- By Brian Robinson
- Jun 19, 2000
When one agency receives an electronic transaction created using a private
key that corresponds to a public key issued by the sender's certificate
authority (CA), the receiving agency has to determine that the certificate
carrying that public key originated from a trusted source. The Federal Bridge
Certificate Authority currently under construction allows that verification
to take place through a so-called "trust path."
Next, the recipient agency has to determine that the certificate has
sufficient trust relative to the transaction taking place — a financial
transaction might require a higher trust level than a non- classified e-mail
message, for example. The FBCA can also enable this verification by knowing
the receiving agency's trust policy.
Finally, the FBCA allows the receiving agency to determine that the certificates
being exchanged are still valid and have not been revoked.
If all three of these requirements are met — something the FBCA determines
automatically — the transaction can be completed.
The FBCA prototype uses two CA products, one from Baltimore Technologies
and the other from Entrust Technologies Inc.; both of them interoperate
within the FBCA. Any agency CAs that can interoperate with either of those
products will be able to interoperate with each other. The intent is to
include a range of CA products in the FBCA, with the goal of allowing interoperability
with any CA product or service an agency may choose to work with.
When agencies have been cleared by the PKI Policy Authority to connect
to the FBCA, the bridge will issue a certificate to the agency CA that contains
the details of the trust policy that allows the agency to interoperate with
All the agency then needs is the client/server software that will conduct
the certificate trust path validation and authentication on its end.
The benefit of this arrangement, according to Richard Guida, chairman
of the Federal PKI Steering Committee, is that the bridge need only be powered
up once a week to issue the certificates to agencies. That means the FBCA
will need very little maintenance and will be extremely hard to hack. The
only thing that needs to operate around-the-clock is a small directory that
supplies copies of certificates to users.
Brian Robinson is a freelance writer based in Portland, Ore.