PKI at the crossroads

Think more Golden Gate Bridge than wooden footbridge. Years in the works, a federal effort to link the public-key infrastructures (PKIs) of agencies has proved quite an undertaking and has been marked by what appears to be rather slow progress.

Now, there is a strong current of activity surrounding the federal PKI bridge. "Under the water, we are paddling like mad," said Judith Spencer, chairwoman of the Federal PKI Steering Committee.

Half a dozen agencies, two states and the Canadian government are among the first to participate in the Federal Bridge Certification Authority (FBCA).

That's a respectable showing, many say, given the effort it takes to meet FBCA requirements. "Six is about what I expected," said Spencer, whose group works with the Federal PKI Policy Authority, which oversees FBCA operations.

The bridge was conceptualized as a PKI hub that can provide an efficient way to link agencies' certificate authorities (CAs). The central component of a PKI, a CA is the server used to generate digital certificates to identify users and secure their transactions, such as e-mail messages and file exchanges.

By cross-certifying CAs through the FBCA, which acts as a trusted third party, an agency that needs to accept a certificate from another federal, state or local agency to conduct an electronic transaction will know that the certificate can be trusted.

The alternative is for agencies to create and maintain direct PKI-to-PKI links to each agency they want to exchange secure information with — and that would be an even more immense undertaking.

Certified Solutions

Although the bridge has yet to experience its first true exchange, some sizable agencies are in different stages of "cross-certifying" their PKIs with the bridge. Those include NASA, the Agriculture Department's National Finance Center, and the Defense and Treasury departments.

Plus, the General Services Administration's PKI services contract, Access Certificates for Electronic Services, is on its way to cross-certification. Meanwhile, many other organizations both within and outside of the federal government have expressed interest in the bridge.

For the organizations preparing to use the bridge in the next several months, cross-certification involves proving — from a policy and technology standpoint using mutual baselines — that the agencies are ready to send and receive secure communications with other bridge participants.

Spencer offered a scenario that illustrates the benefits of cross-certification. "What they will be able to do, for example, is have credentials issued to a NASA employee recognized by the National Finance Center," she said. This would enable a NASA employee to make National Finance Center financial transactions securely online, she said.

The ability to capitalize on PKI investments beyond a single agency is crucial, said Peter Alterman, director of operations for the Office of Extramural Research at the National Institutes of Health.

"PKI is no good if you are only talking to yourself," he said. "For instance, if I use the technology to certify [Department of Health and Human Services] travel orders or procurement documents, I can get a reasonable return on investment. But really, that is just efficiency in government."

By contrast, FBCA was designed to let federal agencies move beyond their own borders, so they could build sophisticated online applications across government. Along the way, the bridge was also intended to make the forging of PKI paths to the outside world much easier for agency users.

"The idea was why not build a central point and have everyone link to it. That way the process of cross-certification is done once, not 30 times," said Gary Moore, senior architect for global government solutions at Entrust Inc., a CA vendor participating in the federal bridge.

Technology: The Easy Part

One cross-certification exercise is enough for any agency. Many described the process as an exhaustive regimen of codifying and mapping the policies that dictate the issuance and use of digital certificates. Then bridge candidates must have policies matched to practice statements verified by an outside audit.

And that comes after an agency has put a substantive PKI in place. In fact, building the enterprise PKI required for bridge connectivity is considered the lighter side of the equation. "The technical part is the easiest," Moore said.

But implementing a PKI is not an easy option for all agencies. In fact, agencies vary widely in terms of their adoption of PKI technology, said Bill Stewart, principal at Booz Allen Hamilton, which has helped develop PKIs at DOD and several civilian and intelligence agencies.

Stewart suggests thinking of federal PKI use as a classic bell curve. "At the top end are those implementing it for real," he said. "The mainstream is people who are looking at it pretty hard and have pilots and prototypes in place. They are looking at their policies but have not yet pulled the trigger."

At the bottom of the curve are agencies that have not gone far at all with PKI. In fact, some agencies do not realize they must first build systems before turning to FBCA. These agencies "think they'll just use the bridge. In other words, they don't have a clue," Stewart said.

"A bridge connects two points," quipped one vendor, who also talked about the challenges of educating agencies on what they need to participate in the FBCA. "I believe many agencies have a profound misconception of the bridge."

But despite lingering PKI confusion and industry reports citing the technology's demise, there is some evidence of healthy PKI plans across government, said NIH's Alterman. "The exciting thing is that agencies by and large are committed to standing up PKIs and issuing certificates to do business," he said.

A Matter of Policy

In addition to building a sturdy PKI, agencies must also think about their business processes and policy planning.

"People really get focused on the technology. But what's really important about the bridge is the fact that it creates a venue to bring forth policies and have a disinterested third party map those policies vis-a-vis everyone else's," said Keren Cummins, vice president of government services at Identrus LLC, a CA vendor on GSA's contract that is working on FBCA interoperability.

An agency's set of governing PKI policies includes everything from how the organization goes about dispensing digital certificates to how it characterizes its internal security levels.

"PKI reflects the rigor put into vetting a person's identity," said Stewart, citing just one component of a PKI policy. For instance, one agency might require employees to have a face-to-face meeting and bring two forms of identification before issuing a certificate, Stewart said.

"In another agency, they might believe you are who you say you are and just make you show up and get your certificate," he said. "You have to work through those issues to cross-certify."

Once such details are codified to form a policy, a bridge applicant would ship that documentation to the PKI working groups manning the bridge.

"We do the mapping exercise against our criteria," Spencer said. "They must meet or exceed all 150 of the individual items on our list and be mapped to a medium assurance system."

Even matching 95 percent of the FBCA criteria won't cut it, because deficiencies will impact all bridge users. "We can't say to the others, 'Here are the areas where they fell down. You decide if that's important to you,'" she said.

However, applicants that score a 95 may qualify for a lower, "basic" security level. "We don't just toss them out," she said.

Many conclude that the level of difficulty attached to the journey to cross-certification is fitting.

"If it were easy, you wouldn't be so sure there was a trust relationship," said Georgia Marsh, associate director of the Illinois Department of Revenue.

Once the initial pack of applicants have finished certifying their PKIs, other agencies, including the U.S. Patent and Trademark Office, are expected to follow suit.

"Within 12 months, there will be a real change," Alterman said. He predicts that once the bridge goes live and the benefits are obvious, more agencies will initiate PKI pilot projects.

Jones is a freelance writer based in Vienna, Va.

***

Federal Bridge Certification Authority

* Designed as a nonhierarchical hub to link agencies' public-key infrastructures.

* Not a root certificate authority, so it does not generate digital certificates.

* Connects trust domains — systems of mutual security policies — to forge paths between agencies' principal certificate authorities. * Eliminates tedious peer-to-peer cross-certification between agency certificate authorities.

* Maintains a central directory of certificates and certification revocation lists.

* Operated by Mitretek Systems Inc., which also runs a prototype lab and is testing the interoperability of products offered by vendors including Entrust Inc., Microsoft Corp., VeriSign Inc. and RSA Security Inc.