DOD, Netscape ready PKI rollout

The Defense Department last week tapped Netscape Communications Corp. for software that is critical to DOD's future public-key infrastructure plans, and the department is preparing to award multiple contracts for digital certificate management authorities by the end of the month, according to government and industry sources.

Both moves are key elements in DOD's effort to develop a PKI to enhance the overall security of DOD's information networks and to support the paperless-contracting initiative backed by deputy secretary of Defense John Hamre.

Announced last week, the Netscape deal includes Version 4.1 of the Certificate Management System (CMS), which will provide the department with critical capabilities to issue and manage digital certificates, recover encryption keys and support Federal Information Processing Standard-compliant hardware cryptography as well as the Digital Signature Standard. Version 4.1 of CMS is part of the final option under an original contract signed with Netscape in 1997 for server and client software.

The Pentagon plans to use PKI technology to authenticate the identity of users on its networks as well as to encrypt electronic information flowing over those networks - a plan that, if successful, will result in the largest PKI in the world. DOD already has employed PKI technology in a pilot program supporting the Defense Travel System, and the department plans additional pilot projects covering electronic commerce applications, the Global Command and Control System and the Global Combat Support System.

Now in its second year, the original Netscape license agreement covered Communicator client software and five servers. Since 1997, the deal has gone through several amendments and upgrades, including the addition of new servers, Communicator Pro and a security toolkit. A spokeswoman for the Defense Information Systems Agency said DOD has purchased as many as 555,000 Netscape licenses to date, adding that the final option could bring the total number of licenses to 2 million.

John Menkart, director of government sales for Netscape, said DOD's acquisition of CMS Version 4.1, which he described as Netscape's "next-generation" product for certificate services, "puts DOD right in the sweet spot" in terms of preparing for deploying a PKI. "They have everything they need to roll out a PKI," Menkart said.

According to Menkart, CMS Version 4.1 is a "logical upgrade" for the certificate server. It will support large-scale PKI deployments, hardware tokens for increased security and functional separation - a security-enhancement feature aimed at separating the encryption process from the process of digitally signing documents. Through functional separation, DOD will be able to archive encryption keys for recovering data while maintaining security for the owner of the digital certificate.

Certificate Authorities

Nick Piazzola, vice president of the federal markets division at security vendor VeriSign Inc., said the more important decision facing DOD - one that it is poised to make this month - is picking interim external certificate authorities. They will be commercial vendors that will act as trusted third parties by issuing digital certificates, or electronic credentials, to verify the identities of the parties involved in a transaction with DOD.Certificates are stored in online digital directories, which must be updated and checked constantly.

"That will be a very important event because it would be the first formal acceptance [by DOD] of outsourced [certificate management] service," Piazzola said. In addition, "it opens up the possibility of [providing] managed PKI service inside DOD as well," he said.

According to Piazzola, DOD soon may realize that there are efficiencies and cost savings to be had from outsourcing internal certificate management.

According to industry sources, the National Security Agency, which in April picked up overall program management responsibility for DOD's PKI effort, recently issued a request for proposals for a pilot program covering commercial PKI management services in an effort to determine "if it would be acceptable to DOD."

However, an industry source said that of the 10 bids received by DISA for the Interim External Certificate Authority contracts, all were refused "for not meeting the requirements."

According to the source, the refusal of all 10 bids raises questions about whether DOD is focusing on the right requirements. As they now stand, "it's like buying a Cadillac and putting a tank turret on it and still calling it a tank," the source said.