GAO warns to look before you leap into PKI

The Government Accountability Office figures that managed public-key infrastructure services might be more trouble than they're worth to agencies in some instances.

Chief technologist Keith Rhodes conveyed GAO's findings in a recent letter to Rep. Tom Davis (R-Va.), chairman of the House Committee on Government Reform. Rhodes noted that several agencies had asked GAO informally for advice on managed PKI services.

GAO's position is that agencies might face a greater burden in using managed services, specifically contract certification authorities, than if they implemented the technology themselves, Rhodes said.

GAO is especially concerned about managed services when it comes to using PKI for financial transactions.

"If the certification authority is compromised, the impacts can be catastrophic to an agency's operations," Rhodes said.

GAO made several suggestions for implementing PKI, such as exercising strict physical control over the necessary hardware and software so it can't be compromised.

According to GAO, agencies should study managed PKI services to ensure they use proper controls.
