The IRS sees PKI as its secret key to Net tax filing

As many as
5,000 IRS employees could file their 1999 tax returns over the Internet if the agency goes
forward with its first public-key infrastructure tax pilot.

Preparations for Web tax filing got started last month, IRS officials said.

“We definitely presume that a public-key infrastructure is going to provide the
kind of authentication and security that we believe is necessary,” said Stephen
Holden, national director of Electronic Program Enhancement for the IRS.

At first, the activity will focus on policies, procedures and training for use of
digital certificates and public-key cryptography. “‘Since this is new technology
for us, we know there will be some surprises,” Holden said.

As complex as public-key technology is, in some respects the policy issues are even
more complex. To develop a certificate policy, the IRS must figure out what levels of
security and authentication are right for which transactions and how to apportion
liability, for example.

“The Federal PKI Steering Committee is working on what I would call a model
certificate policy that federal agencies could adopt,” Holden said. But the issues
are complex, “especially in the context of the very complicated federal legal and
policy framework.”

The IRS will begin with digital certificates for conducting secure e-mail transactions
over the Web.

“It’s an easy application to test your public-key infrastructure,” said
Nick Piazzola, vice president of federal markets at VeriSign Inc. of Mountain View,
Calif., which won the initial contract for the IRS pilot. “And in one sense, it
doesn’t cost you anything.”

If IRS officials opt next year to continue the VeriSign project, they expect about
5,000 IRS employees to conduct their 1999 tax filing transactions over the Internet.

VeriSign proposed two tax-filing options under the contract. One is to use the
software-assisted Intuit TurboTax Service from Intuit Inc. of Mountain View, Calif. The
other is the forms-only InternetForms System from UWI.Com of Marina del Rey, Calif.

“They appeal to two different segments of the tax-paying population,”
Piazzola said.

Both applications will have embedded root keys for compatibility with VeriSign’s
public-key infrastructure, he said.

VeriSign has root keys in 120 e-mail packages, Web servers, virtual private networks
and other commercial products for use with its public-key infrastructure.

Even through the international X.509 Version 3 standard for digital certificates is
fairly well defined, there is no guarantee that a public-key infrastructure built by one
company will be compatible or interoperable with another company’s PKI, Piazzola

Both the Internet Engineering Task Force and the Federal PKI Steering Committee are
interested in interoperability standards for public-key infrastructures. “But it
will take some time,” Piazzola said.

For example, before two infrastructures could interoperate, someone would have to
guarantee that the two had similar security policies. “That’s one of the bigger
issues for the federal government to address,” he said.

PKI policies must be documented in a certificate practice statement, Piazzola said.

The statement, “among other things, addresses interoperability, liability and so
on,” Piazzola said.

IRS officials will learn a lot over the next few months about how to safeguard
confidentiality, integrity and authenticity of tax transactions that are sent over the
Internet, he said.

Security experts such as Piazzola, a 28-year veteran of the National Security Agency,
refer to the highest level of electronic security as non-repudiation. It means, he said,
that a taxpayer “could not say, ‘I did not sign that thing.’ ”  

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.