Group lays foundation for expanding PKI use

By William Jackson

GCN Staff

An interagency group is developing a framework to certify federal public-key infrastructure policies and establish trust levels for interagency PKI use.

The Federal Bridge Certificate Authority 'is still in the prototype phase,' said Judith Spencer, director of the Federal Technology Service's Center for Governmentwide Security. 'We should be going live by the first of the year, and we're looking at being fully operational in 18 months.'

Spencer last week described the Federal Bridge CA at an information assurance conference in Alexandria, Va.

The government looks to PKI, a scalable way of using public- and private-key pairs to encrypt and digitally sign documents, for securing federal transactions over the Internet.

FTS' Access Certificates for Electronic Services program provides contracts for setting up technically interoperable PKIs. But no one will use the contracts unless they have confidence in the digital certificates underpinning the PKIs.

Agencies face a dilemma in taking their core business online. The Government Paperwork Elimination Act requires them to put forms and processes online by 2003. Preliminary plans are due by the end of this month.

Congressional committees, however, are 'going to be on top of you in about 12 seconds' if they are not convinced that such processes are secure, said Renato DiPentima, government-sector president of SRA International Inc. of Arlington, Va.

DiPentima, former chief information officer at the Social Security Administration, said trust is as important as security. He reminded the audience of SSA's experience in providing Personal Earnings and Benefits Estimate statements over the Web.

The PEBES site had the same level of security as statements sent through the mail and earned a 98 percent approval rating among users, DiPentima said. Eventually, however, because of congressional pressure, SSA took the site down.

Information sent via postal mail, fax or voice mail is more vulnerable than most Internet traffic, DiPentima said, 'but nobody pays a lot of attention to that. It pales in comparison when you start talking to citizens about the Internet.'

Because PKI can encrypt data and authenticate parties and content, it has the potential to provide both the security and the trust needed to smooth electronic transactions inside agencies and with citizens.

DiPentima predicted federal PKI programs would remain in the pilot stage for the next two or three years, as agencies remain leery of online transactions.

The trust necessary for PKI ultimately hinges on the digital certificates that verify the identity of different parties and contain public keys.

Agencies will tend to trust certificates issued by themselves or on their behalf. Trusting another agency's or an outside entity's certificates requires a central authority to vouch for their trustworthiness.

The Federal Bridge CA has six charter agencies: the Commerce, Defense, Justice and Treasury departments, the General Services Administration, and the Office of Management and Budget. The bridge will examine policies for issuing certificates and certify them at one of four levels of trust: rudimentary, basic, medium and high.

Someone's watching

A Federal PKI Policy Authority will oversee and authorize issuance of bridge certificates. It also will maintain a directory of certificates and a revocation list, so users can verify public keys and certificates.

The bridge currently recognizes digital certificates from Entrust Technologies Inc. of Plano, Texas, and Baltimore Technologies PLC of Ireland. Other certificate authorities will be added as the bridge becomes operational.

Use of the bridge is not mandatory, but any agency can submit its PKI policy for issuing certificates to receive certification.

It will be up to each agency to decide what levels of trust to accept.
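The trust decision the article describes, as an added illustration that is not code from GCN or from the Federal Bridge CA program: a relying agency trusts its own CA's certificates directly, trusts another agency's certificates only if the bridge has cross-certified that CA, never credits a certificate with more assurance than the bridge granted its issuer, consults the revocation list, and then applies its own minimum level. The agency names, serial numbers and the "take the lower of the two levels" mapping rule are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# The four assurance levels the article says the bridge certifies, weakest first.
LEVELS = ["rudimentary", "basic", "medium", "high"]

def rank(level: str) -> int:
    return LEVELS.index(level)

@dataclass(frozen=True)
class Cert:
    subject: str   # end entity named in the certificate
    issuer: str    # CA that signed it (an agency CA in this model)
    level: str     # assurance level the issuing CA's policy claims
    serial: int    # serial number, as listed on the revocation list

@dataclass
class Bridge:
    # agency CA -> level at which the bridge certified that CA's policy (constructed data)
    cross_certified: dict = field(default_factory=dict)
    # (issuer, serial) pairs on the revocation list the policy authority maintains
    revoked: set = field(default_factory=set)

def validate(cert: Cert, own_ca: str, min_level: str, bridge: Bridge) -> tuple[bool, str]:
    """Should a relying agency (own CA `own_ca`, accepting at least `min_level`) trust `cert`?"""
    if (cert.issuer, cert.serial) in bridge.revoked:
        return False, "certificate is on the revocation list"
    if cert.issuer == own_ca:
        effective = cert.level            # agency trusts certificates it issued itself
    else:
        bridge_level = bridge.cross_certified.get(cert.issuer)
        if bridge_level is None:
            return False, f"{cert.issuer} is not cross-certified by the bridge"
        # Assumed mapping rule: a cert never carries more assurance than the bridge granted its issuer.
        effective = LEVELS[min(rank(cert.level), rank(bridge_level))]
    if rank(effective) < rank(min_level):
        return False, f"effective level {effective} is below required {min_level}"
    return True, f"accepted at {effective}"

# Constructed sample data: two charter agencies cross-certified at different levels.
BRIDGE = Bridge(cross_certified={"Treasury-CA": "medium", "Commerce-CA": "basic"},
                revoked={("Treasury-CA", 1002)})
SAMPLES = [
    Cert("alice@treasury", "Treasury-CA", "high", 1001),    # mapped down to medium
    Cert("bob@treasury", "Treasury-CA", "medium", 1002),    # revoked
    Cert("carol@commerce", "Commerce-CA", "medium", 2001),  # bridge only vouches for basic
    Cert("dan@justice", "Justice-CA", "high", 3001),        # CA not on the bridge yet
    Cert("erin@gsa", "GSA-CA", "high", 4001),               # relying agency's own cert
]

def run_samples(own_ca: str = "GSA-CA", min_level: str = "medium") -> dict:
    """Evaluate every sample certificate from one relying agency's point of view."""
    return {c.subject: validate(c, own_ca, min_level, BRIDGE) for c in SAMPLES}
```

Lowering `min_level` to "basic" is the agency-side policy choice the article's last sentence describes: the Commerce certificate then becomes acceptable while the revoked and uncertified ones still fail.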
