PKI team tries to lead by example on new pilot
PKI team tries to lead by example on new pilot
- By Dipka Bhambhani
- Apr 15, 2002
'I stress the importance of coordination among program leads, CIOs, network architects and others in bringing these solutions together if a full PKI is planned.'
' GSA'S BARRY WEST
In its latest effort to jump-start public-key infrastructure use within government, the Federal PKI Steering Committee will put its money where its mouth is and use an e-signature application for its own pilot.
Through the Access Certificates for Electronic Services program, the General Services Administration bought 150 licenses of ApproveIt Desktop at $143 apiece from Silanis Technology Inc. of Montreal. The steering committee will use the software to share documents and conduct online voting.
The committee wants to show other agencies that such software is easy to deploy and use, said David Temoshok, spokesman for the Federal Bridge Certification Authority. 'We believe it is a necessary infrastructure [piece] for enabling our electronic-government program.'
ApproveIt Desktop works through a browser with any vendor's PKI applications. Documents tagged in Extensible Markup Language or HTML require a $10,000 ApproveIt developers' kit for signing capability.
GSA will act as the certificate authority for the team as it uses ACES products and ApproveIt Desktop for the pilot.
Six months ago, GSA officials were skeptical about ApproveIt Desktop because of uncertainty about whether it would work with the Defense Department's PKI. So Silanis began a campaign to change GSA's mind.
'We looked at the ACES program requirements,' said Kristine Matulis, industry marketing manager for Silanis' government sector group. 'We wanted to ensure that we met those requirements.'
Last August, before interoperability testing began, Barry West, chairman of the Business Working Group of the PKI Steering Committee in GSA's Governmentwide Policy Office, said agencies needed to make sure the software would work with any PKI [GCN, Aug. 27, 2001, Page 9].
'Let's say an agency purchases this, and later on that agency decides to implement a full-scale PKI. There's no guarantee it is going to be interoperable,' West said at the time.
West said recently that his chief concern about implementing PKI has changed little in the last seven months.
'I stress the importance of coordination among program leads, CIOs, network architects and others in bringing these solutions together if a full PKI is planned or already in place,' West said. 'That's pretty much my same feeling from last year.'
One thing that is assured is that ApproveIt Desktop will work with the DOD PKI. In November, the Defense Information Systems Agency's Joint Interoperability Test Command determined the compatibility of the app with DOD's PKI program.
Even so, West's earlier concerns were on target, said William Burr, manager of the Security Technology Group at the National Institute of Standards and Technology.
ApproveIt Desktop runs under Microsoft Windows 9x, Win NT 3.51 and 4.1, and Win 2000. It can digitally sign documents in Microsoft Word and Excel, Adobe Portable Document Format, JetForm FormFlow, and XML and HTML formats.
Because it runs only under Microsoft Corp. operating systems, it presents an interoperability problem for agencies using other OSes, Burr said.
Silanis officials said the app conforms to NIST's Federal Information Processing Standard 186-1, approved in February 2000, and with the Advanced Encryption Standard, approved last December. The FIPS 180-1 hashing algorithm and the FIPS 186-1 digital signature algorithm support 160-bit encryption for AES.
But FIPS is only a foundation, Burr said, and 'you can build a lousy house on top of a good foundation.'
JITC's interoperability testing showed that agencies using the signing software with their own PKIs could accept DOD certificates, verify certificate status in DOD databases including the paths between two entities and search revocation lists of invalid DOD certificates through the Lightweight Directory Access Protocol.Caution needed
'We've been working with PKI and e-government transactions for a long time, and we recognize that just putting a PKI in place doesn't necessarily mean that applications that would use PKI are ready to go,' Temoshok said.
Burr said GSA's hesitation over the past year was warranted. A little caution now would also be warranted, he said.
'There's a lot of cryptography [software] out there'much of it good, a lot of it snake oil,' Burr said.
And it's not all about interoperability, he said, citing the need to ensure cryptographic soundness, too.
Matulis said she thinks GSA's licensing of ApproveIt Desktop had less to do with the interoperability tests and more to do with an awareness that agencies need more secure communications.
Earlier this year, in response to federal interest, she said, Silanis incorporated ACES' certificate arbitration module into ApproveIt.
Mitretek Systems Inc. of Falls Church, Va., developed the CAM for GSA. It checks a certificate's expiration date and verifies the attached signature.
'The CAM software uses the ACES validation protocol'the Online Certificate Status Protocol'to validate current certificate status with the issuer,' Temoshok said.
The CAM can tell a user whether another user's certificate is good, revoked or unknown. The CAM and protocol also can validate Silanis' ePersona files, which they could not do last year. The ePersona files maintain users' private data under password protection.
Users can digitally sign documents with ApproveIt Desktop in three ways. They can create an ePersona signature file with a digital ePad; manually sign a printed copy of an e-signature form and fax it to Silanis for conversion; or use the ePersona Server software, which lets them sign with a mouse.
Silanis officials said they hope to store the ePersona files on DOD Common Access smart cards.
Because most non-Defense agencies that use digital certificates purchased them through the ACES contract, promoting signature software compatible with ACES certificates will help build a uniform governmentwide PKI, Temoshok said.
Silanis' software also works with certificates from other PKI vendors such as Baltimore Technologies Inc. of Boston, Entrust Inc. of Addison, Texas, and RSA Security Inc. of Bedford, Mass.