GSA weighs benefits of smart cards
- By Colleen O'Hara
- Sep 12, 1999
The General Service Administration's Office of Electronic Commerce plans to study the plausibility of issuing smart cards and public-key infrastructure technology for certain applications on a governmentwide basis.
"We want to examine the feasibility of using smart cards and public-key infrastructure technology for authentication, digital signature and access control," said Marion Royal, agency expert at GSA's Office of Governmentwide Policy. "It's not just a study to see how well smart cards enable public-key infrastructure. The real challenge is whether we can use smart cards and [PKI] for access control."
GSA, which the CIO Council asked to conduct the study, plans to look into the interoperability issues associated with using smart cards and PKI for access to buildings and computer systems, Royal said. For example, GSA will examine whether an agency's access system will recognize smart cards from other agencies.
"You may have a secure Web site that manages Thrift Savings Plan access for a government employee," he said. "Can you share a common access control to that system using public-key infrastructure? If I can go to one agency and insert a smart card and be recognized as a guest from another agency, then we've accomplished something."
GSA will look at whether the emerging federal bridge certificate authority concept can provide a "common trust hub" for agencies using smart cards and PKI technology for access-control applications, Royal said. "The bridge certificate authority is a potential enabler," he said, adding that GSA wants to demonstrate how agencies can use the bridge certificate authority in their applications. The bridge certificate authority is a centralized entity designed to distribute digital signatures and to ensure that these certificates interoperate among agencies.
There are no limitations from a technology standpoint as to what applications can take advantage of the bridge certificate authority, said Richard Guida, chairman of the Federal PKI Steering Committee. "It's a matter of policy because each agency has to determine how much they want to trust certificates from other agencies," he said. Secure e-mail and building access should be two early applications that take advantage of the bridge certificate authority, Guida said. GSA is expected to be the one to design, build, deploy and operate the bridge.
A few agencies such as NASA, the Defense Department and GSA are currently testing or considering testing smart cards as the PKI token, said Bill Holcombe, director of card technology at GSA. In addition, the Catalog Interoperability Pilot, of which GSA is a part, is integrating smart card-based PKI during phase two of its test.
The study should provide some valuable information, Holcombe said. "We'd like to get some business models for integrating PKI and smart cards," he said. "We hope to be doing a technology assessment jointly with the Defense Department under that program. So hopefully, you'll see a study as a business case and a pilot tied into the technology assessment."
Anthony Cieri, program manager of the Navy's Smart Card Program Office, said DOD sees the smart card as having "tremendous potential" as a hardware token for PKI. "We view PKI as one of the killer applications for a smart card," he said, adding that DOD is looking at merging several applications on a smart card, not just one. The Navy is tasked with coming up with the PKI hardware token strategy for DOD.
One of the driving factors as far as applications go would be to use the smart card to allow service people to access their medical records from anywhere in the world, Cieri said. "If we used secure Web sites we could conduct those transactions in seconds and you need PKI for that," he said. GSA expects to release a final report on its findings in February next year, Royal said.