Vendors step up PKI push

Now that public-key infrastructure technology is being accepted, information security vendors are touting their PKI solutions as a way for agencies to support new applications, rather than simply a way to increase security.

PKI solutions use digital signature, digital certificate and encryption technologies to authenticate a user's identity and to ensure that data is not tampered with during transmission across the Internet.

Until recently, agencies generally have looked at PKI as simply another component of their security strategies, although an important one for electronic commerce and other digital transactions. But that is changing, vendors said, as agencies begin to realize that PKI enables them to develop new classes of applications

"No one uses certificates or PKI for PKI's sake," said Chris Lowden, director of the National Technical Information Service's FedWorld office. "There's something you want to use it for."

The Commerce Department's NTIS, which sells scientific, technical, engineering and related business information to agencies, has been providing online services to agencies through FedWorld for years.

Recently more and more agencies have been asking for PKI services, Lowden said, so this week NTIS announced a partnership with Electronic Data Systems Corp. to jointly offer agencies customized PKI security services and products that will enable agencies to move new business applications to the Internet.

For example, many agencies are looking to develop applications that enable citizens to fill out forms or submit information electronically, rather than submitting paper forms. PKI is seen as a key technology in such applications because it ensures the security of the data.

"It's what you are trying to achieve from a business standpoint," said Kevin Durkin, director of Defense Department sales at EDS.

NTIS and EDS offer another feature that most vendors cannot, said Rich Guida, chairman of the Federal PKI Steering Committee. An agency can be in a real bind if a vendor goes bankrupt, but even if NTIS were dissolved by Congress, by law NTIS' functions would be transferred to another agency. "You have the assurance that what they have done will be continued someplace else," Guida said.

Other vendors, such as Xcert International Inc., are promoting their PKI solutions as a way to save money by enabling agencies to cut down on the amount of time and effort it takes to exchange information.

The Energy Department and Lockheed Martin Idaho Technologies are using Xcert's Sentry CA product to send and receive reports electronically on nuclear waste retrieval efforts in Idaho. Those reports must pass through several authorization levels and must be made available electronically only to certain people, said Tim Gage, the marketing manager at Xcert.

Instead of thousands of pages of paper being exchanged, the public-key technology allows the two organizations to send a single file with an electronic signature. Over the next two to three years, Lockheed Martin estimates that this approach could save the agency and the company as much as $9 million.

Making It Legal

E-Lock Technologies Inc. has developed a product called ATS that is intended to strengthen the legal validity of PKI transactions.

ATS, which is based on Microsoft Corp.'s CryptoAPI, sits on top of any vendor's PKI and provides a further level of data integrity and confidentiality that is not currently available in digital signatures.

ATS goes beyond most digital signature technology to provide time stamps and date stamps to show when a person actually signed an electronic document.

This increased assurance gives the information that is being exchanged a legal authority that is often necessary for transactions between government and the private sector, said Chris O'Connor, vice president of sales and marketing at E-Lock.

The company believes that the most important part of a PKI-enabled business process is how the applications are being used, not the PKI itself, so last week the company announced that it is giving its PKI software away for free. "We see the real value in enabling your current business applications to use the PKI," O'Connor said. "Maybe this will kick-start the whole market."