A bridge not too far

Federal PKI Steering Committee

The federal government is investigating the legal and policy issues involved in opening its public-key infrastructure to the state of Illinois, with the intent of using the Illinois test as a blueprint for including other non-federal organizations in its security framework for electronic transactions.

Under the federal government's vision, a single PKI would exist in which any agency could accept a digital certificate issued by any other agency. Digital certificates store data on an individual's identity for authentication and authorization in electronic transactions.

The Federal PKI Steering Committee oversees the governmentwide PKI and developed the Federal Bridge Certification Authority, the central mechanism that enables the interaction of different agency certificates. Last year the steering committee successfully tested the bridge with six differentagencies — including the Defense and Treasury departments and the General Services Administration — and it is expected to be operational by May.

Jim Flyzik, chief information officer at the Treasury Department, said that once digital signatures become routine, "the things we're going tobe able to do will be phenomenal. This is the beginning of a national infrastructure for PKI."

The success of the bridge in testing caught the attention of the officeof the chief technology officer in Illinois, which is rolling out its own PKI.

Being able to use the federal bridge to interoperate with agencies at that level will make e-government that much more attractive to citizens, said Mary Reynolds, Illinois CTO. "They don't care what level of government provides a service, or something they need," she said.

Citizens and businesses at present often must work with agencies at both the state and federal levels for the same transaction. State and federal officials agree that cross-certifying must be driven by the applications that will use the certificates, such as the ability of an employer to file wage earnings reports to the state, the Social Security Administration and the Internal Revenue Service.

PKI "doesn't really make any difference by itself until people start building applications for it," said Brent Crossland, deputy technology officer for Illinois. "By itself it really doesn't get you where you want to go."

Those applications include, for example, filing reports to the Environmental Protection Agency and receiving grants or requesting financial aid fromthe Education Department. The ability to use the same certificates for various transactions reduces management responsibilities for the agencies and hassle for the citizens, said Judith Spencer, chairwoman of the Federal PKI Steering Committee. "The more that that person can do with that certificate, the better [it is] for everybody."

The steering committee and the Illinois CTO office met regularly during the past few months, and Spencer has asked the committee's legal and policy working group to determine how the federal bridge can cross-certify with the Illinois certification authority.

One of the working group's biggest problems is simply that the proposal has never been done before at any level. "We're not sure what the issues are, what are the roadblocks that will prevent us from doing this," Spencer said.

Just persuading agencies to consider using digital certificates is a challenge for officials who have few examples to cite as successes. "It'snot something that people are comfortable using because it's brand new," Reynolds said.

That may prove the most vital aspect of the Illinois work, PKI officials said. Although improving service for citizens interacting with the stateand federal government will be crucial to the partnership, a successful conclusion to the test will be a trophy to show.

"The idea is if we can demonstrate it, then perhaps it can be used as a blueprint for other states," Spencer said.

Illinois is only the first step — and a safe one since it is simply another form of U.S. government. The vision is to have the federal bridge cross-certify with certification authorities from different U.S. market sectors such as the financial and health care industries, and even with international governments.

"Those are things that we're actively working for long term," Spencer said. "Obviously we're going to walk before we run." Judi Hasson contributed to this report.