A bridge too far?
- By Brian Robinson
- Jun 19, 2000
The use of public-key infrastructure to enable secure electronic transactions
has been expanding in government, but so far it's been limited to isolated
programs aimed at individual agency applications.
All that will change at the beginning of next year, if a project to
link those agency PKIs into a truly interoperable, governmentwide PKI goes
forward as planned. But first, the project participants must sort through
some additional technical issues, as well as secure funding to finish building
the system and to get other agencies to use it.
The system — the Federal Bridge Certificate Authority (FBCA) — is a
way to create so-called trust paths between various agency PKIs. The actual
linking occurs between the certificate authorities, which play a critical
role in the PKIs. CAs are computer servers that issue the digital certificates
that identify users and secure their electronic transactions.
By cross-certifying CAs through the FBCA, which acts as a trusted third
party, an agency that needs to accept a certificate from another agency
in order to conduct a transaction will know that certificate can be trusted.
The FBCA prototype was made operational in early February and demonstrated
at the Electronic Messaging Association annual conference in April.
Currently, agencies have two options to create trust paths among two
or more CAs. They can standardize on a single vendor's certificates and
CA system. Or they can laboriously develop their own CA trust lists and
manage all of the system interpretation and upkeep involved in their use.
In contrast, the FBCA does all of this automatically by forming a hub
that matches CAs according to terms and policies agreed to by each of the
participating agencies. A Policy Authority under the auspices of the Federal
PKI Steering Committee, a Treasury Department organization overseeing development
of the FBCA, would agree with each participating agency on the levels of
assurance under which that agency would accept certificates. It would then
map that agency policy to the FBCA certificate policy.
"It's important to note that this doesn't impose obligations on any
of the agencies that accept certificates as the 'relying' party," said Richard
Guida, chairman of the PKI Steering Committee. "They can still have their
own policies for accepting certificates, but at the least it allows for
other relying parties to accept the certificates going out from participating
agencies. In this way, we can protect agency autonomy."
This approach retains the possibility of getting as many agencies as
possible to participate in the FBCA because it doesn't put burdens on those
that, for one reason or another, want to maintain close control over the
certificates they accept for online transactions.
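
As an added illustration (not code from the article or from the FBCA project), the sketch below models the hub arrangement and policy mapping described above: each agency CA cross-certifies only with the bridge, and a relying party's own acceptable policies are translated along the trust path. All CA names and policy names are constructed for the example.

```python
from collections import deque

# Constructed sample data: CA names and policy names are hypothetical.
# A cross-certificate (issuer, subject) carries a policy mapping from the
# issuer's policy names to the equivalent names in the subject's domain.
CROSS_CERTS = {
    ("AgencyA-CA", "Bridge"): {"a-high": "bridge-high", "a-basic": "bridge-basic"},
    ("AgencyB-CA", "Bridge"): {"b-standard": "bridge-basic"},
    ("Bridge", "AgencyA-CA"): {"bridge-high": "a-high", "bridge-basic": "a-basic"},
    ("Bridge", "AgencyB-CA"): {"bridge-basic": "b-standard"},
}

def find_trust_path(anchor, target):
    """Breadth-first search for a chain of cross-certificates anchor -> target."""
    queue, seen = deque([[anchor]]), {anchor}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for issuer, subject in CROSS_CERTS:
            if issuer == path[-1] and subject not in seen:
                seen.add(subject)
                queue.append(path + [subject])
    return None  # no cross-certification chain exists

def policies_at_target(path, anchor_policies):
    """Carry the relying party's acceptable policies along the path, mapping
    them at every cross-certificate; policies with no mapping drop out."""
    current = set(anchor_policies)
    for issuer, subject in zip(path, path[1:]):
        mapping = CROSS_CERTS[(issuer, subject)]
        current = {mapping[p] for p in current if p in mapping}
    return current

def relying_party_accepts(anchor, anchor_policies, issuing_ca, cert_policy):
    """True if a certificate from issuing_ca asserting cert_policy satisfies
    one of the policies required by the relying party that trusts `anchor`."""
    path = find_trust_path(anchor, issuing_ca)
    if path is None:
        return False
    return cert_policy in policies_at_target(path, anchor_policies)
```

With this data, an Agency A relying party that requires `a-high` rejects an Agency B certificate issued under `b-standard`, while one that accepts `a-basic` trusts it through the bridge.
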
Overall, the April demonstration showed that the FBCA could deliver
the PKI interoperability that was promised, though there's still work to
be done, said Gary Moore, technical adviser for the federal government for
Entrust Technologies Inc., Plano, Texas, one of the two CA vendor participants
in the FBCA.
More than the CAs themselves, he said, one of the most challenging aspects
of the whole project is managing the directories, which store information
such as user names and profiles and access privileges.
"When we started all of this two years ago, one of the things we recognized
was the need for the various agency directories to communicate," Moore said.
"In building the trust paths, we have to deal with how to make directories
more compatible, since [directories built on] LDAP [Lightweight Directory
Access Protocol] don't work in the same way as X.500."
Then there are the different directory schemas to be taken into account
and the need for consistent naming because one agency may define something
completely differently from another agency. That means having to look at
different ways of enabling organizations to communicate with each other
while at the same time protecting the individual directory and PKI structures
within the agencies.
But, Moore said, there is a strong understanding of what is required
of the different elements of the FBCA. All of the elements are there, he
said, and "there are no technical showstoppers."
Not everyone is convinced of the need for the FBCA, at least not yet.
Mike Laurie, vice president of alliances and co-founder of Silanis Technology,
St. Laurent, Quebec, thinks agencies are still so focused on their own needs
that they don't yet attach any urgency to interoperating with other agencies.
In the meantime, he said, "the Web is happening. The focus is on how
to get [agencies] to use the Web in the first place, even before considering
such things as the use of certificates and interoperability."
Agencies' current needs may be limited to the ability to use digital
signatures so they can sign off on internal requests. "PKI by its nature
delivers a whole higher level of authenticity, but many people and agency
processes don't need things to happen at that high a level," Laurie said.
"It will be a few years before an interoperable PKI is in place."
Maybe. But the fact is that, in this case, government seems to be ahead
of the commercial sector, and that by itself may drive the whole issue of
"To my knowledge, there is nothing out there that is similarly trying
to bring together so many disparate elements," said Patricia Edfors, director
of government operations for Baltimore Technologies, Needham, Mass., the
other CA vendor taking part in the prototype FBCA.
Edfors has a particularly wide perspective, having been a champion for
security issues on the Government Information Technology Services board
and a senior official involved in technology at the Treasury and Justice
departments, and the National Institute of Standards and Technology.
"Wide-scale cross-certification of CAs in an operational environment
has not happened elsewhere, so to that extent, the government effort is
leading the way," she said.
The FBCA has already shown the potential of the bridge approach and
helped introduce users to the different flavors of CAs that already exist.
If true interoperability and cross-certification can be demonstrated, she
said, "it could provide an opportunity to take this [bridge] approach and
spread it to state and local markets, into the commercial world, and even
If there is any resistance to developing the production version of the
FBCA, scheduled for rollout by the end of this year, it will likely come
during the congressional appropriations process. Treasury has requested
$7 million in its recent budget proposal, though $5 million of this is targeted
to helping agencies connect to the FBCA. Only $1.5 million is intended
for the rest of the development work on the bridge itself, and the other
$500,000 is designated for operational needs.
"Even if we get only a fraction of what we've asked for, we will still
be able to build the bridge," Guida said. "But the question then is if there
will be anyone who can use it."
—Robinson is a freelance journalist based in Portland, Ore. He can be reached