NTIS looks for partner to develop PKI services

The Commerce Department's National Technical Information Service has begun a search for a joint venture partner to begin offering public-key services to government agencies much in the same way it offers World Wide Web services through FedWorld.

NTIS last month requested proposals for partners that could issue and manage certificates containing digital signatures, could provide directory services, could offer technical assistance in the development of polices for those services and could market the services on behalf of NTIS' numerous agency customers.

Federal agency customers of FedWorld, a Web site that offers access to more than a dozen government Web pages and bulletin boards, have identified public-key technology as key to accomplishing their missions, said Keren Cummins, FedWorld director. Public-key infrastructure (PKI) products use digital signature and encryption techniques to authenticate a user's identity and to ensure data is not tampered with during transmission. Many security experts believe this advanced technology is essential to secure electronic commerce and other electronic interactions with the public.

Possible Benefits

Federal applications that could benefit from the technology include those that depend on verifying the identity of users, including applications that require regular filing of forms, online licensing applications and medical records transactions, Cummins said.

While several federal agencies have begun piloting the use of public-key technology, no agency has taken the lead to centralize the complex function of issuing and managing certificates, although the General Services Administration and the U.S. Postal Service have begun projects that eventually could offer the services.

One of the more complex issues that FedWorld officials need to tackle in the joint venture would be to set up an easy method for citizens who need to communicate securely with the government to register to receive a certificate, Cummins said. Users would need to somehow show proof of identity to a registrar before receiving a certificate.

While Cummins said FedWorld wants to take on the responsibility of providing certificate services to agencies, officials are not prepared to offer a centralized service because the capabilities of the PKI products available today differ substantially, she said. FedWorld intends, however, to tailor an approach for each federal agency while at the same time examining the overall interoperability of the technology.

"We're hoping to really bear in on the issue of interoperability in a way that no one else has before," she said. "We have a core technical staff that is supporting more than one certificate authority [the product that issues certificates] in the same environment, and [we] have a unique opportunity to look at the interoperability issue."

Victor Wheatman, vice president of the Information Security Strategy Group at Gartner Group, San Jose, Calif., said VeriSign Inc. and Entrust Technologies are the two primary players competing head-to-head in the PKI federal market.

Nick Piazzola, vice president of VeriSign's Federal Markets Division, said NTIS officials are focusing on securing government-to-government and government-to-business transactions as opposed to GSA's plans to offer similar services for government-to-citizens transactions.

GSA issued a draft request for proposals in March for a contract that will offer public-key registration services and certificate validation to agencies throughout the federal government.

"Both GSA and NTIS have gone through the experience of taking a PKI product and running a certificate authority," Piazzola said. "They've both come to the conclusion that it's real hard if you don't have the experience...to run a business-grade, robust PKI."