Act would set digital guidelines

Government agencies and information security vendors are cautiously optimistic about a bill introduced in the House last month that aims to encourage the development of a nationwide electronic commerce infrastructure.

The Digital Signature Act, sponsored by Rep. Bart Gordon (D-Tenn.), would require the National Institute of Standards and Technology to develop guidelines and standards for the digital signature infrastructure that provides security for e-commerce transactions. The bill also would require NIST to create a list of commercially available products that meet the standards.

The bill intends to ensure the interoperability of the various digital signature systems and public-key infrastructure (PKI) systems that agencies are developing throughout government, and to establish a standard the public can trust, Gordon's office said. A digital signature authenticates the identity of the person who "signed" an electronic document and lets the recipient detect whether the document's contents were altered after it was signed, whether in transit or anywhere else along the way.
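The two properties described above, signer authentication and alteration detection, can be seen directly in code. The following Go program is an added example, not code from the article or from any agency or vendor it names. It uses Ed25519 from Go's standard library purely as an illustration; the article does not specify an algorithm, and the form text and the "1200.00" amount are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// sampleForm is a constructed stand-in for an electronically submitted
// government form. It is not real data.
var sampleForm = []byte("form=SSA-16; applicant=Jane Doe; amount=1200.00")

// SignForm produces a signature over the exact bytes of form with the
// signer's private key. Changing even one byte afterwards invalidates it.
func SignForm(priv ed25519.PrivateKey, form []byte) []byte {
	return ed25519.Sign(priv, form)
}

// VerifyForm reports whether sig is a valid signature over form under pub.
// A true result means two things at once: the form is byte-for-byte what was
// signed, and it was signed by the holder of the private key matching pub.
// The length checks come first because ed25519.Verify panics on a malformed key.
func VerifyForm(pub ed25519.PublicKey, form, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, form, sig)
}

// Result records the outcome of the three checks Demo performs.
type Result struct {
	Original bool // unaltered form, correct signer's key: should verify
	Tampered bool // amount changed after signing: should fail
	WrongKey bool // unaltered form, a different party's key: should fail
}

// Demo generates a signer key pair, signs the sample form, then runs the
// three verification cases.
func Demo() (Result, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	sig := SignForm(priv, sampleForm)

	// Case 2: an intermediary edits the amount after the applicant signed.
	tampered := bytes.Replace(sampleForm, []byte("1200.00"), []byte("9200.00"), 1)

	// Case 3: someone else's public key, e.g. from a different certificate.
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}

	return Result{
		Original: VerifyForm(pub, sampleForm, sig),
		Tampered: VerifyForm(pub, tampered, sig),
		WrongKey: VerifyForm(otherPub, sampleForm, sig),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies:  %v\n", r.Original)
	fmt.Printf("tampered verifies:  %v\n", r.Tampered)
	fmt.Printf("wrong key verifies: %v\n", r.WrongKey)
}
```

The third case is where the PKI layer the article discusses comes in: a signature check only tells the verifier that some holder of the matching private key signed the bytes. Binding that key to a named person or agency, and getting the right public key to every party that must check signatures, is the job of certificates and the infrastructure behind them, which is why interoperability across agencies' PKI systems matters as much as the signature algorithm itself.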

"If criteria and systems are developed without any thought to compatibility, we will discourage the use of this electronic authentication technique by making it harder, not easier, for states and local governments, contractors and the general public to conduct business with the federal government," Gordon said in a statement.

The bill also would create a National Policy Panel for Digital Signatures to serve as a forum for exploring the issues associated with developing a national digital signature infrastructure. The panel would be led by the Commerce Department's undersecretary of technology, according to the bill.

Tony Trenkle, director of electronic services at the Social Security Administration, said the bill moves the debate about standards in the right direction, especially at a time when agencies are trying to comply with the Government Paperwork Elimination Act (GPEA) passed last year. That act instructed the Office of Management and Budget to promote the use of electronic communications and forms, and digital signatures.

"I think, at least on the surface, it sounds like a pretty good idea," Trenkle said. "It'll help standardize some of the areas in the digital signature arena, particularly when we talk about things such as the GPEA and the issues related to that."

The Digital Signature Act is intended to complement GPEA, which requires all agencies to provide the public with the option of submitting government forms electronically whenever possible by October 2003. OMB in March released a draft version of its guidelines for federal agencies to comply with GPEA, and the final guidance is to be released next year.

But GPEA was intentionally written to be technology-neutral, and OMB's guidelines do not provide much additional help for agencies trying to choose an electronic infrastructure in a growing market, Trenkle said.

The bill likely would need changes in the Senate to have any chance of passing, a Senate staff member said. "In general, we would support what they're trying to do," the staff member said. But the primary objections, the staff member said, concern the provision that shifts responsibility for guidance from OMB to NIST and the possibility that the bill could undercut GPEA's technology-neutral stance.

Vendors see upsides and downsides to the proposed legislation. So far, the bill seems to follow the lines of similar legislation in Canada, but "if the legislation gets too detailed, it could fall into the harmful category," said Brian O'Higgins, executive vice president and chief technology officer at Entrust Technologies Inc.

Entrust is one of 16 companies already working with NIST on technical guidelines and standards for digital signatures and PKI to foster interoperability, said Kathy Lyons-Burke, supervisor of NIST's PKI and applications program area. That group is developing a Minimum Interoperability Specification for PKI Components (MISPC), a set of baseline guidelines that vendors are encouraged to follow when developing PKI products, and a reference implementation that vendors can use to test their products against the MISPC.

But while the Digital Signature Act may add some additional guidance, "what we really need the Hill to do is fund some of these projects," said Santosh Chokhani, chief executive officer of CygnaCom Solutions Inc., another vendor working with NIST.

The National Policy Panel also could help strengthen the security structure for agencies, Trenkle said. But it may be difficult for NIST and Commerce to fulfill their functions because the bill provides no additional funding.

Some also are concerned that the panel could become more of a hindrance than a help. "This could turn out something that was incredibly destructive or something that is constructive or simply confusing," said Daniel Greenwood, deputy general counsel for the Information Technology Division in the commonwealth of Massachusetts. "It depends on the leadership of the panel."

Greenwood has worked with several other states for years to develop a digital signature strategy and other electronic forms of interaction that the public, industry and other government agencies could use. He said Congress could make the same mistakes that some states did by trying to set too many standards from the top down instead of letting the technology and policy develop naturally.

"It became a lot easier [to develop the states' PKI projects] when we realized you have to map the technology to the business and not map the technology to a law," he said. "We've gotten a bigger bang for our buck doing it that way instead of the other way around."

The bill, co-sponsored by Rep. F. James Sensenbrenner Jr. (R-Wis.) and Rep. George Brown (D-Calif.), has been referred to the House Science Committee.