State Dept. wants to leverage PKI
- By William Jackson
- May 20, 2004
Federal credential expert Judith Spencer says agencies, vendors, states and other nations want to cross-certify their digital certificates.
The State Department, one of the four entities cross-certified this year by the Federal Bridge Certification Authority, has big plans for its public-key infrastructure.
'The bridge is going to be invaluable to us,' deputy CIO David Ames said at an event this month recognizing the department's certification.
State already was operating an internal PKI with digital certificates and encryption keys to securely sign e-mail, documents and authenticated code, as well as to share information with the Homeland Security Department. But the cross-certification opens up new opportunities for secure transactions with other agencies, business partners and citizens.
'As soon as we implement PKI for logical access and single sign-on, there are a hundred other applications that will pop up,' said Alan Herto, acting chief of State's Systems Integrity Division.
Since the mid-1990s, federal bridge proponents have been trying to evolve ways to identify users and devices that access the government online. Now their focus has shifted from government-issued digital IDs to a federated trust system. Under the new approach, each agency can decide whose third-party digital certificates to accept.
The federal bridge, as a governmentwide broker, assembles a list of certificate issuers it will trust. Agencies that in turn trust the bridge can accept certificates from those issuers.
A government application that receives digital certificate submissions can pass them on to the federal bridge for verification of issuers whose policies the bridge has vetted. The bridge also can check with the issuing authorities to ensure that certificates are still valid.
The first organizations to be cross-certified by the bridge in 2002 were the departments of Commerce, Defense, Justice and Treasury; the Office of Management and Budget; and the General Services Administration. NASA and the Agriculture Department's National Finance Center later joined, followed last month by the Energy Department.
Illinois in January became the first cross-certified nonfederal entity. It is working with the Environmental Protection Agency on a program that would let Illinois companies file wastewater disposal reports online with digital certificates issued by either EPA or Illinois.
The Digital Signature Trust subsidiary of Identrus LLC of New York became the first cross-certified vendor in GSA's Access Certificates for Electronic Services program. Digital Signature's certificates, already used by a number of agencies, can be accepted across agency lines through the bridge.
GSA's Judith Spencer, chairwoman of the Federal ID Credentialing Committee, said the two other ACES vendors, Operational Research Consultants Inc. of Chesapeake, Va., and AT&T Government Services working with VeriSign Inc. of Mountain View, Calif., also are seeking cross-certification. So are the departments of Homeland Security and Labor, the Patent and Trademark Office, and the state of Arkansas.
'Canada is on the brink,' Spencer said, and talks have begun with the United Kingdom and Australia.
Herto said State's domestic installation of PKI hardware and software is more than 90 percent complete at 14,500 desktop computers. State has issued more than 16,000 smart ID cards with PKI certificates.
Overseas deployment will involve 275 to 286 offices in about 168 countries, 'depending on who has thrown us out of their country lately,' Herto said.
Initial overseas PKI implementations at 35 posts in Tel Aviv and Jerusalem, Israel, and Nassau, Bahamas, are set for completion by September. Full overseas deployment will take until the end of 2005.
Although DHS is not yet part of the bridge, State already is using PKI to share visa control numbers over the Web with 88 of DHS' Citizenship and Immigration Services Bureau offices. Herto said the secure exchange via PKI saved more than $700,000 last year.
Meanwhile, State's Consular Affairs Bureau is developing an adoption tracking service for domestic as well as overseas adoptions. The bureau would issue digital certificates to approved nongovernmental adoption agencies for access to the records.
State Department officials could digitally sign the adoption papers and children's records so that adoptive parents 'have some assurance the documents they see are valid and real,' Herto said.
Consular Affairs also will pilot a program to digitally sign machine-readable travel documents. The pilot, expected to begin this year, initially will cover only official and diplomatic passports but could expand to tourist passports next year.
Herto said the department also wants to incorporate biometrics into its PKI for logical access to IT systems.
'Our goal is to get rid of passwords on the OpenNet' intranet, which has 45,000 users, he said. Eventually biometrics would support single sign-ons to applications.
Rollout of the logical-access system, which will require Microsoft Windows XP and Active Directory, and biometric smart-card readers, will begin this summer domestically, and overseas by fall.
Herto, however, said one big concern about incorporating PKI across the department is performance'particularly overseas where connections run the gamut from fiber-optic to dial-up.
'We're up to about 256 Kbps in most places,' he said, but that can easily drop to 64 Kbps or even 9.6 Kbps with dial-up. A PKI log-in at the slower speeds can take up to 30 seconds, and other operations can take several minutes.
Herto called on industry to develop PKI products that perform better in conditions under which the department must operate around the world.