Citizen PKI project under way

A distant cousin to the Federal Bridge Certificate Authority (FBCA) is the General Services Administration's Certificate Arbitrator Module (CAM), which, like the FBCA, is intended to provide a level of interoperability among public-key infrastructure systems.

But whereas the FBCA is aimed at enabling interoperability among government agency PKIs, the CAM's goal is to allow an individual citizen to deal with multiple agencies using the same digital certificate. The CAM is part of the Access Certificates for Electronic Services (ACES) program at GSA.

ACES provides digital certificates to citizens who want to conduct online transactions with agencies. The individual connects via the Internet to an ACES Registration Authority, which asks for details such as name, address and phone number. After verifying the information, the registration authority mails the person a one-time personal identification number. The person's World Wide Web browser then generates a public/private key pair on his or her own computer; the private key stays in the browser, and only the public key is sent on. The person supplies the personal identification number and the public key to the ACES certificate authority, which checks the number and issues a certificate that is then stored in the user's Web browser.

The CAM is a piece of software, provided free of charge by GSA, that plugs into an agency's existing security infrastructure and lets the agency check automatically, in real time, whether a citizen's certificate is valid. It is essentially a router: for each certificate presented, it generates a status request and sends it to the certificate's ACES-compliant issuer, which reports whether the certificate is still good.

"CAM wouldn't be necessary if agencies could build that [validation] functionality into each and every application," said Stanley Choffrey, GSA program manager for ACES and the CAM, as well as the FBCA. "The CAM allows agencies to build a simple application program interface for those applications, and then every application is automatically PKI-enabled. It offloads a lot of the PKI infrastructure work that would have to be embedded in each application."

Agencies still have to build trust lists and manually enter the trust keys for each certificate authority domain they want to maintain. That trust list is the policy boundary: a certificate whose issuer's key is not on the list is rejected before any status request is made. Other than that, the CAM verifies all transactions automatically.
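The enrollment flow described above (registration authority, mailed one-time PIN, browser-generated key pair, certificate issued against PIN plus public key) and the CAM's two-step validation (chain to a manually entered trust list, then a status request routed to the issuer) together, as an added example. This is not code from the article, from GSA or from the CAM itself; it is a stand-alone Go model that assumes X.509 certificates over Ed25519 (the article does not say which certificate format or algorithms ACES used), replaces the network status request with an in-process call (the article names no wire protocol), and uses names of its own (RegistrationAuthority, CertificateAuthority, CAM, Enroll, Validate). The applicant details are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Applicant carries the details the ACES registration authority asks for.
type Applicant struct{ Name, Address, Phone string }

// RegistrationAuthority maps each mailed one-time PIN to its applicant; the
// entry is deleted when the PIN is redeemed, so a PIN works exactly once.
type RegistrationAuthority struct{ pending map[string]Applicant }

func NewRA() *RegistrationAuthority { return &RegistrationAuthority{pending: map[string]Applicant{}} }

// Register stands in for the RA's identity check (assumed here to be only a
// completeness check) and returns the PIN that would be mailed to the person.
func (ra *RegistrationAuthority) Register(a Applicant) (string, error) {
	if a.Name == "" || a.Address == "" || a.Phone == "" {
		return "", errors.New("registration: name, address and phone are required")
	}
	var b [8]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	pin := hex.EncodeToString(b[:])
	ra.pending[pin] = a
	return pin, nil
}

// CertificateAuthority issues citizen certificates and answers status queries.
type CertificateAuthority struct {
	ra      *RegistrationAuthority
	cert    *x509.Certificate
	key     ed25519.PrivateKey
	revoked map[string]bool // serial number -> revoked
	serial  int64
}

// issue sets validity, signs tmpl with parent's key and parses the result.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) (*x509.Certificate, error) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func NewCA(ra *RegistrationAuthority, name string) (*CertificateAuthority, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	cert, err := issue(tmpl, tmpl, pub, priv) // self-signed CA certificate
	if err != nil {
		return nil, err
	}
	return &CertificateAuthority{ra: ra, cert: cert, key: priv, revoked: map[string]bool{}, serial: 1}, nil
}

// Enroll: the citizen presents the mailed PIN and the browser-generated public
// key. The PIN is consumed whether or not it was valid; the private key never
// reaches the CA.
func (ca *CertificateAuthority) Enroll(pin string, pub ed25519.PublicKey) (*x509.Certificate, error) {
	a, ok := ca.ra.pending[pin]
	delete(ca.ra.pending, pin)
	if !ok {
		return nil, errors.New("enroll: PIN unknown or already used")
	}
	ca.serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(ca.serial), Subject: pkix.Name{CommonName: a.Name},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return issue(tmpl, ca.cert, pub, ca.key)
}

func (ca *CertificateAuthority) Revoke(c *x509.Certificate) { ca.revoked[c.SerialNumber.String()] = true }

// Revoked answers the CAM's real-time status query; an in-process call stands
// in for the network request the article describes (assumption: no protocol named).
func (ca *CertificateAuthority) Revoked(serial *big.Int) bool { return ca.revoked[serial.String()] }

// CAM is the relying party's module: a manually built trust list plus a
// routing table from issuer name to that issuer's status responder.
type CAM struct {
	trust   *x509.CertPool
	issuers map[string]*CertificateAuthority
}

func NewCAM() *CAM { return &CAM{trust: x509.NewCertPool(), issuers: map[string]*CertificateAuthority{}} }

// AddTrustedIssuer is the manual "enter the trust key for a CA domain" step.
func (c *CAM) AddTrustedIssuer(ca *CertificateAuthority) {
	c.trust.AddCert(ca.cert)
	c.issuers[ca.cert.Subject.CommonName] = ca
}

// Validate chains the certificate to a trust-listed issuer, then routes a
// status request to that issuer; either failure rejects the transaction.
func (c *CAM) Validate(cert *x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: c.trust, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("cam: not chained to a trusted issuer: %w", err)
	}
	issuer, ok := c.issuers[cert.Issuer.CommonName]
	if !ok {
		return errors.New("cam: no status responder for issuer " + cert.Issuer.CommonName)
	}
	if issuer.Revoked(cert.SerialNumber) {
		return fmt.Errorf("cam: issuer reports serial %v revoked", cert.SerialNumber)
	}
	return nil
}

// NewCitizenKey is the browser-side key pair generation.
func NewCitizenKey() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(rand.Reader) }

func main() {
	ra, cam := NewRA(), NewCAM()
	ca, _ := NewCA(ra, "ACES Example CA")
	cam.AddTrustedIssuer(ca)
	pin, _ := ra.Register(Applicant{Name: "Jane Citizen", Address: "1 Main St", Phone: "555-0100"}) // constructed
	pub, _, _ := NewCitizenKey()
	cert, err := ca.Enroll(pin, pub)
	fmt.Println("enroll:", err, "| validate:", cam.Validate(cert))
	_, err = ca.Enroll(pin, pub)
	ca.Revoke(cert)
	fmt.Println("PIN reuse:", err, "| after revocation:", cam.Validate(cert))
}
```

Two design points carry over to a real deployment: the PIN is deleted on first use regardless of outcome, so a guessed or replayed PIN cannot be retried against the same record, and Validate refuses a certificate that chains correctly but whose issuer has no status responder, because "chains to a trusted key" and "issuer still vouches for it" are separate questions.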

The CAM is actually pretty flexible, according to Choffrey. It can filter many types of information so that the use of certificates can be precisely

The CAM and the FBCA could be made to work together, Choffrey said, but they operate on wholly different trust models. With the CAM, the party that needs to accept the certificate has the burden of verifying the trust level, whereas the FBCA handles that by maintaining copies of the trust policies of participating agencies.

Eventually, Choffrey said, the goal is to open up the source code for the CAM so that the world at large can have access to it and improve on

About the Author

Brian Robinson is a freelance writer based in Portland, Ore.

