Will $50K kit convince agencies to buy into PKI?

Discounted package combines certificate modules and services while lowering the price barrier; setup said to take 25 days

BY DIPKA BHAMBHANI | GCN STAFF

A public-key infrastructure provider under the General Services Administration's Access Certificates for Electronic Services program next week will discount the price of a PKI kit to a flat $50,000.

'Yes, you'll have to put in an investment, $50,000 for all you can eat for 500 people, but that investment will pay back many, many times,' said Judith Spencer, chairwoman of the Federal PKI Steering Committee.

Digital Signature Trust Co. of Salt Lake City is selling its PKI ekit with 500 digital certificates, unlimited verification services and a certificate arbitrator module. The CAM tracks key use and provides interoperability among agencies.

All in one

Digital Signature Trust officials said everything can be set up within 25 days. Keren Cummins, vice president of government services, said the kit covers the 'unnecessarily intimidating' components that often discourage agencies from using PKI.

Under the ACES program, each Digital Signature Trust certificate normally costs $19. Verification of a certificate costs $1.24 each time it is used. ACES certificates issued to public users dealing with agencies are free; GSA provides the CAM component.

But Cummins said few agencies have adopted the approach because they see the task of implementing it as daunting.

'You don't have to become a Ph.D. in PKI to move forward,' Cummins said.

Spencer disagreed about the reason behind PKI's slow adoption within the government. She said agencies aren't overwhelmed by the thought of PKI, just its price tag.

The ekit, valued at up to $80,000, will be sold from July 9 to the end of September at the $50,000 price.

'It gives the systems people an opportunity to respond to the naysayers,' Spencer said. 'They can say, 'For $50,000, we can give it a shot. If it works, hey. If it doesn't, hey, it's only $50,000.' '

The other ACES certificate providers are AT&T Corp. and Operational Research Consultants Inc. of Chesapeake, Va. The providers verify the identity of key holders; GSA handles the rest. Through a Web browser's Secure Sockets Layer, an agency user connects to one of the ACES registration authorities, which verifies the employee's personal information, protected by the Privacy Act.

Agencies at the ready

The registration authorities assume all liability for unauthorized use. They send back to the user a personal identification number and password, and they issue a certificate so that the user can digitally sign documents.

GSA has set up an ACES Customer Advisory Board of representatives of agencies that are PKI-ready.

Spencer said becoming PKI-ready is relatively easy. 'It just means [the agency's] applications have to be able to read and understand certificates,' she said.

That would cost an agency about $20,000, depending on the desired uses of PKI, Cummins said.

Access-control applications that require public keys to open are the easiest to implement, she said. But using digital signatures on, say, IRS forms would be more difficult.

With the ekit, 'we've taken two-thirds of the problem off the table,' Cummins said.

Spencer said packaging the PKI components that agencies would otherwise have to purchase individually makes the kit attractive. The certificates will be automatically interoperable among agencies, she said.

Agencies such as the Social Security Administration and the Patent and Trademark Office already have PKI programs. The Defense Department is considering use of the ekit, Cummins said.

But David Reiss, management analyst for the deputy chief financial officer at the Treasury Department, said he hasn't even started thinking about digital signatures for security. Reiss said PINs and password-controlled access behind a firewall work well enough.

'We don't have a need for it,' he said. 'For most purposes, the security we have in place is sufficient.'

Nonetheless, Spencer said, there's a lot of activity among agencies in PKI.

The PKI Steering Committee is preparing to issue a status report. 'We'll take the temperature and get everyone's position at the end of the fiscal year or the beginning of the new fiscal year,' Spencer said.
