States seeking bridges so PKI can span systems

State and local governments are only beginning public-key infrastructure

plans, but they already have a looming problem.

At some point, agency PKIs will have to interoperate, and government

systems will have to communicate with those of commercial vendors. How well

this works could determine the ultimate success of government PKI.

A solution under development by the federal government could be the answer.

The Federal Bridge Certification Authority (FBCA) is a way to create

so-called trust paths between user groups. By "cross-certifying" individual

certificate authorities (CAs) through the FBCA, which acts as a trusted

third party, any user that needs to accept a PKI certificate from another

body to conduct a transaction will know the certificate can be trusted,

no matter which CA issued it.

The FBCA won't be operational until the end of this year at the earliest.

But it's already sparking enthusiasm among some states. Virginia is all

but committed to using it as the model for its own PKI and for future expansion

of electronic transactions between it and the federal government.

New Jersey and Georgia have also been in close consultation with the Federal

PKI Steering Committee, the Treasury Department body overseeing development

of the FBCA, and other states have reportedly expressed interest in the

federal bridge, including California and Washington, as well as the city

and county of Los Angeles.

"The bridge will be needed at some point," said Patricia Edfors, director

of government operations for Baltimore Technologies, a CA vendor that provides

PKI solutions to federal and state governments as well as to private companies.

"States will do what they need to do [on PKI], and the federal government

will do what it needs to do, and they will not agree on all of the rules

they use," Edfors said. "The FBCA will speed up the the communication between

the two sides. Otherwise, it will take years for them to negotiate the necessary

agreements."

State governments realize the need for PKIs to communicate, she said,

since interoperability has become a constant in government requests for

proposals. "But that doesn't mean they necessarily know what [inter- operability]

means," she added.

If parties want to create trust paths between each other now, they either

have to use the same vendor as a CA and issuer of certificates — and even

here there may be different "flavors" of certificates — or else develop

their own CA trust lists, and deal with all of the interpretation and management

protocols involved.

The FBCA does all of this automatically by forming a non-hierarchical

hub that matches CAs according to terms and policies agreed upon with each

of the participating parties.

Within the federal government, for example, a policy authority under

the auspices of the Federal PKI Steering Committee agrees with each of the

participating government agencies on the levels of assurance under which

they would accept certificates from other agencies. This policy authority

would then map that agency's policy to the FBCA certificate policy.

States who use this as a model for their own systems would form their

own policy authority to map their agencies' PKIs to the state bridge CA

policy. That state bridge would then interoperate with the FBCA to allow

state agencies to conduct transactions with federal agencies or, presumably,

with other states that also interoperate with the FBCA.

"Ideally, we'd like to find a "killer application' that the state and

local governments need to interoperate with a federal agency that could

drive this and make it happen sooner," said Richard Guida, chairman of the

Federal PKI Steering Committee. "We're just beginning to tap the tip of

the iceberg with this. But the expectation is, as people become more aware

of the FBCA, the applications will arise."

Because the federal policy authority was expected to be in place in

July, some months ahead of the FBCA itself, any state government that already

has a PKI in place could apply to be qualified through the policy authority

to have its CAs cross-certified with the federally approved CAs. However,

Guida said, "We don't expect it because no state is near to that yet. It's

more likely to happen in early 2001."

Virginia's formal connection with the FBCA began with a report last

summer that had as a core assumption the expectation that there would be

multiple PKIs throughout its government. The report also suggested that

Virginia explore the federal bridge concept. Before then, said R.F. "Chip"

German, director of policy and strategic planning in the University of Virginia's

Office of Information Technologies, "it was more a case of what we knew

couldn't be done [about interoperability] than could.

"Then [Guida] made a presentation to us about the FBCA. The technical

people became intrigued with the notion of the bridge, and it quickly became

the potential answer for them," German said. "Then we got up to speed on

the policy side."

The University of Virginia is researching the viability of the bridge

concept as it applies to state government PKIs.

Unlike in the federal government, where there are already agency PKIs

installed that need to interoperate, Virginia will deploy the bridge concept

early enough that it can be used to dictate the policies that the state

agencies will use to issue certificates. That will simplify things because

the optimum certificate policy for the Virginia bridge can be worked out

ahead of time.

A prototype of the state bridge is already operating, German said, and the

next steps will be detailed in a report due out in September. However, he

said, "it's my opinion that the bridge will be a core part of the state

PKI environment going forward. It will be one of the major considerations

for an overall PKI implementation in Virginia, for dealing with multiple

hierarchies and multiple CAs."

New Jersey is also a "big fan" of PKI, according to Don Johnson, the

state's director of advanced technology research. But unlike Virginia,

New Jersey has taken a more homogeneous route and is disallowing multiple

PKIs throughout the government. It's only using VeriSign Inc.'s digital

certificates.

However, Johnson said, as the state begins to interact more with organizations

outside of the government, which will have their own CAs and certificate

policies, the FBCA approach will become more applicable.

"For that reason we consider ourselves a business partner with the federal

government," he said. "At least [Guida's group] has started to develop a

way of dealing with multiple, different CAs. They have an understanding

of the trust issues involved and, crucially, they've developed the client

software that allows [inter- operability] to happen."

How relevant the FBCA is to state governments depends on their approach

to PKI. For Virginia, New Jersey and other states that have opted to install

full PKIs, the relevance is obvious. But it's less so for states like Massachusetts,

which has decided that a full PKI deployment is not the way to go.

It's too complicated and expensive, and it doesn't agree with the state's

current approach, said Dan Greenwood, Massachusetts' special counsel for

e-commerce.

"We prefer to use mature technologies such as Secure Sockets Layer on

top of the infrastructure we have in place now," he said.

Nevertheless, Massachusetts probably will maintain contact with Guida's

committee.

"If you equate a CA with [an electronic] contract, it might be helpful

in the future to be able to map from one contract to another, and then the

FBCA model could be useful for that," Greenwood said. "There's also simply

an inherent value in keeping a relationship open between state and federal

governments."

The future of the FBCA now rests with Congress. A prototype was successfully

demonstrated in April, and a production version is due to go up by the end

of this year.

—Robinson is a freelance journalist based in Portland, Ore.