Federal PKI bridge gets private peer
- By William Jackson
- Jul 20, 2006
The Federal Bridge Certification Authority in May recognized an aerospace industry bridge for validating digital certificates, enabling secure communications between government agencies and contractors that issue their own certificates.
The bridge, operated by CertiPath LLC of Herndon, Va., is the first private-industry bridge to link with the FBCA. Cross-certification extends the federal public-key infrastructure and helps enable e-government, said Peter Alterman, chair of the Federal PKI Policy Authority.
'The government has got to get out of the business of issuing credentials to users of its systems and get into the business of trusting credentials issued by others,' he said.
Digital certificates act as electronic IDs, but the party or application accepting the certificate must have a way of validating it. When a foreign certificate is submitted to an application, it's passed along to the federal bridge, which verifies that it was issued by an organization whose policies have been accepted by the bridge. The bridge also can check with the issuing authority to ensure the certificate is still valid.
The relationship between the federal bridge and CertiPath is unique because CertiPath itself is a bridge that cross-certifies certificates issued by aerospace contractors. CertiPath is a joint venture of ARINC Inc. of Annapolis, Md., Exostar LLC of Herndon, Va., and SITA of Geneva, Switzerland. VeriSign Inc. of Mountain View, Calif., issues certificates to the CertiPath bridge for bridge-to-bridge trust.
The organization spent three years trolling for money and defining the technology and policies needed, said president and CTO Jeff Nigriny.
'We had a large number of companies that wanted to be the source of authority for their employees' identities,' he said. But employees on government contracts needed certificates issued by an agency trusted by the federal bridge. 'It would be much better if we could have a single credential.'
It also would be better for the government. 'The federal government is not in a position to cross-certify every company out there,' Nigriny said.
Boeing Co. was the first company to receive bridge-to-bridge certification through CertiPath. The company's 153,000 employees now can use digital certificates from Boeing's PKI to access federal resources.
Other certificate authority bridges are being developed, including one for the pharmaceutical industry and one for the higher education community. Both would like to cooperate with government, but so far neither has cross-certified with the federal bridge.
William Jackson is freelance writer and the author of the CyberEye blog.