GSA promotes new tools to encourage PKI use

GSA promotes new tools to encourage PKI use

BY DIPKA BHAMBHANI | GCN STAFF

The newest public-key infrastructure offerings under the General Services Administration's Access Certificates for Electronic Services program are unlikely to kick-start wide acceptance of PKI in the government, a GSA official contends.

Although agencies are under the gun to meet the Government Paperwork Elimination Act's 2003 deadlines calling for electronic services for most government interactions with the public, they have yet to achieve the mind-set, said David Temoshok, PKI policy manager in GSA's Governmentwide Policy Office.

Agencies 'are just not going to be able to flick a switch and go from a paper-based process to an electronic one,' Temoshok said.

Judith Spencer
Judith Spencer, chairwoman of the federal PKI committee, says she is optimistic.
But agencies are steadily adopting electronic processes, said Judith Spencer, chairwoman of the Federal PKI Steering Committee. Its next PKI status report, due this fall, will probably show an improvement in adoption since last year, she said.

'The obstacle is that this is business process re-engineering,' Temoshok said. Agencies' back-end technologies are not ready for complete conversion from paper to electronic processes, and systems have to be developed to accept the ACES applications, he said.

'The more vendors learn about agencies' needs, the easier and more efficient it's going to be for us,' Temoshok said.

New ACES offerings came out this month from Digital Signature Trust Co. of Salt Lake City, E-Lock Technologies Inc. of Fairfax, Va., and PureEdge Solutions Inc. of Seattle. The three vendors' FedSign signature application adds digital signing capability to ACES.

Digital Signature Trust, a certification authority and PKI application provider, also introduced the $50,000 ACES ekit [GCN, July 2, Page 10]. And the company brought out a service under ACES, the Electronic Transaction Risk Assessment.

Three elements, one from each vendor, make up FedSign for workflow routing and approval. FedSign uses PureEdge's Certificate Validation Module (CAM), which integrates with the ACES certificate arbitrator module. The CAM makes keys interoperable and tracks use.

PKI triumvirate

Assured Office, a server validation module from E-Lock, integrates with Microsoft Corp. operating systems to validate the locations of keys with the appropriate servers. It verifies that a key is coming from a valid destination.

Digital Signature Trust's SimpleSign, the final element, is an application for citizens to digitally sign transactions with the government. Keren Cummins, vice president of government services for Digital Signature Trust, said users could upload digitally signed tax forms to the IRS, for example.

FedSign is only for digital document signatures. If agencies simply want PKI to control access to computers, the ACES ekit is all they need.

Damage control

The Social Security Administration recently piloted Digital Signature Trust's risk assessment service, and other agencies can now buy the service under ACES.

'It's not your traditional penetration test,' Cummins said. 'It's an assessment of the degree of risk in choosing to accept an electronic credential.'

The service estimates the types of damage agencies might incur in finances, privacy or public reputation.

'Is it a $500 contract or a $500,000 contract someone is signing?' Cummins asked. 'If someone's name and phone number are exposed, or if someone screws the system, are you a little bit embarrassed or a lot embarrassed?'

inside gcn

  • When cybersecurity capabilities are paid for, but untapped

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group