'John Hancock' Goes Digital
- By Heather Harreld
- May 01, 2000
While many states dabble with public-key infrastructure (PKI) technology
to secure in-house applications, others are far ahead, preparing to present
millions of citizens with a way to secure their electronic transactions.
Illinois, Iowa, Washington, Utah and North Carolina all are designing
large-scale projects involving digital certificates — electronic documents
that serve as a signature and a binding confirmation that people involved
in electronic transactions are who they say they are. Digital certificates
are the core of a PKI.
Digital signatures are the equivalent of a handwritten signature in
a paper-based transaction. Without such authentication, electronic transactions
may not be legally binding. State officials and vendors say the technical
issues in replacing handwritten signatures with digital ones are easily
solved, but the policies behind them can prove challenging.
Iowa has released a request for information for its PKI, and officials
plan to award a contract in August. Initially, people will be able to order
birth, marriage and death certificates online. And businesses will be able
to go online to file documents with the secretary of state's office and
perform some of the requirements for professional license renewal, said
Richard Varn, Iowa's chief information officer. Eventually, the PKI will
secure more advanced e-commerce transactions, such as online tax filing.
"We have a number of applications where we do need to have citizens
file with a certain degree of confidentiality and security," Varn said.
"This seems to be the industry direction."
One of the issues that has perplexed those considering a PKI is determining
who will serve as the certification authority (CA), or the entity responsible
for issuing, managing and revoking the digital certificates containing the
Varn said officials in Iowa have not decided if the state will operate
its own CA or allow a trusted third party — such as a vendor or a bank —
to operate it on its behalf. They have determined, however, that they will
use a single CA to issue certificates.
The certificates will contain various authorization levels. For example,
a citizen might have access rights to file taxes and documents with the
secretary of state's office but may not be allowed to handle other transactions
Although the state is still hammering out details on how to issue digital
certificates to citizens, one likely scenario would have them receiving
a digital certificate when they renew a driver's license, Varn said.
"What does it take to do this and to show you are who you say you are?"
Varn said. "What amount of verification do you need for what? Biometrics
being linked to your PKI is as secure as you can imagine. Between that extreme
and [saying] 'Well, they registered' are an awful lot of policy choices."
Within three to four years, officials expect that all 2.9 million people
in the state will be able to perform secure government transactions via
the Internet. However, they may not all need digital signatures, Varn said.
Some may get the security they need using a personal identification number
(PIN) and a password.
Other states are not far behind.
Illinois has signed an enterprisewide agreement with Entrust Technologies
Inc. for PKI technology to secure both internal transactions and transactions
with businesses and citizens. The state is finalizing plans to launch a
pilot in which agencies would use digital signatures to sign government
travel vouchers and internal forms, said Brent Crossland, deputy technology
officer for the Illinois Technology Office.
The state will operate its own CA and issue one certificate to citizens
containing the various authorization levels based on the ways a person might
communicate with the government. But like Iowa, Crossland said, there are
many policy details to figure out before rolling out a production PKI in
"If we issue a digital certificate, are there any grounds for us to
revoke the certificate?" Crossland said. "I suddenly make it impossible
for you to interact with government that way."
Another policy question to be addressed is whether a uniform authentication
standard is needed.
"Can they accept the same level of authentication at [the] revenue department
that they're going to accept at the department of natural resources?" Crossland
In March, the state of Washington tapped Digital Signature Trust Co.
to issue and manage digital certificates for businesses and citizens. The
company will help state officials write policies for its PKI and create
applications, said Karen West, the firm's director of government services.
Washington residents will obtain certificates by downloading a form
from a World Wide Web site, having it notarized at a bank and submitting
it to the company. In addition, several state agencies will issue certificates.
First, the state will tackle creating access control mechanisms for transactions
over the Web, such as filing taxes electronically. And state agencies will
begin to sign forms using a digital signature capability.
"You could scale up to 5 million users over the course of a few years,"
West said. "In two years, there'll be 100,000 people using the PKI."
It is vital that states' policies ensure that their PKI will interoperate
with PKIs operated by the federal government, other states and businesses,
West said. In addition, Washington will launch a campaign to educate people
about how digital signatures work and how to protect their certificates.
"This is like your credit card, like your PIN for your ATM card," West said.
"If you give it to someone else, you're going to have a problem."
— Harreld is a freelance writer based in Cary, N.C.