Washington boasts digital trust
- By Dibya Sarkar
- Jan 07, 2001
Washington home page
Washington state agencies doing business electronically with the private
sector can now be sure that companies and individuals are who they say they
are.
By December, the state's new security architecture and transaction gateway
— called Transact Washington — will accept digital certificates, which are
secure electronic identities that cannot be tampered with or forged. The
gateway is designed for businesses and individuals conducting frequent Web
transactions with the state.
"A digital certificate, as we use them, is really an electronic credential;
this person is who he claims to be," said Scott Bream, a state government
spokesman.
Utah-based Digital Signature Trust Co., which is licensed by Washington
as a third-party certification authority, helped the state develop what
Bream called a process and policy of trust. DST will do background checks,
approve and register those who apply for digital certificates.
He said Washington is the first state to devise a policy by issuing
three measurable types of digital certificates — standard, intermediate
and high. "Trust is one of those things that's hard to quantify," he said.
"What we're trying to do is develop an infrastructure of trust at three
different levels."
For example, a person or business applying for a certificate at the
high- assurance level would have to appear in person, present two forms
of identification and undergo a rigorous background check, he said. That
person would be issued a hardware token, such as a smart card, and a password.
Obtaining a certificate at the standard level is "a little bit down
the food chain of absolute security," Bream said. In those cases, users
can apply via the Internet and be issued a password. When users with digital
certificates link to Washington's new business portal, they must pass through
several more layers of security. Digital certificates are checked against
a published directory of both valid and revoked or expired certificates,
created and maintained by DST. If approved, users must key in a password
for entry.
"You have this very heavy vault door that you're able to leverage very
securely but very easily with a digital certificate," Bream said. Users
can also send legally binding documents with the digital certificate, which
acts as a sort of digital signature.
State agencies can restrict access to databases depending on what type
of assurance certificate a user has. Bream said agencies dealing with medical
data would most likely only accept high-assurance certificates, whereas
businesses obtaining tax information may only need a standard certificate.
The state's new transaction gateway would allow a business or individual
with a valid digital certificate to have a single, secure entry point to
deal with multiple state agencies. Bream said the certificate would act
like a passport to access a range of government services in a seamless process.
"We wanted to create a single face of government," he said.