Broad DMS requirements set
- By Gregory Slabodkin
- May 04, 1998
Specifications for the Defense Message System medium-assurance requirements will be
inclusive enough to attract competitive vendors, a program official said last month.
The Internet Engineering Task Force (IETF) and the Defense Information Systems Agency
came up with the requirements.
DISA has yet to approve the task force specifications, but Dawn Hartley, DISA's chief
engineer, said the specs will be open and broad enough to attract commercial vendors.
"Our goal is to get a number of commercial providers for DMS products," Hartley said.
DISA officials said they believe commercial messaging products will cut the cost of
using Fortezza cards while giving medium-assurance services for the Defense Department's
estimated 2 million DMS users.
DMS already uses 80-bit Fortezza encryption cards from the National Security Agency
for its high-assurance security requirements. But for medium assurance, DISA plans to use
products based on secure, interoperable commercial standards for Web services.
Most DMS users won't send Fortezza-encrypted messages, DISA officials said, but would
likely send medium-assurance messages with standard Internet certificates of
authentication. DMS 1.0 uses the X.509 Version 1 certificate. DMS 2.0, to be released
later this year, will use X.509 Version 3.
"We are DMS-compliant and very encouraged by DMS' flexible, local architecture,
which picks up more of the Internet protocols, especially in the medium-assurance
area," said Mitra Azizirad, Microsoft Corp. Federal System's DMS product manager.
For instance, Azizirad said, Microsoft ported X.509 Version 3 to Microsoft Exchange
5.5. But the problem, she said, is that DISA has not yet defined DMS medium-assurance
requirements for vendors.
DOD has licensed and deployed Internet technology from Netscape Communications Corp.,
said John Menkart, Netscape's regional sales manager.
DISA signed a $50 million client-server agreement with Netscape last September for
more than 2 million DOD users with the company's six licensed servers, Fortezza-enabled
Communicator client and other software.
DISA is testing Netscape servers as part of a pilot that could lead to the
establishment of a medium-assurance Public Key Infrastructure throughout DOD that is
separate from DMS. Under the Defense Travel System program, DOD has initiated a pilot to
implement a medium-assurance PKI in Defense Travel Region 6, an 11-state Midwest district
with more than 250,000 DOD users.
The pilot includes a new digital signature accounting process that gives DOD travelers
pre-travel authorization and lets them sign their vouchers once the trip is concluded. DOD
officials see digital signatures as a crucial part of DOD's move to a paperless system.
The signer controls the private key, and the public key is available to all recipients
who need to verify the sender's signature. The PKI, in turn, generates public key
certificates and distributes them to verifiers.
"Netscape feels that the difference between high-assurance and medium-assurance
means you install a separate and parallel PKI that is not interoperable with what's being
rolled out for DMS," Azizirad said.
She said a medium-assurance PKI increases the complexity, costs, management and
training required for DOD to support two separate systems--PKI and medium-assurance
requirements, both of which DOD supports.
An August 1997 DOD directive established a PKI that includes directory services under a
centralized management to cut costs and ensure interoperability.
DISA is expected to approve the draft IETF profile for medium-assurance security for
"There are clear and compelling technical and functional considerations that
justify DOD's continuing support of both initiatives," Menkart said. He said Netscape
technology will use X.509v3 certificates with client and server technology.
The technology will also include Federal Information Processing Standard 140-1
validated encryption for information protection, user authentication and non-repudiation.
Netscape's Certificate Server and Directory Server are being used for the DMS pilot at
two DOD megacenters.
"We're going to evaluate how the standards and the products that we selected are
working and we'll make a decision about where we go from here," Hartley said.
He reiterated that DOD does not select or endorse single products but rather defines
the product requirements and standards.