GPO gets a grip on its glut

'As hard-copy print runs get shorter and shorter and technology shifts, we are most worried about long-term preservation,' CIO Reynold Schweickhardt says.

Olivier Douliery

Only a fraction of the more than 6,000 bills the 108th Congress produces this summer will be signed by the president, but all of them will receive a digital signature.

The Government Printing Office will start assigning digital signatures to congressional bills, as well as the hundreds of documents agencies produce each month, to address its problem of preserving electronic documents.

By midsummer, the office will authenticate government documents using a public-key infrastructure and digital signatures on records submitted to www.gpoaccess.gov.

With agencies creating hundreds of thousands of electronic documents annually, GPO, the National Archives and Records Administration and the Library of Congress have faced two challenges: assuring the authenticity of documents and guaranteeing that they can be viewed five, 10, even 100 years from now. GPO's digital signature initiative will settle the authentication issue. 'By digitally signing the documents, we are beginning to manage digital information,' GPO CIO Reynold Schweickhardt said. 'As hard-copy print runs get shorter and shorter and technology shifts, we are most worried about long-term preservation.'

The growth of GPO's document library has made preservation and authentication a growing problem. The agency received 487 new documents in February and more than 3,800 between October and last month. On its Web site, GPO lists more than 157,000 files.

Ultimately, the agency plans to apply signatures to all the documents it has stored electronically, but it has no timetable for doing so. From here on out, GPO will attach signatures to all new documents it receives, Schweickhardt said.

While NARA works out a governmentwide approach for e-documents through its Electronic Records Archive project, the printing office will use the digital signature as at least a short-term fix for authentication.

'We want to mark content as it comes in and to take the final product and digitally sign it so others can determine it is authentic,' said Judy Russell, GPO's superintendent of documents and managing director for information dissemination.

'It is essential to use these technologies and others so people can evaluate the authenticity of the information and rely on it,' she said at the recent Federal Library and Information Center Committee Conference in Washington.

Russell said GPO and other agencies are concerned about how to make sure users know information is authentic after it leaves an agency or trusted Web sites. Users must be able to discern whether government information is original or has been changed, she said.

Schweickhardt said GPO often receives calls from librarians and others about how the office assures authenticity.

GPO hired Entrust Inc. of Addison, Texas, to implement the PKI infrastructure, which includes creating databases for a certificate authority, certificate directory and registration authority. All the databases reside on servers inside GPO.

Other agencies are using digital signatures, mostly for e-mail. But this is the first widespread use of the technology for authenticating large volumes of documents, said Margaret Hayhurst, Entrust's account executive for GPO.

Cross-certifying signatures

GPO also is cross-certifying its signatures on the Federal Bridge Public-Key Infrastructure, which lets agencies accept other PKI certificates. Russell said GPO is 'fairly far along' in the process of cross-certifying, but she didn't know when the process would be completed.

Agencies either will digitally sign documents before sending them to GPO or will send hard copies that GPO will digitally sign. When the office receives a digitally signed document, Schweickhardt said, GPO would digitally sign it again after editing or making other minor changes to it.

Authorized GPO employees will apply the digital signatures to the documents from their desktop PCs or through batch processing, Schweickhardt said. His office is still settling on the exact information each signature will include.

'We are standing up our own authority based on the business driver of permanent public access,' Schweickhardt said. 'If we can control the authentication piece, we can provide end-to-end management of these documents.'

A digital signature is a hash, or mathematical equation, that is encrypted onto the document, said Peter Bello, vice president of Cygnacom Solutions Inc. of McLean, Va., Entrust's subcontractor on the project.

'Once the digital signature is placed on the document, the certificate will always be a part of it,' Bello said. 'If the document is altered, a new hash is created and the certificate will not be able to verify the new hash to the certificate directory.'

Citizens can check the authenticity of the document by downloading any free reader that follows the X.509 protocol for digital signatures.

GPO also is working with NARA and other federal agencies on electronic preservation and verification policies and techniques generally.

'We have overlapping missions so we are working on common business processes,' Schweickhardt said. 'The goal is to support agencies in permanent preservation.'

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above