Sharing certificates requires common directories plus attention to detail

GSA's Judith Spencer says interoperability sometimes requires agencies and their vendors to tweak their software.

Four agencies have traveled a long, bumpy road to exchange digital certificates.




The Agriculture Department's National Finance Center, the Defense and Treasury departments, and NASA had to make their certificate directories and certificate revocation lists (CRLs) work with those maintained by the General Services Administration's Federal Bridge Certification Authority, Judith Spencer said. She chairs GSA's Federal Public-Key Infrastructure Steering Committee.




'The directory infrastructure is the biggest workhorse,' said Bernadette Curry, Treasury's PKI program manager. 'When you want to encrypt a message, it's critical that you be able to exchange information properly with someone else's directory.'




The federal bridge follows the international X.500 Directory Service standard, whereas most agencies have implemented the Lightweight Directory Access Protocol (LDAP). LDAP borrows X.500's naming model but is a different protocol, so an LDAP server and an X.500 directory do not automatically talk to each other.




Tim Polk, a program manager at the National Institute of Standards and Technology, said he helped the four agencies work through the technical difficulties.




There are different implementations of X.500, Polk said, and agencies considering joining the bridge should keep an open mind about how they do PKI.




'If you're getting ready to set up a PKI, you might want to do what other agencies are doing,' he said.




Some agencies have had to ask their digital certificate providers to make upgrades for compatibility with the bridge's X.500 directory, he said.




Three of the cross-certifying agencies use certificate software from Entrust Inc. of Dallas. DOD uses iPlanet software from Sun Microsystems Inc.




Gary Moore, Entrust's senior architect for global government, said the company made only minor code modifications.




DOD has issued the most certificates so far, more than 1 million. It also has the largest certificate revocation list. And DOD's LDAP directory at first could not interoperate with the federal bridge's X.500 directory.




Polk said the solution was to set up an X.500 border directory outside DOD's firewall: a separate directory, speaking X.500, that the bridge directory could talk to directly.




Treasury's Curry called such adjustments a small price to pay for joining the bridge. It would cost Treasury about $25,000 to evaluate each other agency's certificate policy without the bridge, she said.




Coding problems




'NASA was a very early adopter of a lot of this,' Polk said. Its directory would show, for example, 'organization=NASA' (in X.500 shorthand, o=NASA) in the names it assigned. That was fine internally, but the bridge used 'organization=government' instead.




'That caused some problems, nothing insurmountable,' he said. It just takes a while to find things in the interconnected directories, he said, 'like you're digging through the phone book and expecting to find a number in the residential white pages, but it's in the business pages instead.'

In addition to incompatible naming conventions, the different directory schemas have caused problems.




If a field in one agency's certificate refers to a Social Security number as 'ssn' and another agency calls it 'ssnumber,' a query written against one schema will not find the attribute in the other directory, and the two will not understand each other.
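The two mismatches just described, the name-space problem (an entry filed under o=NASA when the bridge expects it under the government root) and the schema problem ('ssn' versus 'ssnumber'), as an added example that is not part of this article and is not code from GSA, any agency or any vendor named here. The base DNs, the bridge root 'o=government,c=US', the attribute spellings and the sample entries are all constructed for illustration; the DN parser is deliberately simple and assumes no escaped commas inside values.

```python
# Added example: a toy model of the naming and schema mismatches the article
# describes. All directory names, attribute names and entries are constructed.


def parse_dn(dn):
    """Split a distinguished name such as 'cn=Jane Doe,o=NASA,c=US' into
    (type, value) pairs, leaf first. Attribute types are case-insensitive,
    so they are lower-cased; values are kept as written. Assumes no escaped
    commas inside values (a simplification for this example)."""
    pairs = []
    for component in dn.split(","):
        attr_type, sep, value = component.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {component!r} in {dn!r}")
        pairs.append((attr_type.strip().lower(), value.strip()))
    return pairs


def normalize_dn(dn):
    """Canonical string form of a DN, so two spellings compare equal."""
    return ",".join(f"{t}={v}" for t, v in parse_dn(dn))


class Directory:
    """One agency's directory: its own name space (base DN) and its own schema
    (what it calls each attribute). read() only understands its own names."""

    def __init__(self, base_dn, schema):
        self.base_dn = normalize_dn(base_dn)
        self.schema = schema      # canonical attribute name -> local name
        self.entries = {}

    def add(self, rdn, **attributes):
        dn = f"{normalize_dn(rdn)},{self.base_dn}"
        self.entries[dn] = dict(attributes)
        return dn

    def read(self, dn, attribute):
        """One attribute of one entry, or None when the entry or the attribute
        is unknown here: a directory gives no answer rather than an error."""
        entry = self.entries.get(normalize_dn(dn))
        return None if entry is None else entry.get(attribute)


class Bridge:
    """The bridge's view: every member hangs under one naming root, and every
    member's schema is mapped onto the bridge's canonical attribute names."""

    def __init__(self, root_dn):
        self.root = normalize_dn(root_dn)
        self.members = {}         # agency name -> Directory

    def join(self, agency, directory):
        self.members[agency] = directory

    def bridge_dn(self, agency, agency_dn):
        """Rewrite an agency-form DN into bridge form by swapping the agency's
        base DN for 'ou=<agency>,<bridge root>'."""
        dn = normalize_dn(agency_dn)
        base = self.members[agency].base_dn
        if not dn.endswith("," + base):
            raise ValueError(f"{agency_dn!r} is not under {base!r}")
        return f"{dn[: -len(base) - 1]},ou={agency},{self.root}"

    def read(self, bridge_form_dn, attribute):
        """Find the member that owns this part of the name space, rebase the
        name into that member's form, translate the attribute name, read."""
        dn = normalize_dn(bridge_form_dn)
        for agency, directory in self.members.items():
            suffix = f",ou={agency},{self.root}"
            if dn.endswith(suffix):
                local_dn = dn[: -len(suffix)] + "," + directory.base_dn
                local_attr = directory.schema.get(attribute, attribute)
                return directory.read(local_dn, local_attr)
        return None               # no member owns this name space


# Constructed sample: NASA files people under o=NASA,c=US and calls the number
# 'ssn'; Treasury files them under o=Treasury,c=US and calls it 'ssnumber'.
nasa = Directory("o=NASA, c=US", schema={"ssn": "ssn"})
treasury = Directory("o=Treasury, c=US", schema={"ssn": "ssnumber"})
nasa.add("cn=Jane Doe", ssn="000-00-0001", mail="jane@example.test")
treasury.add("cn=John Roe", ssnumber="000-00-0002")

bridge = Bridge("o=government, c=US")
bridge.join("NASA", nasa)
bridge.join("Treasury", treasury)


def phone_book_problem():
    """Bridge-form name sent straight to NASA's directory: not found, the
    entry is filed under o=NASA, not under ou=NASA,o=government."""
    return nasa.read("cn=Jane Doe,ou=NASA,o=government,c=US", "ssn")


def bridge_lookup():
    """Same name, resolved through the bridge's rebasing: found."""
    return bridge.read("cn=Jane Doe,ou=NASA,o=government,c=US", "ssn")


def schema_problem():
    """Right name, wrong attribute spelling for Treasury's schema: not found."""
    return treasury.read("cn=John Roe,o=Treasury,c=US", "ssn")


def schema_mapped():
    """Bridge translates 'ssn' to Treasury's 'ssnumber' before asking: found."""
    return bridge.read("cn=John Roe,ou=Treasury,o=government,c=US", "ssn")
```

The two fixes the model shows are the ones the article reports in practice: a rebasing step that rewrites names between an agency's name space and the bridge's, and a per-directory schema map that translates attribute names before a query is issued. Neither is needed for a lookup that stays inside one agency, which is why the problems surfaced only when the directories were interconnected.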




'Folks implement the same certificate authority products, but they write certificate profiles that differ,' Spencer said. 'We may have to say to them, "We need you to put this plug-in on your directory or populate your directory in a certain way."'




One agency might designate a field for authorized uses, such as affixing a signature (in X.509 terms, the certificate's key usage extension), Spencer said. Another agency's certificate software might not be able to read that field.




The participating agencies maintain their own directories and set certificate assurance levels, such as rudimentary, medium or high assurance. The higher levels require stricter verification of a subscriber's identity before a certificate is issued. The National Finance Center adheres to the highest level of assurance; DOD and NASA generally use medium assurance.
