PKI interoperability 'paramount'

Federated Electronic Government Coalition

The government risks undermining the potential benefits of a public-key infrastructure unless it develops common policies and processes to ensure interoperability, a new report from a coalition of vendors says.

"Interoperability is paramount. If this is not achieved, the U.S. government and American industry is dealing with a potentially disruptive technology that will affect the policy, legal, technical and process implementation aspects of their business," according to the report, issued May 3 by the Federated E-Government Coalition.

PKI technology allows users to conduct secure transactions through a Web browser. Transactions are encrypted, and the decryption key is provided when a user's identity has been authenticated with a digital certificate.

If there is no unified way for digital certificates to work across government, industry will have to create and support multiple environments. "The subsequent overhead costs would be significant for all parties," the report says.

The report is the third in a series of assessments of the government's PKI initiatives. The first report, in December 2000, was an assessment of the Defense Department's PKI policy.

The report issued May 3 is based primarily on work with DOD. But Michael Mestrovich, FEGC chairman and the president and chief executive officer of consulting firm Unlimited New Dimensions LLC, said the report has implications across government.

The report is critical of DOD's PKI efforts. Mestrovich, however, noted that DOD has been on the cutting edge of government PKI initiatives.

"DOD has progressed more quickly and aggressively than any other federal agency.... The DOD overall vision is commendable," the report says. "It is, however, in the execution of that vision — at the application level" that issues arise.

The government should establish pilots using "domains of common interest" that can focus on interoperability across their groups. A procurement/supply chain group, for example, could then drive interoperability.

The issues are not technological, said Katherine Hollis, director of global information assurance services at EDS. Instead, they are questions about how PKI works with business processes. Therefore, the leaders of the business process must drive PKI's development.

PKI development has been hampered by the "chicken-and-the-egg dilemma": Most applications have not been designed with PKI functionality because their digital certificates were not widely deployed. And most organizations were not deploying digital certificates because there were few PKI-enabled applications.

The group suggests that may be changing. DOD, for example, is putting digital certificates on each of its new Common Access Cards. However, those certificates are designed for internal DOD use.