Sign Language

Sign Language

Scott Bream, Washington's PKI program manager, says he's closely monitoring federal PKI initiatives and policies. With him at the state capitol is Agnes Kirk, who provides technical support for the wage reporting project.

Washington state tests online wage reporting

Washington is about to become the first state in which employers can digitally sign their online wage reports to the Social Security Administration. Washington also is the first state to have its digital certificates accepted by federal agencies.

SSA will begin accepting the state's certificates in April as part of a pilot to bring states and federal agencies under a uniform public-key infrastructure. SSA began testing digital certificates two years ago and one year ago started accepting Access Certificates for Electronic Services, the centerpiece of the General Services Administration's PKI program, issued to other federal agencies.

Although the state has used digital certificates for several years, federal agencies weren't ready to accept them. Last year a half-million Washington employers filed their business taxes and conducted other state transactions online using digital certificates.

Washington's PKI program manager, Scott Bream, said he expects no technical glitches with SSA's system. The reason is that Washington certificates come from one of the federal certification authorities, Digital Signature Trust Co. of Salt Lake City, under GSA's ACES contract.

'We've been tracking the federal government for a long time, and we modeled our policy after what was going on at the federal level,' Bream said.

Chuck Liptz, SSA's management analyst for the pilot, said the agency hopes eventually to accept certificates from all 50 states once interoperability problems are resolved.

Give it a whirl

'When the opportunity came to test out interoperability with the state of Washington, we thought, let's try this,' he said.

Bream had been working with a state interoperability subcommittee and with the federal PKI steering committee. 'The federal government has been pretty good about letting us know what they were doing,' he said.

Besides the certificates, Washington employers will use Digital Signature Trust's browser-based digital signature application, SimpleSign.

SimpleSign delivers a nonpersistent applet through a browser and prompts the user of a file to upload and sign it.

'You select which file you want to digitally sign, and it signs it with a private key and certificate from your browser. It uploads the file to SSA, they verify the signature and validate the certificate,' Bream said.

SSA then issues a confirmation to the employer that can be saved or printed.

About 450 Washington employers uploaded their online wage reports last year, but the files were not digitally signed, said Keren Cummins, vice president for government services at Digital Signature Trust. The businesses used personal identification numbers and pass codes instead.

SSA certified the certificates and wage reports in a mutually authenticated Secure Sockets Layer session.

'Last year was a test that digital certificates would work with SSA. This year it's true signing,' Cummins said.

A browser service called Transact Washington lets employers digitally sign documents to state agencies. Bream said the state's certificates are even more secure than the ones used by federal agencies under ACES.

'We have three levels of assurance, ACES has one level of assurance,' Bream said. The lowest level, standard assurance, is a verification feature in the browser. A second level can be information on a token or smart card, and the highest level requires obtaining a certificate in person with verification by a token or a biometric identifier.

SSA will validate the Washington filings through a certificate arbitrator module. The CAM applies the Online Certificate Status Protocol to match each certificate against its issuer and validate it in a repository of certificates accepted by SSA.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above