States seeking bridges so PKI can span systems

State and local governments are only beginning public-key infrastructure plans, but they already have a looming problem.

At some point, agency PKIs will have to interoperate, and government systems will have to communicate with those of commercial vendors. How well this works could determine the ultimate success of government PKI.

A solution under development by the federal government could be the answer.

The Federal Bridge Certification Authority (FBCA) is a way to create so-called trust paths between user groups. By "cross-certifying" individual certificate authorities (CAs) through the FBCA, which acts as a trusted third party, a user that needs to accept a PKI certificate from another body to conduct a transaction can build a path to that certificate through the bridge and know at what level of assurance it can be trusted, whichever participating CA issued it.

The FBCA won't be operational until the end of this year at the earliest. But it's already sparking enthusiasm among some states. Virginia is all but committed to using it as the model for its own PKI and for future expansion of electronic transactions between it and the federal government.

New Jersey and Georgia have also been in close consultation with the Federal PKI Steering Committee, the Treasury Department body overseeing development of the FBCA, and other states have reportedly expressed interest in the federal bridge, including California and Washington, as well as the city and county of Los Angeles.

"The bridge will be needed at some point," said Patricia Edfors, director of government operations for Baltimore Technologies, a CA vendor that provides PKI solutions to federal and state governments as well as to private companies.

"States will do what they need to do [on PKI], and the federal government will do what it needs to do, and they will not agree on all of the rules they use," Edfors said. "The FBCA will speed up the communication between the two sides. Otherwise, it will take years for them to negotiate the necessary agreements."

State governments realize the need for PKIs to communicate, she said, since interoperability has become a constant in government requests for proposals. "But that doesn't mean they necessarily know what [interoperability] means," she added.

If parties want to create trust paths between each other now, they either have to use the same vendor as a CA and issuer of certificates, and even then there may be different "flavors" of certificates, or else develop and maintain their own CA trust lists, and deal with all of the interpretation and management protocols involved.

The FBCA replaces those bilateral arrangements by forming a non-hierarchical hub that cross-certifies participating CAs according to terms and policies agreed upon with each of the participating parties.

Within the federal government, for example, a policy authority under the auspices of the Federal PKI Steering Committee agrees with each of the participating government agencies on the levels of assurance under which they would accept certificates from other agencies. This policy authority would then map that agency's policy to the FBCA certificate policy.

States that use this as a model for their own systems would form their own policy authority to map their agencies' PKIs to the state bridge CA policy. That state bridge would then interoperate with the FBCA to allow state agencies to conduct transactions with federal agencies or, presumably, with other states that also interoperate with the FBCA.

"Ideally, we'd like to find a 'killer application' that the state and local governments need to interoperate with a federal agency that could drive this and make it happen sooner," said Richard Guida, chairman of the Federal PKI Steering Committee. "We're just beginning to tap the tip of the iceberg with this. But the expectation is, as people become more aware of the FBCA, the applications will arise."
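The chain described above, an agency policy mapped to a state bridge policy and the state bridge policy mapped to the FBCA policy, is what relying-party software has to walk when it validates a certificate from the other side of the bridge. The following Python is an added illustration of that walk, not FBCA software or any vendor's product. Cross-certificates are modeled as edges carrying policy mappings (the idea behind the X.509 policyMappings extension, in which a policy of the issuing CA's domain is declared equivalent to a policy of the subject CA's domain), and a relying party searches for a path from its own trust anchor through the bridges to the issuing CA. The CA names and policy labels (`VA-Bridge`, `va:medium` and so on) are constructed placeholders, not real CAs or OIDs; signature checking, revocation and the other X.509 path-validation rules are left out so the bridge mechanics stand out.

```python
"""Trust-path discovery and policy mapping through bridge CAs.

Constructed, simplified model: hypothetical CA names and policy labels,
not FBCA software and not real policy OIDs. A cross-certificate is an edge
issuer -> subject that declares which issuer-domain policies are equivalent
to which subject-domain policies (the X.509 policyMappings idea).
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class CrossCert:
    issuer: str                            # CA that signed the cross-certificate
    subject: str                           # CA whose key it vouches for
    mappings: Tuple[Tuple[str, str], ...]  # (issuer policy, equivalent subject policy)


# Constructed topology: a Virginia agency CA hangs off a state bridge, the
# state bridge is cross-certified with the FBCA, and the FBCA is cross-certified
# with federal agency CAs and another state's CA. Bridges cross-certify in both
# directions, so reverse edges are present and the search must avoid cycles.
CROSS_CERTS: List[CrossCert] = [
    CrossCert("VA-Agency-CA", "VA-Bridge", (("va:medium", "vb:medium"), ("va:high", "vb:high"))),
    CrossCert("VA-Bridge", "VA-Agency-CA", (("vb:medium", "va:medium"), ("vb:high", "va:high"))),
    CrossCert("VA-Bridge", "FBCA", (("vb:medium", "fbca:medium"), ("vb:high", "fbca:high"))),
    CrossCert("FBCA", "VA-Bridge", (("fbca:medium", "vb:medium"), ("fbca:high", "vb:high"))),
    CrossCert("FBCA", "Fed-Agency-CA", (("fbca:medium", "fed:medium"), ("fbca:high", "fed:high"))),
    # The policy authority mapped this CA at the high level only.
    CrossCert("FBCA", "Treasury-CA", (("fbca:high", "treas:high"),)),
    # Another state that interoperates with the FBCA directly.
    CrossCert("FBCA", "NJ-CA", (("fbca:medium", "nj:medium"),)),
]


def find_paths(certs: Iterable[CrossCert], trust_anchor: str,
               target_ca: str) -> List[List[CrossCert]]:
    """Every cycle-free chain of cross-certificates from trust_anchor to target_ca."""
    by_issuer: Dict[str, List[CrossCert]] = {}
    for c in certs:
        by_issuer.setdefault(c.issuer, []).append(c)
    paths: List[List[CrossCert]] = []
    queue = deque([(trust_anchor, [])])
    while queue:
        node, path = queue.popleft()
        if path and node == target_ca:
            paths.append(path)
            continue
        visited = {trust_anchor, *(c.subject for c in path)}
        for c in by_issuer.get(node, []):
            if c.subject not in visited:
                queue.append((c.subject, path + [c]))
    return paths


def map_policies(path: Iterable[CrossCert],
                 accepted_at_anchor: Iterable[str]) -> FrozenSet[str]:
    """Translate the relying party's acceptable policies, hop by hop, into the
    policy vocabulary of the last CA on the path. An empty result means the
    path exists but carries no policy the relying party accepts."""
    current = frozenset(accepted_at_anchor)
    for c in path:
        current = frozenset(subj for iss, subj in c.mappings if iss in current)
        if not current:
            break
    return current


def can_accept(certs: Iterable[CrossCert], trust_anchor: str, target_ca: str,
               ee_policy: str, accepted_at_anchor: Iterable[str]) -> bool:
    """True if some path through the bridge(s) maps one of the relying party's
    acceptable policies onto the policy asserted in an end-entity certificate
    issued by target_ca."""
    accepted = frozenset(accepted_at_anchor)
    return any(ee_policy in map_policies(p, accepted)
               for p in find_paths(certs, trust_anchor, target_ca))


if __name__ == "__main__":
    # A Virginia agency that lists only its medium policy, evaluating
    # certificates from several issuers. Treasury fails (no mapping at medium)
    # and MA-CA fails (never cross-certified, so no path at all).
    for issuer, policy in [("Fed-Agency-CA", "fed:medium"), ("NJ-CA", "nj:medium"),
                           ("Treasury-CA", "treas:high"), ("MA-CA", "ma:medium")]:
        ok = can_accept(CROSS_CERTS, "VA-Agency-CA", issuer, policy, {"va:medium"})
        print(f"{issuer:14s} {policy:12s} -> {'accept' if ok else 'reject'}")
```

Two things the walk makes concrete. A path can exist and still yield nothing: the Treasury CA is cross-certified only at the high level, so a relying party that listed only its medium policy ends the walk with an empty policy set. And because certificate policies are identifiers rather than an ordered scale, a relying party that means "medium or better" has to list every policy it accepts; the same Treasury certificate passes once `va:high` is included in the accepted set.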

Because the federal policy authority was expected to be in place in July, some months ahead of the FBCA itself, any state government that already has a PKI in place could apply to be qualified through the policy authority to have its CAs cross-certified with the federally approved CAs. However, Guida said, "We don't expect it because no state is near to that yet. It's more likely to happen in early 2001."

Virginia's formal connection with the FBCA began with a report last summer that had as a core assumption the expectation that there would be multiple PKIs throughout its government. The report also suggested that Virginia explore the federal bridge concept. Before then, said R.F. "Chip" German, director of policy and strategic planning in the University of Virginia's Office of Information Technologies, "it was more a case of what we knew couldn't be done [about interoperability] than could.

"Then [Guida] made a presentation to us about the FBCA. The technical people became intrigued with the notion of the bridge, and it quickly became the potential answer for them," German said. "Then we got up to speed on the policy side."

The University of Virginia is researching the viability of the bridge concept as it applies to state government PKIs.

Unlike in the federal government, where there are already agency PKIs installed that need to interoperate, Virginia will deploy the bridge concept early enough that it can be used to dictate the policies that the state agencies will use to issue certificates. That will simplify things because the optimum certificate policy for the Virginia bridge can be worked out ahead of time.

A prototype of the state bridge is already operating, German said, and the next steps will be detailed in a report due out in September. However, he said, "it's my opinion that the bridge will be a core part of the state PKI environment going forward. It will be one of the major considerations for an overall PKI implementation in Virginia, for dealing with multiple hierarchies and multiple CAs."

New Jersey is also a "big fan" of PKI, according to Don Johnson, the state's director of advanced technology research. But unlike Virginia, New Jersey has taken a more homogeneous route and is disallowing multiple PKIs throughout the government. It's only using VeriSign Inc.'s digital certificates.

However, Johnson said, as the state begins to interact more with organizations outside of the government, which will have their own CAs and certificate policies, the FBCA approach will become more applicable.

"For that reason we consider ourselves a business partner with the federal government," he said. "At least [Guida's group] has started to develop a way of dealing with multiple, different CAs. They have an understanding of the trust issues involved and, crucially, they've developed the client software that allows [interoperability] to happen."

How relevant the FBCA is to state governments depends on their approach to PKI. For Virginia, New Jersey and other states that have opted to install full PKIs, the relevance is obvious. But it's less so for states like Massachusetts, which has decided that a full PKI deployment is not the way to go.

It's too complicated and expensive, and it doesn't agree with the state's current approach, said Dan Greenwood, Massachusetts' special counsel for e-commerce.

"We prefer to use mature technologies such as Secure Sockets Layer on top of the infrastructure we have in place now," he said.

Nevertheless, Massachusetts probably will maintain contact with Guida's committee.

"If you equate a CA with [an electronic] contract, it might be helpful in the future to be able to map from one contract to another, and then the FBCA model could be useful for that," Greenwood said. "There's also simply an inherent value in keeping a relationship open between state and federal governments."

The future of the FBCA now rests with Congress. A prototype was successfully demonstrated in April, and a production version is due to go up by the end of this year.

—Robinson is a freelance journalist based in Portland, Ore.
