PKI gets shot in the arm from HSPD-12
FIPS-201 and mandate give agencies means and motive to develop apps
- By Jason Miller
- Nov 16, 2006
In 1995, when Tim Polk began working full time on developing standards and guidance for using public-key infrastructure applications, he figured it would be a two- or three-year project.
But 11 years later, Polk, the National Institute of Standards and Technology's PKI program manager, still is helping agencies adopt the technology.
'There has never been a killer app for PKI,' Polk said recently at a conference sponsored by Input Inc. of Reston, Va. 'We spent a lot of time looking for it, but there was nothing so compelling that made agencies buy and install PKI to support one app.'
While that killer app still may never come, Polk said Homeland Security Presidential Directive-12 should provide the impetus for every agency to use PKI more widely.
Helps to have standards
'We needed a centralized driver because it was hard to compute return on investment,' Polk said. 'HSPD-12 and [Federal Information Processing Standard] 201 change everything. It is not the killer app we have been looking for ... [but] a lot of pieces of the interoperability puzzle have been solved.'
Polk added that, because PKI is a central piece of FIPS-201, agencies and industry now have standards around which they can develop and implement software.
FIPS-201 standardized the biometrics, and the key sizes and algorithms, that the cards will support.
'It used to be that, when you wanted to cross this divide, you had all these questions out there,' Polk said. 'Now the hardest ones are resolved.'
But Polk isn't unrealistic about how quickly agencies will adopt applications such as e-mail or single-sign-on capability using PKI.
Right now, Polk said, agencies are focused on meeting the letter of the HSPD-12 mandate, which was to have the ability to issue at least one card by Oct. 27, and issue compliant cards over the next two years. Polk instead is focusing on when agencies will be able to meet the spirit of the edict, when authentication becomes routine.
'If you look at the Department of Defense's experience, it shows this takes a long time to get people used to using PKI as a part of business,' he said. 'You definitely need some institutional fortitude.'
DOD has been trying to implement PKI since the mid-1990s, and only this past year did the Defense Information Systems Agency mandate its use, calling for systems to be in place by July 31. About 80 percent of DOD met the mandate, officials have said.
Dan Turissini, chief executive officer of Operational Research Consultants Inc. of Fairfax, Va., one of four PKI shared-services providers for HSPD-12, said the key to widespread use is a combination of having a reason to use it and implementing the hardware to use it on.
'We still have to deploy and make sure everyone gets a reader in their keyboard or laptop, or a USB reader,' he said. 'That is a challenge and expense that is not budgeted for. And then we need the apps. At the end of the day, there aren't a lot of access points that are PKI-enabled.'
Long road ahead
But Turissini agreed with Polk that HSPD-12 is a platform for agencies and gives industry a way to push it forward.
Turissini points to DOD's slow walk to PKI as an example of what many other agencies will face.
For instance, only this October did DOD require a PKI certificate to use its Contractor Performance Assessment Reporting System and its architect-engineer and construction reporting systems. Vendors had until Nov. 1 to obtain a PKI certificate to access these sites.
'The lesson we learned at DOD is that the deployment of individual credentials is important, but it's maybe half or less of the story,' Turissini said. 'Today, to get into a Web app or PKI-protected network or e-mail server, you still need to apply a cert to that app or device and then configure the app to do validation. There is a lot more work that needs to be done, but it is a big step to have individual credentials.'
Turissini said agencies without PKI-enabled applications should look for the programs that have the biggest user base and then reuse the validation scheme. He also suggested that if agencies PKI-enable their network access it will go a long way toward improving security and spreading the use of the technology to applications.
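Turissini's point that each application must be "configured to do validation," and his suggestion to build one validation scheme and reuse it across applications, are illustrated below with an added Go example; it is not code from ORC, DOD or any agency system. A test CA and two employee certificates are generated in memory (the CA names, serial numbers and the "employee-1234" subject are constructed for the example), and a single chain-validation function is what a Web app, network gateway or mail server would each call. Go's Verify does not check revocation, so a real deployment would add a CRL or OCSP check on top of this.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertBundle holds a constructed trust root and two end-entity certificates:
// one issued by that root and one issued by an unrelated CA. Everything is
// generated in memory for the example; none of it is real agency key material.
type CertBundle struct {
	TrustedCA   *x509.Certificate
	GoodLeaf    *x509.Certificate
	ForeignLeaf *x509.Certificate
}

// newCert signs template with parentKey and parses the resulting DER.
func newCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA builds a self-signed root with the key usages a CA needs.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := newCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// newLeaf issues a client-authentication certificate for one person under ca.
func newLeaf(name string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return newCert(tmpl, ca, &key.PublicKey, caKey)
}

// ValidateClientCert is the shared piece every PKI-enabled app calls: build a
// chain from the presented leaf to a trusted root and check validity dates,
// signatures and the client-auth usage. Revocation (CRL/OCSP) is NOT checked
// here and must be added by the caller.
func ValidateClientCert(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// BuildBundle constructs the root, a properly issued leaf, and a leaf from an
// unrelated CA that claims the same subject name.
func BuildBundle() (*CertBundle, error) {
	ca, caKey, err := newCA("Agency Test Root CA")
	if err != nil {
		return nil, err
	}
	foreignCA, foreignKey, err := newCA("Unrelated Root CA")
	if err != nil {
		return nil, err
	}
	good, err := newLeaf("employee-1234", ca, caKey, 100)
	if err != nil {
		return nil, err
	}
	foreign, err := newLeaf("employee-1234", foreignCA, foreignKey, 101)
	if err != nil {
		return nil, err
	}
	return &CertBundle{TrustedCA: ca, GoodLeaf: good, ForeignLeaf: foreign}, nil
}

// TrustStore is the one root set all applications share.
func (b *CertBundle) TrustStore() *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(b.TrustedCA)
	return pool
}

func main() {
	b, err := BuildBundle()
	if err != nil {
		panic(err)
	}
	roots := b.TrustStore()
	fmt.Println("issued by trusted CA:  ", ValidateClientCert(b.GoodLeaf, roots))
	fmt.Println("issued by unrelated CA:", ValidateClientCert(b.ForeignLeaf, roots))
}
```

The second call fails even though the subject name matches, which is the point of configuring validation rather than trusting whatever certificate is presented; the same TrustStore and ValidateClientCert pair is what each additional application would reuse.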