12 agencies piloting VeriSign's PKI products

VeriSign Inc. has garnered 12 agency customers for its public-key infrastructure (PKI) products as the federal government moves to experiment with the technology needed to secure electronic commerce and public access to internal networks.

The agencies— nine civilian and three military— are using VeriSign's E-Commerce Solutions suite to pilot the use of digital certificates for secure communications and transactions over open networks. Certificates carry digital signatures, which are used to authenticate a user's identity and verify that data has not been altered during transmission over a network.

The E-Commerce product suite is designed to allow organizations to quickly and easily establish themselves as certificate authorities, which dole out and manage certificates, using front-end software coupled with VeriSign's back-end certificate-processing services.

The product is attractive to federal agencies because it provides a high-level of control over authenticating end users' authority and issuing and managing certificates, as well being able to scale to millions of users at a low cost of ownership, said Nick Piazzola, vice president of VeriSign's Federal Markets Division.

Although VeriSign declined to name the federal agencies that have begun using its products, FCW has learned that among them are the FBI, the Energy Department, the Patent and Trademark Office, the Social Security Administration, the Agriculture Department, the Air Force, the Navy and the Army. The Mountain View, Calif.-based company launched its Federal Markets Division from Baltimore in January 1997.

"We can bring up their own customized PKI in about seven days," Piazzola said. Agencies "fundamentally need security if they're going to connect up to the Internet and provide services. Just about every government agency today knows they need a PKI. It boils down to the issue of [whether] they want to develop one themselves or take advantage of our capabilities."

Core to the product suite is VeriSign's OnSite, which provides all the necessary certificate services, applications support and management tools required to operate a certificate authority.

OnSite consists of customized end-user enrollment pages, administrative control and management of World Wide Web pages, and a certificate directory distribution service.

End users can request and receive certificates via a set of Web pages. Administrators use a second set of Web pages to control user authentication, approve certificate requests and renewals, and revoke certificates as well as perform other management tasks.

Victor Wheatman, vice president of the information security strategy group at Gartner Group, San Jose, Calif., said VeriSign is "coming on rather strong" in the federal arena, especially because there has not been one central federal agency that has stepped up to operate a PKI for other agencies to use.

While the U.S. Postal Service and the General Services Administration have made overtures about launching a PKI to service other agencies, neither has launched an operational PKI, thereby leaving agencies on their own for securing transactions, he said. The FBI is using VeriSign's products in a pilot called Infraguard, which allows private-sector participants to file reports electronically to the FBI about computer security breaches, according to sources familiar with the project. These private-sector participants are issued certificates from VeriSign, and those certificates carry digital signatures to authenticate a user's identity.

PTO is using VeriSign technology as part of a pilot to demonstrate the exchange of patent documents in secure electronic form between the International Bureau of World Intellectual Property Office and patent offices in the United States, Europe and Japan.

Kelly Kavanagh, research director at IDC Government, said that while agencies are using digital certificates in pilot mode today, they are on track to fully deploy over the next 12 months.

Kavanagh said that although agencies are setting up PKIs via products, there are policy considerations to take into account when using the technology. "The issue of securing the infrastructure and the certificate servers and those elements of the process is something that agencies need to be aware of," he said.

At the same time VeriSign announced its growing government clientele, the company also announced a new marketing agreement designed to expand its federal offerings. The company signed an agreement with UWI.com that will allow VeriSign to give agencies the ability to create, distribute and archive digitally signed forms across the Internet, Piazzola said.