GAO warns to look before you leap into PKI
- By Brad Grimes
- Sep 16, 2004
The Government Accountability Office figures that managed public-key infrastructure services might be more trouble than they're worth to agencies in some instances.
Chief technologist Keith Rhodes conveyed GAO's findings in a recent letter to Rep. Tom Davis (R-Va.), chairman of the House Committee on Government Reform. Rhodes noted that several agencies had asked GAO informally for advice on managed PKI services.
GAO's position is that agencies might face a greater burden in using managed services, specifically contract certification authorities, than if they implemented the technology themselves, Rhodes said.
GAO is especially concerned about managed services when it comes to using PKI for financial transactions.
'If the certification authority is compromised, the impacts can be catastrophic to an agency's operations,' Rhodes said.
GAO made several suggestions for implementing PKI, such as exercising strict physical control over the necessary hardware and software so it can't be compromised.
According to GAO, agencies should study managed PKI services to ensure they use proper controls.