On PKI, who can you trust?
On PKI, who can you trust?
BY DIPKA BHAMBHANI
| GCN STAFF
A lack of trust among agencies is fueling a 'keep it in the family' movement when it comes to issuing digital certificates.
Some agencies do not consider self-governing commercial certification authorities reliable.
But the General Services Administration is encouraging agencies to use its cadre of third-party authorities.
'I can think of no better approach for issuing certificates' than GSA's Access Certificates for Electronic Services program, said David Temoshok, a GSA policy manager. ACES oshok, a GSA policy manager. ACES supplies the public-key infrastructures and certificates, and agencies can easily verify the rightful keyholders because they know their employees, Temoshok said.
When the Federal PKI Steering Committee began working to support the 1998 Government Paperwork Elimination Act, it found that agencies were concerned about trusting unregulated authorities with confidential information.
GSA's David Temoshok holds an example of the smart cards the agency is using for its electronic signatures.
'Right now there is no accreditation process for certification authorities in the United States,' Temoshok said. 'You're kind of left on your own.'
As a safe alternative to ACES, some agencies are building their own PKI infrastructures and issuing certificates under the Federal Bridge Certification Authority, overseen by the Federal PKI Policy Authority.
The Office of Management and Budget reported that the steering committee, which oversees the bridge authority, funded it to the tune of $3.5 million this year. The Chief Information Officers Council, which helps OMB develop and implement PKI policy, has given the authority about $500,000 from its interagency innovation fund.Spanning the divide
'We would like the federal bridge to be able to link PKI domains outside the federal government, such as in the health care arena for Medicaid or to transport medical records securely via the Internet,' Temoshok said.
GSA designed the ACES program to accommodate agencies that wanted ready-made PKI and government-certifiable third parties to issue the certificates. GSA's choices as authorities are AT&T Corp., Digital Signature Trust Inc. of Salt Lake City and Operational Research Consultants Inc. of Chesapeake, Va. The companies assume full liability for problems with keys, including loss.
Despite that advantage, 25 agencies have issued nearly 23,000 certificates on their own. The Patent and Trademark Office alone has issued 5,000. Agencies enjoy credibility as certificate authorities, but with the liability of acting as their own operators.
'Over the long run it's cheaper to do it yourself,' said Art Purcell, senior computer scientist in PTO's CIO office. There's no expectation of privacy because everything on the key belongs to the government, he said.
'God help you if you lose the key,' Purcell said. 'If the cryptography is good, you're out of luck.'
Scott Lowry, president and chief executive officer of Digital Signature Trust, disagreed that agencies run any risks by going outside their own ranks. His company has won eight of the 11 task orders under ACES. Agencies 'are outsourcing a series of risks: the technology risk, the operating risk, the identity risk and the third-party liability,' he said. 'If they in-source it, they bear all those risks.'
Temoshok said there is no financial advantage for agencies in becoming their own certification authorities.
'GSA is not trying to generate revenue' with ACES, Temoshok said. 'We believe it's a service to citizens, using taxpayer money to build the infrastructure.'
Lowry said Digital Trust spent about $2.5 million to set up a certification authority infrastructure and is spending an additional half to three-quarters of a million dollars annually to run it.
'At the end of the day you really need to go where your core competencies are,' Lowry said. Just because the government uses many desks does not mean it should manufacture them, he said.The next step
According to a General Accounting Office report, the bridge authority might lend some credibility to government certification authorities, but it still 'lacks the context of a well-defined program plan' plus key policy and technical standards.
Establishing a federal PKI management framework could 'accelerate participation in the [bridge authority] as well as overall adoption of key technology for enabling electronic government,' GAO said.
After the bridge authority starts issuing public and private keys in bulk to federal employees, it could take on additional certification chores for companies that do government business and other companies as well, Temoshok said.