Secure middleman

When one agency receives an electronic transaction created using a private

key that corresponds to a public key issued by the sender's certificate

authority (CA), the receiving agency has to determine that the certificate

carrying that public key originated from a trusted source. The Federal Bridge

Certificate Authority currently under construction allows that verification

to take place through a so-called "trust path."

Next, the recipient agency has to determine that the certificate has

sufficient trust relative to the transaction taking place — a financial

transaction might require a higher trust level than a non- classified e-mail

message, for example. The FBCA can also enable this verification by knowing

the receiving agency's trust policy.

Finally, the FBCA allows the receiving agency to determine that the certificates

being exchanged are still valid and have not been revoked.

If all three of these requirements are met — something the FBCA determines

automatically — the transaction can be completed.

The FBCA prototype uses two CA products, one from Baltimore Technologies

and the other from Entrust Technologies Inc.; both of them interoperate

within the FBCA. Any agency CAs that can interoperate with either of those

products will be able to interoperate with each other. The intent is to

include a range of CA products in the FBCA, with the goal of allowing interoperability

with any CA product or service an agency may choose to work with.

When agencies have been cleared by the PKI Policy Authority to connect

to the FBCA, the bridge will issue a certificate to the agency CA that contains

the details of the trust policy that allows the agency to interoperate with

other agencies.

All the agency then needs is the client/server software that will conduct

the certificate trust path validation and authentication on its end.

The benefit of this arrangement, according to Richard Guida, chairman

of the Federal PKI Steering Committee, is that the bridge need only be powered

up once a week to issue the certificates to agencies. That means the FBCA

will need very little maintenance and will be extremely hard to hack. The

only thing that needs to operate around-the-clock is a small directory that

supplies copies of certificates to users.

About the Author

Brian Robinson is a freelance writer based in Portland, Ore.

Featured

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.