A bridge too far?

The use of public-key infrastructure to enable secure electronic transactions

has been expanding in government, but so far it's been limited to isolated

programs aimed at individual agency applications.

All that will change at the beginning of next year, if a project to

link those agency PKIs into a truly interoperable, governmentwide PKI goes

forward as planned. But first, the project participants must sort through

some additional technical issues, as well as secure funding to finish building

the system and to get other agencies to use it.

The system — the Federal Bridge Certificate Authority (FBCA) — is a

way to create so-called trust paths between various agency PKIs. The actual

linking occurs between the certificate authorities, which play a critical

role in the PKIs. CAs are computer servers that issue the digital certificates

that identify users and secure their electronic transactions.

By cross-certifying CAs through the FBCA, which acts as a trusted third

party, an agency that needs to accept a certificate from another agency

in order to conduct a transaction will know that certificate can be trusted.

The FBCA prototype was made operational in early February and demonstrated

at the Electronic Messaging Association annual conference in April.

Currently, agencies have two options to create trust paths among two

or more CAs. They can standardize on a single vendor's certificates and

CA system. Or they can laboriously develop their own CA trust lists and

manage all of the system interpretation and upkeep involved in their use.

In contrast, the FBCA does all of this automatically by forming a hub

that matches CAs according to terms and policies agreed to by each of the

participating agencies. A Policy Authority under the auspices of the Federal

PKI Steering Committee, a Treasury Department organization overseeing development

of the FBCA, would agree with each participating agency on the levels of

assurance under which that agency would accept certificates. It would then

map that agency policy to the FBCA certificate policy.

"It's important to note that this doesn't impose obligations on any

of the agencies that accept certificates as the "relying' party," said Richard

Guida, chairman of the PKI Steering Committee. "They can still have their

own policies for accepting certificates, but at the least it allows for

other relying parties to accept the certificates going out from participating

agencies. In this way, we can protect agency autonomy."

This approach retains the possibility of getting as many agencies as

possible to participate in the FBCA because it doesn't put burdens on those

that, for one reason or another, want to maintain close control over the

certificates they accept for online transactions.

Work Remains

Overall, the April demonstration showed that the FBCA could deliver

the PKI interoperability that was promised, though there's still work to

be done, said Gary Moore, technical adviser for the federal government for

Entrust Technologies Inc., Plano, Texas, one of the two CA vendor participants

in the FBCA.

More than the CAs themselves, he said, one of the most challenging aspects

of the whole project is managing the directories, which store information

such as user names and profiles and access privileges.

"When we started all of this two years ago, one of the things we recognized

was the need for the various agency directories to communicate," Moore said.

"In building the trust paths, we have to deal with how to make directories

more compatible, since [directories built on] LDAP [Lightweight Directory

Access Protocol] don't work in the same way as X.500."

Then there are the different directory schemas to be taken into account

and the need for consistent naming because one agency may define something

completely differently from another agency. That means having to look at

different ways of enabling organizations to communicate with each other

while at the same time protecting the individual directory and PKI structures

within the agencies.

But, Moore said, there is a strong understanding of what is required

of the different elements of the FBCA. All of the elements are there, he

said, and "there are no technical showstoppers."

Not everyone is convinced of the need for the FBCA, at least not yet.

Mike Laurie, vice president of alliances and co-founder of Silanis Technology,

St. Laurent, Quebec, thinks agencies are still so focused on their own needs

that they don't yet attach any urgency to interoperating with other agencies.

In the meantime, he said, "the Web is happening. The focus is on how

to get [agencies] to use the Web in the first place, even before considering

such things as the use of certificates and interoperability."

Agencies' current needs may be limited to the ability to use digital

signatures so they can sign off on internal requests. "PKI by its nature

delivers a whole higher level of authenticity, but many people and agency

processes don't need things to happen at that high a level," Laurie said.

"It will be a few years before an interoperable PKI is in place."

Maybe. But the fact is that, in this case, government seems to be ahead

of the commercial sector, and that by itself may drive the whole issue of

interoperability.

"To my knowledge, there is nothing out there that is similarly trying

to bring together so many disparate elements," said Patricia Edfors, director

of government operations for Baltimore Technologies, Needham, Mass., the

other CA vendor taking part in the prototype FBCA.

Edfors has a particularly wide perspective, having been a champion for

security issues on the Government Information Technology Services board

and a senior official involved in technology at the Treasury and Justice

departments, and the National Institute of Standards and Technology.

"Wide-scale cross- certification of CAs in an operational environment

has not happened elsewhere, so to that extent, the government effort is

leading the way," she said.

The FBCA has already shown the potential of the bridge approach and

helped introduce users to the different flavors of CAs that already exist.

If true interoperability and cross-certification can be demonstrated, she

said, "it could provide an opportunity to take this [bridge] approach and

spread it to state and local markets, into the commercial world, and even

internationally."

If there is any resistance to developing the production version of the

FBCA, scheduled for rollout by the end of this year, it will likely come

during the congressional appropriations process. Treasury has requested

$7 million in its recent budget proposal, though $5 million of this is targeted

to helping agencies connect to the FBCA. Only $1.5 mil-lion is intended

for the rest of the development work on the bridge itself, and the other

$500,000 is designated for operational needs.

"Even if we get only a fraction of what we've asked for, we will still

be able to build the bridge," Guida said. "But the question then is if there

will be anyone who can use it."

—Robinson is a freelance journalist based in Portland, Ore. He can be reached

at hullite@mindspring.com.