NENA standards for NG9-1-1, including i3 (see NENA STA-010), require integration with certain services; namely, the PSAP Credentialing Agency (PCA) Public Key Infrastructure (PKI) and the Forest Guide (see IETF RFC 5582). Operating services like this involves financial commitments and needs to be done with independent oversight in order to be operated ethically and fairly. The NENA board committed to stand up these services subject to independent oversight and so established NIOC in 2020. 

A PKI is a chain of trust established using X.509 certificates that works very much like the public internet. The key difference between a PKI and the general public internet’s trust chain is that there is a shared root for a PKI. Examples of PKI include SHAKEN used to authenticate telephone numbers (learn more at the STI-GA website) or the US Federal Government PKI (learn more at the FPKI website). NIOC will endeavor to comply with the CA/Browser Forum essential requirements for operating a Certificate Authority (CA) and a PKI (learn more at the CA/Browser Forum website).

 A X.509 digital certificate is a unique digital identity normally issued to a URI or a domain name (for example, nearly every public website has an X.509 certificate issued to its domain; ng911ioc.org has a certificate assigned to it for example). In NG9-1-1, X.509 certificates are used not only to assert identity of individual elements within the network (for example, ESInet functional elements all have certificates issued to them to authenticate as NG9-1-1 network elements), but also some other novel uses, such as to manage roles (individuals have certificates issued to them that are used to assert their roles and privileges). More information is available at our resources page, while technical details are available in NENA standards, available at NENA’s website.

There may be a nominal charge for the issuance of an end-entity certificate to each entity. This is per the Certificate Practice Statement (CPS) for each issuing certificate authority throughout the trust chain, and the entity that operates the issuing certificate authority (for example, a state ESInet operator). There may be cases where the ESInet operator passes on costs to operate the certificate authority to its individual endpoints (e.g., 9-1-1 operating positions), or there may be cases where the ESInet operator pays for all costs itself. NIOC notes that NIOC itself is forbidden from making a profit from operating the trust chain and that its finances are open. More information is available at our resources page, and our finances are publicly available here.

There will be many certificate authorities for NG9-1-1. The PCA only signs certificates for issuing certificate authorities; we anticipate there being up to hundreds of certificate authorities for NG9-1-1, typically with one per NG9-1-1 system. However, they all share a common root. Even though every endpoint in NG9-1-1 is required to have a certificate in the i3 standard for NG9-1-1 (more information available at NENA’s website), generally speaking, no endpoints will have a certificate issued directly by the PCA. More information is available at our resources page. 

A Forest Guide (RFC5582) is part of the Location to Service Translation (LoST) protocol (RFC5222) query process and allows client functional elements to discover call routing information outside of its domain (typically their ESInet or state level ECRF/LVF). In plain terminology, the Forest Guide is used when location-based routing fails to find a location locally within an NG9-1-1 system, and the Forest Guide will help NG9-1-1 network find the right network to route to, whether that is another state or another country’s Forest Guide. More information is available at our resources page. 

The Industry Council for Emergency Response Technologies (iCERT) defines conformance testing as:

The testing of a vendor system, subsystem, component, or
element against a promulgated/published standard. This type of testing requires a
known working standard implementation as the “reference implementation,” and
formalized test plans specific to a system, subsystem, component, or element. This
testing is typically done in a lab environment by an independent third party. Vendors can
perform testing without coordinating with other vendors.  

Conformance testing is a long-term study item for NIOC, and we have plans to engage in a conformance testing program of some sort in collaboration with industry and the appropriate associations, including NENA. 

You can access iCERT’s research on this topic at their website. 

No, NIOC plays no material role in FirstNet, the nationwide public safety cellular broadband network operated by the US federal government with a commercial partner. However, mission-critical services that support NG9-1-1 operations do need to interoperate with public safety broadband services. The programs that NIOC oversees, including the NG9-1-1 PKI, support that interoperability.

Future meetings will be open to the public. We are currently working on our open meetings policy. Please check back soon for more information.

In the meantime, please contact admin@ng911ioc.org with any questions or comments, or if you would like to attend one of our meetings or submit something for our agenda.