States poised to adopt digital IDs
- By William Jackson
- Apr 11, 2008
The federal government has no interest in issuing digital certificates to the public, but its mandates for issuing interoperable electronic identifications to employees and contractors soon could spur the adoption of certificates and public-key infrastructures throughout the country, one industry observer predicts.
Some states have begun issuing IDs compatible with federal Personal Identity Verification (PIV) cards to emergency responders, and one state has cross-certified with the federal PKI bridge for authenticating digital certificates.
Peter Bello, senior vice president of federal sales at Entrust, predicted that states soon will begin including digital certificates in IDs that would be interoperable with state and federal systems and also could be used to access commercial services.
'Having citizens access government applications is the next big thing,' and the states are the logical entities to enable the process, Bello said at last week's RSA Security conference in San Francisco. The government has decided it will not be in the business of issuing digital certificates to people, and 'the states have always been the issuers of identity credentials.'
Bello predicted that the certificates could begin appearing in driver's licenses in the next one to two years as states begin retooling their licenses to comply with the federal Real ID mandate. 'Maybe I'm being too optimistic, but I think it's just a matter of time,' he said.
He has reason to be optimistic: Entrust already is one of the leading providers of digital certificates to government, and expanded use of the certificates for access to online resources could open a large new market.
A digital certificate is an electronic ID, a bit of code stored on a smart card or other token or kept on a computer. It contains a digital signature from the issuing authority that can be used to verify the certificate's authenticity. It also can include a private cryptographic key for encrypting and digitally signing documents.
Government uses the certificates in the Defense Department's Common Access Card and its civilian counterpart, the PIV card. The job of issuing, verifying and managing the certificates often is done by a third party.
Several agencies, including the Treasury Department and the Government Printing Office, provide certificate authority services to other agencies as shared-services providers. Entrust is a commercial shared-services provider, giving it the advantage of also being able to sell to the nonfederal market, such as states.
William Jackson is freelance writer and the author of the CyberEye blog.