Federal bridge opens to two-way traffic
- By William Jackson
- May 15, 2002
'The bridge is standing and ready, but the policy piece is a bit of a hang-up.'
'PKI committee's Judith Spencer
The Federal Bridge Certification Authority has begun qualifying the first five organizations to exchange digital certificates under its auspices.
They are NASA, the Agriculture Department's National Finance Center, a consortium of agencies using the General Services Administration's Access Certificates for Electronic Services program, the state of Illinois and Canada.
'The bridge is standing and ready, but the policy piece is a bit of a hang-up,' said Judith Spencer, chairwoman of the CIO Council's Public-Key Infrastructure Committee.
Each bridge partner's policy for issuing digital certificates must be mapped to the federal bridge policy to ensure acceptance of certificates issued by other parties.
The first group of partners does not know exactly how long it will take to qualify, said Brent Crossland, deputy technology officer for Illinois' digital certificate project. 'We're trying to shoot for the first part of April,' he said.More coming
Spencer said 10 other organizations are preparing to qualify by documenting their certification policies.
Originally intended to help agencies accept each other's digital certificates, the federal bridge is emerging as a PKI keystone beyond federal boundaries.
Some state and local governments, schools and foreign governments are issuing their own digital certificates, and the federal bridge can 'cross the trust gap between federal and nonfederal organizations,' Spencer said. Illinois wants to accept certificates from other states, Crossland said, 'but state-to-state interactions are going to depend on some kind of bridge. So we are mapping our certificates to the federal bridge.'
Digital certificates in software can verify the holders' identities online. Used with a public-private key pair, they can encrypt and digitally sign documents for a variety of secure online transactions.
The federal bridge came into being because agencies could not agree on a single entity to issue all federal certificates. The bridge exchanges pairs of cross-certificates with other authorities that comply with its standards, telling each party in effect, 'It's OK to trust a certificate from this other party.'
The certificates can have four levels of assurance based on the certifying authority's policies: rudimentary, basic, medium and high. Officials of Entrust Inc. of Addison, Texas, one of the federal bridge's certification authorities, said they issue certificates with four types of authentication: online registration over the Web; face-to-face registration; face-to-face with a background check; and a biometric identifier plus a background check.
If a government application does not recognize a digital certificate submitted to it, the certificate can be routed to the federal bridge, which determines whether the issuer is a trusted party and what the level of assurance is. Then the agency app decides whether the assurance level is adequate.
Illinois began its digital signature and PKI project after passage of the state's 1998 Electronic Commerce Security Act. Citizens and state employees can use their certificates for multiple applications. Each agency application can set the level of access it will accept.
'Application development is totally decentralized,' Crossland said. Each state agency develops its own.
'We took the position from the start that deployment is going to be driven by the applications,' Crossland said.
So far, Illinois has issued about 2,000 certificates, evenly divided between citizens and state employees. Sixteen agencies have pioneered applications, including the departments of Revenue, Employment Security, Public Health and Aging, and the state Environmental Protection Agency.
All Illinois certificates are in software stored on a floppy disk or a computer's hard drive. 'If we can get a handle on the problem of making readers available, we'd like to explore having smart cards,' Crossland said.
On the federal side, the National Institutes of Health is using a federal bridge prototype in a grants pilot with three universities. NIH grant forms are paper-intensive, each averaging 125 pages and requiring 25 copies, said Peter Alterman, director of operations for NIH's Office of Extramural Research. 'Whole forests die in Canada' every time NIH processes an application, Alterman said, and the agency receives about 40,000 a year.
The NIH Educause PKI interoperability project lets researchers at Dartmouth University, the University of Alabama at Birmingham and the University of Wisconsin at Madison submit forms online using their own digital certificates.
William Jackson is freelance writer and the author of the CyberEye blog.