GSA develops app to help agencies use PKI

GSA develops app to help agencies use PKI

By William Jackson

GCN Staff

The General Services Administration has developed an application to help agencies integrate public-key infrastructures into online services.

The Certificate Arbitrator Module, or CAM, handles the job of validating digital certificates.

GSA's Federal Technology Service expects CAM to make it easier to use Access Certificates for Electronics Services contracts, which provide interoperable digital certificates for PKI.

'We developed CAM specifically for the ACES program,' said Stan Choffrey, the ACES program manager. 'Because we had multiple awards, we had to have a routing function' for the certificates.

Agency interest caused GSA to broaden the scope of the module for use with non-ACES certificates, Choffrey said this month at a Washington conference hosted by GSA and the Federal Information and Records Management Council.

PKI uses public- and private-key pairs to encrypt and digitally sign documents. A digital certificate is software issued by a third party that acts as electronic identification. It contains the user's public key, which validates the digital signature.

Together, certificates and signatures can assure the identity of people who access data or submit forms online'capabilities agencies must provide by 2003 under the Government Paperwork Elimination Act.

The ACES contractors are AT&T Corp., Digital Signature Trust Co. of Salt Lake City and Operational Research Consultants Inc. of Chesapeake, Va.

When an encrypted certificate is submitted to an agency's online application, CAM will decode it and identify the certificate authority that supplied it. If the certificate authority is not listed as one trusted by the application, the certificate will be rejected. If the authority is trusted, CAM will contact the relevant authority's database to verify that the certificate was issued to the user and has not been revoked.

To and fro

CAM passes the information back to the application, along with the decoded certificate. Based on the certificate information, the agency system then can decide whether to grant access to the app.

CAM, developed using commercial software, would reside inside an agency firewall on a server running Microsoft Windows NT. It can link to certificate authorities via the Internet or a dedicated link for high-volume or critical applications.

So far, few agencies actively use PKIs, however, and none is using ACES certificates.

'One thing that isn't being done effectively, inside or outside of government, is budgeting' for PKI, said Gordon L. Bendick, AT&T's ACES program manager.

GSA is offering help there, too. Fees charged by ACES contractors depend on volume, ranging from 40 cents to $1.20 per transaction.

David Temoshok, GSA's electronic-government program manager in the Office of Governmentwide Policy, said agencies could safely budget for a cost of 63 cents per transaction, based on estimated volumes of 1 million to 5 million transactions in ACES' first year.

GSA has primed the pump for ACES by ordering 500,000 digital certificates from Digital Signature Trust and AT&T. The certificates will go to agencies on a first-come, first-served basis at no cost for issuance. Agencies will pay an activation fee and the transaction fees.

The Veterans Affairs Department has applied for 100,000 certificates for benefits applications. The department estimates it will do 1.2 million transactions a year.

Bendick said agencies could expect online transactional savings to pay for the cost of implementing PKI in three to five years.

inside gcn

  • security compliance

    Security fundamentals: Policy compliance

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above