compliant technology, such as W3C standards (and the detached signature method in W3C standards).

GPO recognizes that as more Government information becomes available electronically, data integrity and non-repudiation of information become more important to user communities. The primary objective of GPO's authentication initiative is to assure users that the information made available by GPO is official and authentic, using techniques that are efficient and effective and that do not inhibit data re-use. GPO's authentication initiatives are designed to provide users with electronic tools to efficiently and effectively determine that files they download from GPO are authentic.

Opportunity
GPO is seeking to better understand the available technology solutions and capabilities that industry can offer and that GPO might consider using in the near future. The specific capabilities GPO is interested in are described in the "XML Content Authentication Capability Requirements" section below. GPO does not wish to overly constrain the options or solutions that industry might offer for XML authentication along the lines of the two broad categories defined in the Background section above; respondents to the Sources Sought notice are free, and encouraged, to provide innovative solutions to the native XML content authentication capabilities generally outlined in the "XML Content Authentication Capability Requirements" section below.

Making your Capabilities Known - Requested Information:
Vendors should furnish the following information (Word or PDF file) to GPO:

1. Response to XML Content Authentication Capabilities Requirements (see below)
2. White Papers
3. Comments or Questions

XML Content Authentication Capability Requirements:

1. For Hash based authentication of native XML content, capabilities of interest are:
1.1. Ability to validate using the SHA-256 algorithm by comparing the SHA-256 hash value of the XML data on hand against the SHA-256 hash value for that XML data obtained from the GPO FDsys web site.
1.1.1. This could be accomplished via a table lookup, if the SHA-256 values for XML content published by GPO were placed into a lookup table for processing.

2. For cryptographic digital signature based authentication, capabilities of interest are:
2.1. Capability to perform XML digital signatures in accordance with World Wide Web Consortium (W3C) open, international standards. [XML-Digital Signature reference: Eastlake, Donald, et al. (2008). XML Signature Syntax and Processing, 2nd Edition, W3C Recommendation, June 2008. See http://www.w3.org/TR/xmldsig-core/.]
2.1.1. Capability to perform XML detached digital signature using W3C standards.
2.1.2. Capability to use the Canonical XML 1.1 method [XML-Canonical Reference: Boyer, John and Glenn Marcy (2008). Canonical XML Version 1.1, W3C Recommendation, May 2008. See http://www.w3.org/TR/2008/REC-xml-c14n11-20080502.] when generating and validating an XML digital signature.
2.2. Capability to generate and validate XML digital signatures using other open, internationally accepted and recognized, non-proprietary standards (document what that standard(s) is (are) and standards body that has issued it).
2.3. Optional capability, if available, to generate XML digital signature (detached signature method) using a Hardware Security Module (HSM).
3. Capability to provide an Application Programming Interface (API) or package set of software that GPO and organizations could use or license to generate and validate XML digital signatures in accordance with #2 above.
4. Capability to use PKI certificates for XML signature validation (for that type of authentication), that is compliant with W3C standards.
5. Capability to provide free client software that would be available for end user validation of the XML digital signature in accordance with W3C international, open standards, for the following end user platforms:

• Operating Systems:
  • Windows XP
  • Windows 7
  • Windows 8
  • Mac OS 9 - forward compatible
  • Mac OS X - forward compatible
  • Ubuntu Linux
  • Linux Red Hat
  • SuSe Linux

6. Server side XML digital signature generation and signature validation capability for the following server platforms:

• Operating Systems:
  • Windows Server 2008
  • Windows Server 2012
  • Linux Red Hat

7. Ensure integrity and security of XML content.

7.1. For cryptographic digital signature methods, capability to sign native XML using 2048-bit or larger RSA public/private key generation and x.509 v.3 certificate compatibility. Specifications include:

7.1.1. RSA key pair for digital signature in accordance with Public-Key Cryptography Standard (PKCS) #1.

7.1.2. Certificate format in accordance with International Telecommunication Union (ITU) X.509 version 3 standard.

8. GPO is interested in packaged, commercial off the shelf (COTS) software solutions that might exist to meet the above capability requirements. GPO is also interested in the capability of software vendors that have experience in building similar systems to the capability requirements described above. GPO is interested in what capabilities above COTS software can meet and which ones would require customized software (building on the capabilities of the vendor COTS software).
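
The hash lookup check of requirement 1.1, combined with the canonicalization that requirement 2.1.2 calls for, shown as an added example that is not part of the notice or of any GPO software. It shows that a lookup table of raw-byte SHA-256 values rejects a harmless re-serialization of the same XML, while a table of canonical-form hashes accepts it and still rejects altered content. Hashing the canonical form for the lookup table, the document id "hr1" and the sample documents are assumptions of this example, and Python's standard library implements Canonical XML 2.0 rather than the 1.1 method the notice names.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed sample documents (not real GPO content).
PUBLISHED = b'<bill id="hr1" congress="112"><title>Sample Act</title></bill>'
# Same content after a re-serialization: attribute order and quoting changed.
RESERIALIZED = b"<bill congress='112' id='hr1'><title>Sample Act</title></bill>"
# Content actually altered.
TAMPERED = b'<bill id="hr1" congress="112"><title>Simple Act</title></bill>'


def raw_sha256(data: bytes) -> str:
    """SHA-256 over the exact bytes on hand."""
    return hashlib.sha256(data).hexdigest()


def canonical_sha256(data: bytes) -> str:
    """SHA-256 over the canonical form (the stdlib implements C14N 2.0)."""
    canon = canonicalize(xml_data=data.decode("utf-8"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def build_table(published: dict, digest) -> dict:
    """Publisher side: document id -> hex digest lookup table."""
    return {doc_id: digest(data) for doc_id, data in published.items()}


def verify(doc_id: str, data: bytes, table: dict, digest) -> bool:
    """Consumer side: unknown ids and mismatched digests both fail."""
    expected = table.get(doc_id)
    return expected is not None and expected == digest(data)


# "hr1" is a hypothetical document id used as the lookup key.
RAW_TABLE = build_table({"hr1": PUBLISHED}, raw_sha256)
CANON_TABLE = build_table({"hr1": PUBLISHED}, canonical_sha256)

if __name__ == "__main__":
    for name, doc in [("published", PUBLISHED), ("reserialized", RESERIALIZED),
                      ("tampered", TAMPERED)]:
        print(name,
              "raw:", verify("hr1", doc, RAW_TABLE, raw_sha256),
              "canonical:", verify("hr1", doc, CANON_TABLE, canonical_sha256))
```

The publisher and every consumer must use the same canonicalization method, because canonical forms produced by different methods are not guaranteed to hash to the same value.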

Response to Capability Requirements:

The submitted response must be 30 pages or less and contain no marketing material. Please also list company points of contact and GSA Schedule number (if applicable).

White Paper: Similar Solutions or Systems:
Vendors may also submit a separate document that summarizes the vendor's work on similar systems. The document must be 20 pages or less; however, up to five (5) white papers may be submitted provided that each represents a discrete operational system that has been successfully deployed.

Questions and/or Comments:

The Response to the Capability Requirements, any White Papers and any Questions/Comments in response to this Sources Sought notice must be submitted via email to [email protected]. For consideration, please use the subject heading "XML Content Authentication Market Research: YOUR COMPANY NAME" on the email. Faxed copies are not acceptable.

Background Material
All background material will be made available via the GPO FDsys website, as it becomes available, at http://www.gpo.gov/authentication.
