GSA's digital signature plans hinge on standards

The General Services Administration hopes to award in January a governmentwide contract for digital-signature services to give citizens secure access to private data, but policy-makers at the agency must settle issues related to federal standards before the solicitation can be issued this fall.

Judith Spencer, acting director of GSA's Center for Governmentwide Security, said the contract will offer public-key registration services and certification validation to agencies throughout the federal government. She said GSA's Federal Telecommunications Service will award multiple contracts to vendors, which will issue private-key certificates to citizens - certificates that could be used to gain access to data such as personal earnings or benefits.

For example, the Social Security Administration this year offered citizens online access to their earnings and Social Security benefits statements. But SSA shut down the service in April when news reports showed how easy it was for someone who knew basic information about another individual to access that person's earnings history.

"We are talking about validating the identification of an individual coming into a government agency online," Spencer said. "They would have a certificate and digitally sign requests for information."

Agencies would be billed for each time they use the infrastructure to provide information to the public or to other agencies, she said.

Spencer said the governmentwide approach would benefit the public as well as agencies. Citizens would be able to obtain a single private key that would allow them to certify their identities to all participating federal offices. Agencies would be able to hop onto a pre-existing infrastructure and not bear the expense of building their own, she said.

Certificates to the public will probably be software-based, Spencer said, adding that GSA is still not sure whether to require users to show proof of identification before receiving a certificate. She said a second level of certification will be provided for electronic commerce users; that certification will require a hardware token and in-person identification.

A GSA briefing to agencies this month revealed widespread concern that GSA's plan for a commercial off-the-shelf infrastructure would not adhere to the Federal Information Processing Standard (FIPS) algorithm for digital signatures. Spencer acknowledged that industry has standardized on an algorithm developed by RSA Data Security Inc. that does not conform to federal standards.

Spencer suggested that the issue may be resolved if the National Institute of Standards and Technology proceeds with a plan to incorporate RSA's algorithm into the FIPS.

A NIST spokeswoman said the agency has asked for comments on a proposal "to change the digital signature standard itself to include other algorithms, and RSA is one of those." She said it remains unclear whether NIST will pursue such an action, but she said the comments received so far were "encouraging."

However, a NIST official at GSA's meeting this month said responses to revise the standard "were less than overwhelming."

Most of the agency participants at the GSA meeting this week appeared to support the program. "I would like to see some closure among agencies on this issue," one attendee said. "As a citizen, I would hate to have to stand in 10 different lines to receive 10 different certificates to deal with 10 different agencies."