'John Hancock' Goes Digital

States Are on the Verge of Issuing the Public a Way To Secure Their Online Government Business

While many states dabble with public-key infrastructure (PKI) technology to secure in-house applications, others are far ahead, preparing to present millions of citizens with a way to secure their electronic transactions.

Illinois, Iowa, Washington, Utah and North Carolina all are designing large-scale projects involving digital certificates — electronic documents that serve as a signature and a binding confirmation that people involved in electronic transactions are who they say they are. Digital certificates are the core of a PKI.

Digital signatures are the equivalent of a handwritten signature in a paper-based transaction. Without such authentication, electronic transactions may not be legally binding. State officials and vendors say the technical issues in replacing handwritten signatures with digital ones are easily solved, but the policies behind them can prove challenging.

Iowa has released a request for information for its PKI, and officials plan to award a contract in August. Initially, people will be able to order birth, marriage and death certificates online. And businesses will be able to go online to file documents with the secretary of state's office and perform some of the requirements for professional license renewal, said Richard Varn, Iowa's chief information officer. Eventually, the PKI will secure more advanced e-commerce transactions, such as online tax filing.

"We have a number of applications where we do need to have citizens file with a certain degree of confidentiality and security," Varn said. "This seems to be the industry direction."

One of the issues that has perplexed those considering a PKI is determining who will serve as the certification authority (CA), or the entity responsible for issuing, managing and revoking the digital certificates containing the digital signatures.

Varn said officials in Iowa have not decided if the state will operate its own CA or allow a trusted third party — such as a vendor or a bank — to operate it on its behalf. They have determined, however, that they will use a single CA to issue certificates.

The certificates will contain various authorization levels. For example, a citizen might have access rights to file taxes and documents with the secretary of state's office but may not be allowed to handle other transactions online.

Although the state is still hammering out details on how to issue digital certificates to citizens, one likely scenario would have them receiving a digital certificate when they renew a driver's license, Varn said.

"What does it take to do this and to show you are who you say you are?" Varn said. "What amount of verification do you need for what? Biometrics being linked to your PKI is as secure as you can imagine. Between that extreme and [saying] 'Well, they registered' are an awful lot of policy choices."

Within three to four years, officials expect that all 2.9 million people in the state will be able to perform secure government transactions via the Internet. However, they may not all need digital signatures, Varn said. Some may get the security they need using a personal identification number (PIN) and a password.

Other states are not far behind.

Illinois has signed an enterprisewide agreement with Entrust Technologies Inc. for PKI technology to secure both internal transactions and transactions with businesses and citizens. The state is finalizing plans to launch a pilot in which agencies would use digital signatures to sign government travel vouchers and internal forms, said Brent Crossland, deputy technology officer for the Illinois Technology Office.

The state will operate its own CA and issue one certificate to citizens containing the various authorization levels based on the ways a person might communicate with the government. But like Iowa, Crossland said, there are many policy details to figure out before rolling out a production PKI in June.

"If we issue a digital certificate, are there any grounds for us to revoke the certificate?" Crossland said. "I suddenly make it impossible for you to interact with government that way."

Another policy question to be addressed is whether a uniform authentication standard is needed.

"Can they accept the same level of authentication at [the] revenue department that they're going to accept at the department of natural resources?" Crossland said.

In March, the state of Washington tapped Digital Signature Trust Co. to issue and manage digital certificates for businesses and citizens. The company will help state officials write policies for its PKI and create applications, said Karen West, the firm's director of government services.

Washington residents will obtain certificates by downloading a form from a World Wide Web site, having it notarized at a bank and submitting it to the company. In addition, several state agencies will issue certificates.

First, the state will tackle creating access control mechanisms for transactions over the Web, such as filing taxes electronically. And state agencies will begin to sign forms using a digital signature capability.

"You could scale up to 5 million users over the course of a few years," West said. "In two years, there'll be 100,000 people using the PKI."

It is vital that states' policies ensure that their PKI will interoperate with PKIs operated by the federal government, other states and businesses, West said. In addition, Washington will launch a campaign to educate people about how digital signatures work and how to protect their certificates.

"This is like your credit card, like your PIN for your ATM card," West said. "If you give it to someone else, you're going to have a problem."

— Harreld is a freelance writer based in Cary, N.C.
