Retooling e-authentication

In the future, conducting confidential business with the government via the Internet could mean that citizens will use electronic credentials issued by commercial entities, such as banks, to prove they are who they claim to be.

A draft document, which has not been widely circulated, describes how the federal government plans to simplify secure online transactions and communications.

Issued by the General Services Administration's e-Authentication program, the document states that authorized credential services companies and government agencies, in some cases, would issue electronic credentials to users before they submit address changes to the Social Security Administration, for example.

For transactions that are relatively low-risk from a security or privacy standpoint, citizens would receive passwords or personal identification numbers. For higher-risk exchanges, such as money transfers or the sharing of medical or financial information, citizens would be issued new digital certificates or would reuse existing ones to verify their identities when logging on to a network.

"If the government has already issued you a passport in person, it might also be able to issue you an electronic credential that could be used for higher-risk transactions down the road," said Trent Henry, a security analyst at the Burton Group, an information technology

research and consulting company.

Federal officials continue to revise their plans for how to verify the identities of

citizens and others who want to conduct business or communicate with the government using the Internet. Members of the e-Authentication Executive Steering Committee say they are inclined to follow industry's lead on technical standards for

e-authentication.

"Our effort is to remain aligned with what's happening in the market," said Drew Ladner, chairman of the steering committee and the Treasury Department's chief information officer.

GSA, the lead agency for e-authentication efforts, has set aside its plans for creating a centralized governmentwide gateway. The General Accounting Office warned last September that it would be risky for GSA to take on a central role as an online authentication broker. Soon afterward, GSA officials began revising their plans.

Now, they are working out the details of a decentralized, "federated" approach to e-authentication. Compared with newer federated identity protocols, authentication credentials based on public-key infrastructure (PKI) technologies afford higher levels of assurance that people are who they claim to be. PKI technologies also are more versatile, Henry said.

"What really interests people is that PKI can do more than just authentication," he said, adding that a PKI is useful for encrypting and digitally signing documents as well. GSA officials are now seeking vendors that can supply smart cards based on federal PKI standards.

For technical managers who have been developing PKI standards for nearly a decade, the recent surge of interest from the Office of Management and Budget and GSA is welcome.

"We've been trying to build a federal PKI from the bottom up, agency by agency, and that's doing it the hard way," said William Burr, manager of the security technology group at the National Institute of Standards and Technology.