Administration to relax digital signature policy

Officials at the National Institute of Standards and Technology are gathering public
comments aboutadding commercial public-key algorithms to DSS, which now prescribes the
Digital Signature Algorithm (DSA). The Commerce Department in 1994 issued DSS as a
mandatory Federal Information Processing Standard for verifying the senders and contents
of electronic messages.

"It's clear that DSA is not as widely available in commercial products as is
necessary for all federal government activities requiring signature technology," said
Edward Roback, a NIST computer specialist.

But expanding DSS to include a suite of commercial algorithms would render DSA optional
because agencies could use digital signature algorithms embedded in popular software

"Clearly, integrating DSA into commercial products already employing another
signature technology solely for government use is cost-prohibitive and raises
interoperability issues as well," Roback said. "Agencies want to use
commercially available products, and I think that, consistent with sound security
measures, that should be accommodated."

The government's move to accept commercial signature algorithms gained momentum this
spring when the Environmental Protection Agency became the second agency to issue a waiver
exempting itself from DSS to use a digital signature algorithm from RSA Data Security Inc.
of Redwood City, Calif.

The Animal Plant and Health Inspection Service issued a similar waiver last year. APHIS
and EPA officials said the waivers were necessary because retrofitting their agencies'
administrative applications to comply with DSS would be too expensive.

Roback acknowledged that the costs and inconvenience of having agencies use DSS
internally while letting their suppliers and the public choose commercial signature tools
were prime factors in the decision to revise the standard.

Public comments about adding public-key signature algorithms are due to NIST by Aug.
11. Roback said a formal DSS revision proposal might be ready by the end of the year. NIST
is reluctant to set a deadline because the comments might raise new issues such as
intellectual property concerns, Roback said.

Once changes are made, Commerce officials are counting on the extra algorithms to
provide agencies and vendors with the message integrity and authentication guarantees
needed to spur more electronic commerce and electronic service initiatives. Roback said
NIST also will develop conformance tests for the additional algorithms.

James Bidzos, RSA president who for years led the fight against a mandatory DSS, said
the changes will benefit taxpayers by letting agencies finish reinventing business
operations. Many companies have used signature technology to make greater use of the World
Wide Web to disseminate information, and the government can do the same, he said.

"This gives agencies an opportunity to set up corporate style intranets where they
can distribute information to their employees," Bidzos said. "The fact that the
vice president's reinventing government initiatives have been using RSA shows what
agencies will do when given a choice."

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.