Secure middleman

When one agency receives an electronic transaction created using a private key that corresponds to a public key issued by the sender's certificate authority (CA), the receiving agency has to determine that the certificate carrying that public key originated from a trusted source. The Federal Bridge Certificate Authority currently under construction allows that verification to take place through a so-called "trust path."

Next, the recipient agency has to determine that the certificate has sufficient trust relative to the transaction taking place — a financial transaction might require a higher trust level than a non-classified e-mail message, for example. The FBCA can also enable this verification by knowing the receiving agency's trust policy.

Finally, the FBCA allows the receiving agency to determine that the certificates being exchanged are still valid and have not been revoked.

If all three of these requirements are met — something the FBCA determines automatically — the transaction can be completed.
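As an added illustration (not the FBCA's own software or any agency product), the Python model below walks through the three checks just described: find a trust path from the sender's certificate through the bridge's cross-certificates to the recipient's own CA, compare the weakest assurance level on that path with what the transaction requires, and reject a path that contains a revoked certificate. All CA names, assurance levels, the transaction table and the sample certificates are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed, minimal certificate: who it names, who signed it, and the
    assurance level the issuer asserts (1 = basic, 2 = medium, 3 = high)."""
    subject: str
    issuer: str
    level: int

# Constructed recipient policy: assurance level each transaction type requires.
REQUIRED_LEVEL = {"email": 1, "financial": 3}

# Constructed certificate store keyed by subject. The bridge cross-certifies
# Agency A's CA at medium; Agency B's CA (the recipient) cross-certifies the bridge.
CERTS = {
    "alice@agency-a": [Cert("alice@agency-a", "Agency A CA", 3)],
    "Agency A CA": [Cert("Agency A CA", "FBCA", 2)],
    "FBCA": [Cert("FBCA", "Agency B CA", 3)],
}

def find_trust_path(leaf, anchor, certs):
    """Follow issuer links from the sender's certificate until a certificate
    signed by the recipient's trust anchor is reached; None if no path exists."""
    def walk(cert, path):
        if any(c.subject == cert.subject for c in path):  # guard against cycles
            return None
        path = path + [cert]
        if cert.issuer == anchor:
            return path
        for parent in certs.get(cert.issuer, []):
            found = walk(parent, path)
            if found:
                return found
        return None
    return walk(leaf, [])

def validate(leaf, anchor, certs, crl, transaction):
    """Apply the three checks in order: trust path, policy, revocation.
    crl is a set of (subject, issuer) pairs naming revoked certificates."""
    path = find_trust_path(leaf, anchor, certs)
    if path is None:
        return False, "no trust path to anchor"
    # Effective assurance is the weakest link on the path (simplified policy mapping).
    effective = min(c.level for c in path)
    if effective < REQUIRED_LEVEL[transaction]:
        return False, f"assurance {effective} below required {REQUIRED_LEVEL[transaction]}"
    if any((c.subject, c.issuer) in crl for c in path):
        return False, "revoked certificate on path"
    return True, "accepted"
```

With the constructed data, an e-mail from Agency A is accepted by Agency B, a financial transaction is refused because the bridge only vouches for Agency A at medium assurance, and revoking the bridge's cross-certificate for Agency A blocks both.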

The FBCA prototype uses two CA products, one from Baltimore Technologies and the other from Entrust Technologies Inc.; both of them interoperate within the FBCA. Any agency CAs that can interoperate with either of those products will be able to interoperate with each other. The intent is to include a range of CA products in the FBCA, with the goal of allowing interoperability with any CA product or service an agency may choose to work with.

When agencies have been cleared by the PKI Policy Authority to connect to the FBCA, the bridge will issue a certificate to the agency CA that contains the details of the trust policy that allows the agency to interoperate with other agencies.

All the agency then needs is the client/server software that will conduct the certificate trust path validation and authentication on its end.

The benefit of this arrangement, according to Richard Guida, chairman of the Federal PKI Steering Committee, is that the bridge need only be powered up once a week to issue the certificates to agencies. That means the FBCA will need very little maintenance and will be extremely hard to hack. The only thing that needs to operate around the clock is a small directory that supplies copies of certificates to users.

About the Author

Brian Robinson is a freelance writer based in Portland, Ore.
