GSA circulates draft of public key encryption policy

The General Services Administration recently released the first draft of a public key encryption policy, which is the first step toward establishing governmentwide standards for the technology. But the agency must resolve many issues before a final policy can be issued.

GSA's Federal Security Infrastructure Program office is circulating the document internally, and comments are due by mid-May.

In a public key system, users register their public keys with a certificate authority, an organization that verifies that a public key belongs to an individual with the matching private key. Only a user with the right private key can read a message that is encrypted this way. The certificate authority manages and tracks who has which keys and whether the keys are valid. Certificate authorities can also track digital signatures or otherwise authorize that a person is who he says he is for applications beyond encryption.

A public key approach is considered necessary for such applications as electronic commerce, where agencies would place orders and make payments over telecommunications networks. In these applications, agencies must be sure of the authenticity of their trading partners.

"We're attempting to put forth the minimum essential policy for federal government participation in the public key infrastructure," said Richard Kemp, director of the Federal Security Infrastructure Program.

The final policy will establish a minimum level of consistency in trust and assurance levels as well as a standard for secure registration of keys. It will also set the minimum security a certificate authority must have.

The draft policy "is a straw man for people to start shooting at," Kemp said. "We've issued the initial draft and still have a long way to go."

The Federal Security Infrastructure Program office is proposing governmentwide public key infrastructure policies at a time when the technology is still emerging. Only a few Defense Department networks use the approach.

"I thought [the draft policy] was premature," said Patricia Edfors, champion for security and privacy with the Government Information Technology Services Working Group. "I don't think we know enough about what our needs are to develop a policy. It's a good effort and good work, but there's a great deal we don't know now."

Kemp said public key pilot projects that GSA plans to undertake will provide some technical answers on how to implement certificate authority. GSA expects to announce next month which agencies will take part in the projects. The original projects, scheduled to take place this spring with the Social Security Administration and the Internal Revenue Service, were canceled.

Scott Schnell, vice president of marketing at Redwood City, Calif.-based RSA Data Security Inc., an encryption company, predicted there will be many differences between commercial and government certificate authorities. "A lot of government needs will have to do with security clearances, for example. The authority would have to be of sufficient caliber to handle that."

Certificate authority will be essential for applications such as electronic commerce, Schnell said. "You need some ability to establish trusted identity and trusted authority. You must have those in the digital world. That is what certificates are all about."