Veterinary Service takes waiver on DSS, embraces RSA instead

The Animal and Plant Health Inspection Service is the first
agency officially to exempt itself from the government's Digital Signature Standard to use
commercial signature application.

Instead of the mandatory DSS, the Veterinary Service at APHIS will rely on the digital
signature program from RSA Data Security Inc. in Redwood City, Calif., already embedded in
the forms application the service uses.

APHIS spokesman Richard McNaney said the waiver covers electronic forms created using
InForms software from Corel Corp.'s WordPerfect division.

McNaney said APHIS officials issued the waiver because it would have been too costly to
retrofit its electronic forms program with a DSS-compliant application.

"The agency opted for the waiver because of the flexibility and costs,"
McNaney said. "Otherwise we would have had to develop our own software. This is a
much more economical option."

The Commerce Department issued DSS as a Federal Information Processing Standard (FIPS)
in 1994. Agencies, however, can waive a standard if its use will prove too costly or
hamper mission activities. Any agency that waives a FIPS must notify Commerce, the Senate
Government Affairs Committee and House Government Reform and Oversight committees, as well
as publish a notice in the Federal Register.

NIST officials said the APHIS waiver notice is the first official DSS exemption
announcement they have received. But NIST spokeswoman Anne Enright-Shepherd said her
agency does not track waiver decisions.

Ed Roback, a NIST computer specialist, said the standards agency does not enforce DSS
compliance or approve waivers.

"Under the Computer Security Act, the Commerce secretary delegated to agencies the
authority to waive standards that are mandatory and binding. The agencies have full
authority to waive the standard, and they notify us," Roback said. "But they
also assume responsibility for the security of a system if they choose to use something
that is not compliant with the federal standard."

Scientists at NIST's Computer Systems Laboratory designed DSS to serve as a
governmentwide tool for verifying the senders and contents of electronic messages. At the
heart of DSS is a public-key-based Digital Signature Algorithm (DSA).

The White House has been counting on DSS to fuel a slew of government reinvention and
public service initiatives, especially electronic commerce applications.

But some retired federal information security officials have predicted that more
agencies will seek DSS waivers until the government establishes a comprehensive public-key
encryption policy.

"The DSS has limited impact in the commercial marketplace, and there has been
limited use within the government," said Lynn McNulty, president of McNulty &
Associates, a McLean, Va., consulting firm, and a former NIST security policy chief.
"Only a handful of agencies are using it."

Speaking at a Washington security conference sponsored by RSA, McNulty and retired Adm.
William Studeman discussed the government's problems in cultivating mass support for its
encryption standards.

For years federal contractors have balked at the government's plan for mandating DSS
because RSA encryption is very popular and embedded in many software programs. Further,
some vendors have said they will not pursue government contracts if they are forced to
develop separate product lines to handle DSS transactions.

NIST and RSA also were locked in a lengthy patent fight over the Digital Signature
Algorithm and whether the public could use it without paying royalty fees. Although it has
not sued the government, RSA continues to claim patent rights to DSA.

Commerce lawyers issued statements refuting the RSA claim, and DSS remains the standard
for government users. NIST officials have promised to defend any patent infringement
claims in court.

Nevertheless, a number of agencies, including IRS, still are grappling with how to use
the DSS internally while letting their suppliers and the public choose commercial
signature tools.

McNulty said the dearth of DSS users and the absence of a federal public-key
infrastructure has given agencies a convenient waiver argument and opened the door for
widespread use of commercial alternatives.

"My feeling is that people in the civilian agencies are increasingly looking at
the signature capabilities found in mass-market software," McNulty said.
"Agencies also are under pressure to get digital signature applications going."

Studeman, former director of the National Security Agency, said the DSS failure has
undermined NIST's influence in federal security policy.

"NIST should be playing a major cross-cutting role. But it's underfunded,
undermanned and under-respected," Studeman said. "The DSS is underwhelming
because it lacks the infrastructure and has no industry support."

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.