DOD pushes ahead with PKI pilot

The Defense Information Systems Agency plans to roll out a pilot digital signature program based on commercial products this spring for anywhere from 250,000 users to as many as half a million users. The pilot will serve as the test bed for the development of all types of paperless processes throughout the Defense Department.

The Pentagon wants to use public-key infrastructure (PKI) to verify an individual's identity in an electronic environment as well as to provide encryption services, an approach critical to the paperless contracting initiative backed by John Hamre, deputy secretary of Defense.

A position paper developed by Hamre's office during his term as DOD comptroller said, "This PKI will satisfy the requirements of all DOD business areas and [will] provide for interoperability with non-DOD trading partners.''

DISA has already installed-medium assurance servers from Netscape Communications Corp. for the pilot project in its Mechanicsburg, Pa., and Denver megacenters.

Frank Perry, technical director of DISA, said the pilot program will test the capability of commercially developed medium-assurance PKI products to verify and protect transactions because DOD "cannot afford" to issue the National Security Agency-developed high-assurance system that is housed on Fortezza cards to all 2.5 million civilian and military employees in DOD.

Perry added that DOD has not backed off from using Fortezza to protect classified information over public networks in such programs as the Defense Message System (DMS). He estimated that some 400,000 users were likely to purchase the Fortezza cards.

Perry said that eventually the high-assurance Fortezza and medium-assurance system based on commercial products will be integrated into one PKI "with service at multiple levels.'' A statement from the Pentagon backed this up, saying, "The goal of [DOD] then is to combine these two infrastructures into a common Defense Information Infrastructure (DII)."

DISA plans to crank up the pilot project within a matter of weeks, following the award of the Defense Travel System contract, which will allow the processing of paperless travel vouchers by the 200,000 to 250,000 DOD employees within DTS Region 6, which included 11 states in the Midwest, Perry said. But other users within that region, such as the health care and personnel communities, also have indicated an interest in tapping into the pilot.

However, Microsoft Corp. believes it has been excluded from the opportunity to participate in the pilot program. DISA has been slow to issue either its requirements or standards, making it difficult for the company to play, according to Mitra Azizirad, systems engineering manager and DMS program manager for Microsoft Federal. "We want to know what the requirements are today," Azizirad said. "We have not yet seen anything come out. We know pilots are going on, but we are not privy to the information that would allow us to participate. We have not been afforded the opportunity to participate in the pilot, though we have asked and [still] have not been given an opportunity.''

By relying solely on Netscape for the pilot, Azizirad charged that DOD has opted for a closed solution. "This is not a very open solution," Azizirad said. "We are very concerned that our browser cannot request certificates from the [Netscape] server.''

Responding to Microsoft's complaint that it has been excluded from the pilot and has not received a copy of standards or requirements, Perry said in a statement, "DISA is working to get standards profiles related to medium-assurance services in a DOD PKI available in draft soon. Our objective is to not only provide them to Microsoft but to anyone else in the industry who is interested as well."

Despite comments from Perry and DOD that the Pentagon plans to craft an integrated high- and medium-assurance infrastructure, Microsoft views the pilot medium-assurance project as backing separate infrastructures. "These are two parallel infrastructures,'' Azizirad said.

Bill Neugent, chief engineer for the information systems security division of Mitre Corp., said that while there are some interoperability problems between Microsoft and Netscape products, both companies are moving to eliminate these glitches with "DOD encouraging them to do that in as many ways as DOD can."