Industry raps Pentagon PKI

Defense Department officials say they're revamping their public-key infrastructure policy in light of an industry consortium report that sharply criticized DOD practices.

The Federal Electronic Commerce Coalition called for the Pentagon to relax its Aug. 12, 2000, PKI policy that mandates the highest level of PKI certification — Level 4 — for every transaction by 2005.

Because retirees will need to access DOD financial, health and personnel systems, and vendors dealing with DOD may not use Level 4 certificates, the department should mandate different levels of certification — from Level 2 to Level 4 — depending on the business area, said Michael Mestrovich, chairman of Arlington, Va.-based FECC.

Thirty-eight industry officials signed the FECC "Impact Assessment of DOD's PKI Policy" white paper on Dec. 11. The organization represents 16 industry associations with 7,000 members.

"They're suggesting we use the federal [PKI] bridge, and we have always been committed to that," said Paul Grant, electronic business executive for the assistant secretary of Defense for command, control, communications and intelligence.

DOD officials are implementing key areas of the report, he said, and added that he believed the Bush administration would try to implement the FECC recommendations.

Nonetheless, he said it will be difficult to enable retirees and vendors with weaker certificate authority to perform transactions with DOD systems without compromising sensitive or classified data.