Goals of the Sphinx project were as follows:

• Phase 3 -- November 1999/November 2000
• Phase 2 -- September 1998/March 1999
• Phase 1 -- April 1998/September 1998

Phase 3 -- November 1999/November 2000

In phase 3 of the pilot project, a catalogue of uniform functional security requirements for the products was drawn up from a user perspective. A generic security policy was also created for the participating organisations. The organisational processes within the participating organisations were updated and adjusted. One specification was created for the directory service and one for the use of names after the go-live date. Test operations for the technical components were restructured with the aim of outsourcing these to IT Security Association Germany (TeleTrusT). The technical basis for the migration to MailTrusT Version 2 and ensuring conformity to signature legislation was created. The certification services were adjusted and updated. A procurement recommendation was created for the participating organisations, and support for end users and the acquisition of new subscribers were both pursued.
Phase 3 final report (PDF)

Phase 2 -- September 1998/March 1999

Phase 2 of the pilot project created the basic environment for a pilot project testing directory service usage. Specifications were drawn up for the technical foundation required for setting up and operating a directory service, and for access to the directory. This base setup can then be used for the further development of the end-user products and products for certificate authorities. The Federal Office for Information Security (BSI) set up a corresponding directory services server and made this server available. Specifications were drawn up for the technical foundation required for rolling out a revocation management system.

The interoperable functional scope that Sphinx products are required to support was extended. However, the shared functional scope defined by version 1 of the MailTrusT specification needs to be extended in order to satisfy the security requirements clarified to date. In particular, these extended capabilities involve processing X.509v3 (international standard for public key certificates version 3) certificates in order to facilitate the distinction of keys by function (such as signature keys, encryption keys), functions involved in key management for encryption keys, and the interface to PSE (Personal Security Environment) and to smartcards. Version 2 of the MailTrusT specification, which was published in March 1999, resolves these deficits.
Phase 2 final report (PDF)

Phase 1 -- April 1998/September 1998

Phase 1 of the pilot project involved drawing up an overall plan for the implementation of end-to-end security based on version 1.1 of the MailTrusT specification; this plan was then implemented and trialled. The overall plan incorporated the underlying standard, as well as the necessary infrastructural measures and organisational rules needed to introduce security systems. This plan was then used to set up a security infrastructure (certificate hierarchy) for the participating public authorities and businesses, which enables participants to apply for key materials and receive these securely.

In phase 1, the project essentially concentrated on the deployment and trialling of the technical components for the establishment of the certificate hierarchy and for the exchange of secure documents. The user experience from subscribers was documented in a user survey. Infrastructural and organisational arrangements were specified to the extent necessary for ensuring that processes would run smoothly.

Accordingly, the pilot project was extended to include a phase 2 for two key reasons. First, feedback from the subscribers needed to be documented. Second, a comprehensive organisational manual was to be set up, which would provide more detail on the Public Key Infrastructure components and their interplay from an organisational perspective.
Phase 1 final report (PDF)