GSA leaps PKI hurdle

GSA ACES

The General Services Administration is making available to the public a technology originally developed for the government that allows organizations to authenticate the identity and authority of any user in an electronic transaction.

The technology is called the Certificate Arbitrator Module (CAM) and is important because it allows an organization to validate a digital certificate from any vendor.

Many public-key infrastructure technologies are available on the commercial market, all of which can be used to issue slightly different digital certificates. PKI-enabled applications use the digital certificates to authenticate a user's identity by checking the certificate against the issuing certificate authority's validation list.

But when an organization chooses to go with one PKI technology, it normally cannot accept the digital certificates issued by another.

In 1999, GSA's Federal Technology Service awarded its multiple-vendor Access Certificates for Electronic Services (ACES) contract, intended to allow agencies to provide secure transactions to the public. Because a citizen or business could use a certificate issued by any agency, officials knew they would have to find a way for agencies to be able to accept any certificate. That is where the CAM comes in. GSA contracted with Mitretek Systems Inc. to develop a prototype, testing it by using the certificates issued by the three ACES vendors. Now, after more than a year of testing, GSA has proved the CAM works, and the agency and Mitretek are releasing the software as open-source technology for anyone in the private sector to use.

Making the CAM software available to everyone, it is hoped, will "spur on PKI implementation," said Sallie McDonald, assistant commissioner for GSA's Office of Information Assurance and Critical Infrastructure Protection.

Studies have shown that many organizations have not started a PKI program to provide security for their Web-based applications because it is too complex and expensive. The CAM could remove that objection by mitigating concerns that an organization will be cut off from others when it chooses a single vendor solution, McDonald said.

It took a while to make the CAM open source because of intellectual property concerns and other legal issues, said Gilbert Miller, vice president of Mitretek's Center for Telecommunications and Advanced Technology. The nonprofit company provides expertise to the government on many projects, and in the case of the CAM, also put up money for development, Miller said.

The government paid for the development of the CAM, and Mitretek will continue to maintain the software. The government will not receive a direct return on investment, but agencies will benefit from GSA making the software open source, Miller said.

"We and GSA would not be able to keep up with the improvements that other people could think about," he said.

People interested in the technology will often tinker with open-source software as they use it, making improvements and other changes in what essentially becomes a large test center for the software. The most well-known example of this is the continual changes made in the Linux operating system.

Because the CAM Web site includes a section for submitting source code changes, in the future government users will end up with a better tool as well, McDonald said. The changes will also help the general public, as the CAM will adapt to fit environments other than the government, McDonald said.

Mitretek maintains the CAM Open Source Web site, allowing downloads of the software and evaluating the source code that is submitted. GSA will review those changes to determine what can best benefit the government, Miller said.

Candid Cam

The Certificate Arbitrator Module (CAM) allows public-key infrastructure-enabled applications to validate the authenticity of any digital certificate.

Typically, a digital certificate can only be verified within the same network that issued it. But when an organization has a diverse user base that uses many types of certificates, the CAM matches the certificates with the appropriate issuing certificate authorities (CAs).

When a user starts a transaction with a certificate not recognized by an application, the application uses the CAM to submit a signed validation request to the issuing CA via the Internet. A response, also signed to ensure the integrity of the information, is sent back to the CAM and is forwarded to the organization, saying that it is OK to accept the certificate or, if the certificate was turned down, explaining why.