New cross-certifications issued for Federal Bridge
By William Jackson
May 12, 2004
Four new entities have been cross-certified by the Federal Bridge Certification Authority so far this year, meaning digital certificates issued by them can be accepted by other FBCA users.
The addition of the departments of State and Energy, the state of Illinois and Digital Signature Trust Co. of Salt Lake City doubles the number of organizations cross-certified by the bridge since it went live in 2002.
The new members were recognized today at the Federal PKI Deployment Workshop in Washington.
FBCA is the evolving solution to the problem of identifying users and devices accessing government services and resources online. Since the mid-1990s, the focus has shifted from having the government issue digital certificates to a federated system built on trusted relationships with other certificate authorities. The digital certificates act as electronic IDs that agencies can accept online.
When a foreign digital certificate is submitted to an application, it can be passed along to the Federal Bridge. The bridge can verify that it was issued by an organization whose certificate policies have been accepted by the Federal Bridge. The bridge can also check with the issuing authority to ensure that the certificate still is valid.
FBCA is an enabler of the Federal Public Key Infrastructure Architecture, which in turn enables electronic delivery of government services. It has four levels of assurance: rudimentary, basic, medium and high. Most applications require--and most digital certificates qualify for--the medium level of assurance, said Tim Polk, cryptographic application and infrastructure program manager at the National Institute of Standards and Technology.
The first organizations to be cross-certified with the bridge were the departments of Justice, Commerce, Treasury and Defense, the Office of Management and Budget and the General Services Administration. NASA and the Agriculture Department's National Finance Center were added later.
Illinois became the first nonfederal entity to be cross-certified in January. The state is working with the Environmental Protection Agency on a program that would let Illinois companies file wastewater disposal reports electronically, using digital certificates issued by either EPA or Illinois.
The State Department was cross-certified in February and Energy in April. According to David Ames, Deputy Chief Information Officer for Operations, State is deploying PKI throughout its domestic offices and at 275 overseas locations. The PKI is now used internally for encrypting and signing e-mail, access to Web applications and signing code, and programs are under way to expand its use with other departments and business partners.
Digital Signature Trust is the first vendor in GSA's Access Certificates for Electronic Services program to be cross-certified. This opens the way for its certificates, which are used by EPA, the National Institutes of Health, the departments of Health and Human Services and Labor, the Social Security Administration, the Coast Guard and others, to be accepted by other agencies through the bridge.
GSA's Judith Spencer, chairwoman of the Federal ID Credentialing Committee, said other ACES vendors also are working on cross-certification. Other organizations seeking cross-certification include the departments of Homeland Security and Labor, the Patent and Trademark Office and the state of Arkansas. Canada is 'on the brink,' Spencer said, and talks are under way with the United Kingdom and Australia.
William Jackson is a Maryland-based freelance writer.