Next Windows to work with Pentagon's PKI

Microsoft Corp. officials have agreed to alter the next- generation Windows operating system so that it will accommodate the existing digital certificate being used on Defense Department Common Access Cards.

The agreement will help the Pentagon avoid issuing new, application-specific digital certificates for millions of Common Access Cards, which are being issued with a generic public-key infrastructure identity certificate. The move could give the Pentagon an incentive to quickly migrate to the successor to the Windows 2000 operating system.

The Pentagon plans to issue Common Access Cards, also known as smart cards, to 3.2 million people by Sept. 30, 2002. When inserted in a PC Card reader, the cards give authorized users access to a network.

In mid-May, Micro.soft officials sent a letter to Mike Green, the program management officer for DOD public-key infrastructure, committing to the use of DOD's identity certificate for smart card log-ins under the next-generation Windows system, said Pat Arnold, Microsoft Federal's director of information assurance. The successor to Windows 2000, code-named Blackcomb, is expected to be released in "a couple of years," said Keith Hodson, a Microsoft spokesman.

DOD and Microsoft officials met with members of the Internet Engineering Task Force (IETF)—an international community of network designers, operators, vendors and researchers—in March to discuss the agreement, Arnold said. IETF was consulted because Microsoft is using PKINIT, an IETF- produced public-key cryptography, for initial authentication in Blackcomb, Arnold said.

"PKINIT is how you marry up key operations and Kerberos," he said. Kerberos is the Massachusetts Institute of Technology- developed secret-key cryptography that provides strong authentication between client and server.

The smart card log-in feature of Windows 2000—the system used on Navy Marine Corps Intranet PCs and servers—uses application-specific certificates, Green said. "What we told [Microsoft] is "That's not the way we designed the DOD certificate,' " he said.

Within the next two years, there could be thousands of PKI- enabled DOD applications, Green said. If Microsoft continues to make its PKI log-in application-specific, users might have to add digital certificates to their smart cards for every new application.

"If we let Microsoft do that, we know the next week someone else would want to do it," Green said. "We didn't want to get in that game." He called the agreement "a very good decision on both parts. A good compromise."