PKI bridge open for business

The General Services Administration held a signing ceremony Sept. 18 for the first government agencies to be cross-certified with the federal public-key infrastructure bridge, which makes it easier for agency users to exchange data securely.

The PKI bridge links agencies' certificate authorities (CAs), the services that generate and manage digital certificates to identify users and secure their transactions. The bridge -- a partnership between the Federal PKI Steering Committee and the Federal PKI Policy Authority -- is a collection of hardware, software and policies that let federal agencies and other entities validate digital signatures issued by participating PKI certificates.

Powered by Entrust Inc's PKI technology, the bridge allows users at the Defense Department, the Agriculture Department's National Finance Center, NASA and the Treasury Department as well as other government users to securely share information.

The cross-certification marks a milestone in the government's e-Authentication project, one of the 24 cross-agency e-government initiatives, said Mark Forman, associate director for information technology and e-government at the Office of Management and Budget. The federal bridge "unifies islands of communities" across the government, he said.

More bridging between the government and private sector will happen in the future, Forman added.

Other agencies and governments plan to tie into the federal bridge, including the Canadian government, the state of Illinois, and the U.S. State Department, said Judith Spencer, chairwoman of the Federal PKI Steering Committee.

Before they can do that, however, they must map out policies, undergo compatibility testing, certification and accreditation as well as compliance auditing, Spencer said.

More agencies could be ready for cross-certification within the next three months, Spencer said.

The GSA's Federal Technology Service operates the federal bridge for the government. FTS also is testing other PKI technology from Baltimore Technologies PLC, Microsoft Corp. and RSA Security Inc.

Although VeriSign Inc., a provider of managed PKI services, is not being tested as part of the bridge architecture, the company is testing its products to ensure interoperability with the bridge, Spencer added.