PKI: What is it and what can it do for us?
- By Nora K. Rice
- May 17, 2001
Public-key infrastructure is a term that many of us in the federal government
have been hearing lately. But what does it mean? What benefits can it offer?
Here's some background. One driver of the need for PKI is the Government
Paperwork Elimination Act, which, among other things, requires the federal
government to allow the use of electronic signatures to reduce the paperwork
burden on the public. OMB's guidance to federal agencies, as described in
GPEA, is to determine their customers' abilities to interact electronically
with the agency. The guidance is to select an appropriate combination of
technology and practice to cost-effectively minimize risks and maximize
benefits to agencies and customers.
Another driver is customer expectation, based on their ability to interact
electronically with industry and academia for such transactions as banking,
purchasing and information gathering. Yet another driver is the need to
protect our critical infrastructure, which is threatened by malicious electronic
attacks.
So, what is PKI? It is an implementation of public-key technology, which
is also known as "asymmetric cryptography." Typically, each user has two
key-pairs. One key-pair is used for digital signatures, to ensure that the
person sending the message is who he says he is: the sender signs with the
private key, and anyone can check the signature with the matching public key.
The other key-pair is used for encryption, to encode the message so that only
the intended recipient can read it: anyone can encrypt with the recipient's
public key, but only the holder of the private key can decrypt. In the case
of both key-pairs, one key is public and the other is kept private.
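The two-key-pair arrangement described above, as an added illustration that is not part of the original article: a user holds one pair for signing (private key signs, public key verifies) and a separate pair for encryption (public key encrypts, private key decrypts). The code uses textbook RSA with small fixed Mersenne primes so that it runs instantly with only the Python standard library; the primes, the user name and the sample messages are all constructed for this example, and real deployments use much larger, randomly generated keys and padding.

```python
import hashlib

# Constructed toy parameters: small Mersenne primes so the example runs instantly.
# Real deployments use randomly generated primes of 1024 bits or more plus padding.
E = 65537
SIGNING_PRIMES = (2**127 - 1, 2**61 - 1)
ENCRYPTION_PRIMES = (2**107 - 1, 2**89 - 1)


def make_keypair(p, q):
    """Return (public, private) as (modulus, exponent) tuples for textbook RSA."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, E), (n, d)


def _to_int(message, n):
    """Encode a short message as an integer below the modulus."""
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return m


def sign(private_key, message):
    """Digital signature: hash the message, then apply the *private* signing key."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(digest, d, n)


def verify(public_key, message, signature):
    """Anyone holding the public signing key can check who signed the message."""
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == digest


def encrypt(public_key, message):
    """Confidentiality: the sender uses the recipient's *public* encryption key."""
    n, e = public_key
    return pow(_to_int(message, n), e, n)


def decrypt(private_key, ciphertext):
    """Only the holder of the private encryption key recovers the plaintext."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


class User:
    """A PKI user with two separate key pairs: one for signing, one for encryption."""

    def __init__(self, name):
        self.name = name
        self.sign_pub, self._sign_priv = make_keypair(*SIGNING_PRIMES)
        self.enc_pub, self._enc_priv = make_keypair(*ENCRYPTION_PRIMES)

    def sign(self, message):
        return sign(self._sign_priv, message)

    def decrypt(self, ciphertext):
        return decrypt(self._enc_priv, ciphertext)


def demo():
    """Alice signs; anyone verifies. Someone encrypts to Alice; only Alice decrypts."""
    alice = User("alice")                      # constructed sample user
    message = b"Approve form 1234"             # constructed sample message
    signature = alice.sign(message)
    verified = verify(alice.sign_pub, message, signature)
    # A modified message no longer matches the signature.
    tampered = verify(alice.sign_pub, b"Approve form 9999", signature)
    ciphertext = encrypt(alice.enc_pub, b"Meet at noon")
    recovered = alice.decrypt(ciphertext)
    return {"verified": verified, "tampered_verifies": tampered, "recovered": recovered}


if __name__ == "__main__":
    print(demo())
```

Keeping the signing pair separate from the encryption pair means a signing key can be long-lived and never escrowed, while an encryption key may be backed up so that stored messages remain readable if the user loses it; the example enforces the split by giving the two pairs different moduli.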
The Federal Bridge Certificate Authority (FBCA) is the "translator"
of disparate certificate authorities (CAs). It is designed as a non-hierarchical
hub that maps levels of assurance and ensures that appropriate levels are
"matched." The immediate focus of the FBCA is to provide a seamless "trust
path" verification between federal agencies. The ultimate goal is to provide
a bridge to external organizations that want to cross-certify with the Federal
Bridge. Such external organizations can include state governments, industry,
academia and foreign governments.
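The bridge model described above, as an added example that is not part of the original article or of any FBCA software: a non-hierarchical hub that each participating certificate authority cross-certifies with, so that a relying party in one agency can build a "trust path" to a certificate issued by another agency's CA through the bridge, with the assurance level of the whole path limited by its weakest cross-certificate. The CA names, the cross-certificate graph and the four-step assurance scale used here are constructed for illustration; the real FBCA certificate policy and its mappings are the authority on actual levels.

```python
from collections import deque

# Assumed assurance scale, ordered low to high. The names are this example's own.
LEVELS = ["rudimentary", "basic", "medium", "high"]

# Constructed cross-certificate graph: issuer -> {subject: assurance level the issuer
# asserts, on the common scale, for certificates issued under subject}. The bridge is
# a hub rather than a root: each CA cross-certifies with it in both directions.
CROSS_CERTS = {
    "AgencyA-CA": {"FBCA": "high"},
    "AgencyB-CA": {"FBCA": "medium"},
    "StateX-CA": {"FBCA": "basic"},
    "FBCA": {"AgencyA-CA": "high", "AgencyB-CA": "medium", "StateX-CA": "basic"},
}


def find_trust_path(graph, anchor, target):
    """Breadth-first search for a chain of cross-certificates from the relying
    party's trust anchor to the CA that issued the certificate being checked.
    Returns a list of (issuer, subject, level) edges, or None if no chain exists."""
    queue = deque([(anchor, [])])
    seen = {anchor}
    while queue:
        ca, path = queue.popleft()
        if ca == target:
            return path
        for subject, level in graph.get(ca, {}).items():
            if subject not in seen:
                seen.add(subject)
                queue.append((subject, path + [(ca, subject, level)]))
    return None


def path_assurance(path):
    """A chain is only as strong as its weakest cross-certificate."""
    return min((level for _, _, level in path), key=LEVELS.index)


def validate(graph, anchor, target, required):
    """Return (accepted, effective_level, path) for a relying party that trusts
    `anchor`, is checking a certificate issued by `target`, and needs `required`."""
    if anchor == target:
        # Locally issued certificate: no mapping needed, the anchor's own policy applies.
        return True, None, []
    path = find_trust_path(graph, anchor, target)
    if path is None:
        return False, None, None
    effective = path_assurance(path)
    accepted = LEVELS.index(effective) >= LEVELS.index(required)
    return accepted, effective, path


if __name__ == "__main__":
    for target, required in [("AgencyB-CA", "medium"), ("AgencyB-CA", "high"),
                             ("StateX-CA", "medium"), ("Unknown-CA", "basic")]:
        print(target, required, validate(CROSS_CERTS, "AgencyA-CA", target, required))
```

Note what the hub buys: Agency A never has to cross-certify directly with Agency B or State X; one pair of cross-certificates with the bridge is enough, and the bridge's mapping is what decides that a State X certificate only reaches "basic" assurance for an Agency A relying party.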
For more details, please refer to PKI Guidance and Documents, a page on the CIO Council's Web site, maintained
by the council's Electronic Government Subcommittee.
I found the PKI Handbook especially useful. The full title of this document
is "The Evolving
Federal Public Key Infrastructure," written by the Federal Public Key Infrastructure
Steering Committee of the CIO Council. In addition, there is a February 2001 GAO report that summarizes the availability of PKI products and services as well as implementation issues experienced by federal agencies trying to develop their own PKI infrastructure.
More information about the GSA ACES program, Access Certificates for
Electronic Services, can be found at www.gsa.gov/aces.
And for more information on the OMB's guidance to the GPEA, see either Selected OMB Memoranda to Heads of Federal Departments and Agencies or the
aforementioned PKI Guidance
and Documents.
Rice is deputy director of the Emerging IT Policies Division in the
Office of Governmentwide Policy at the General Services Administration.
She can be reached at [email protected]