Next Windows to work with Pentagon's PKI

Microsoft Corp. officials have agreed to alter the next- generation Windows operating system so that it will accommodate the existing digital certificate being used on Defense Department Common Access Cards.

The agreement will help the Pentagon avoid issuing new, application-specific digital certificates for millions of Common Access Cards, which are being issued with a generic public-key infrastructure identity certificate. The move could give the Pentagon an incentive to quickly migrate to the successor to the Windows 2000 operating system.

The Pentagon plans to issue Common Access Cards, also known as smart cards, to 3.2 million people by Sept. 30, 2002. When inserted in a PC Card reader, the cards give authorized users access to a network.

In mid-May, Micro.soft officials sent a letter to Mike Green, the program management officer for DOD public-key infrastructure, committing to the use of DOD's identity certificate for smart card log-ins under the next-generation Windows system, said Pat Arnold, Microsoft Federal's director of information assurance. The successor to Windows 2000, code-named Blackcomb, is expected to be released in "a couple of years," said Keith Hodson, a Microsoft spokesman.

DOD and Microsoft officials met with members of the Internet Engineering Task Force (IETF)—an international community of network designers, operators, vendors and researchers—in March to discuss the agreement, Arnold said. IETF was consulted because Microsoft is using PKINIT, an IETF- produced public-key cryptography, for initial authentication in Blackcomb, Arnold said.

"PKINIT is how you marry up key operations and Kerberos," he said. Kerberos is the Massachusetts Institute of Technology- developed secret-key cryptography that provides strong authentication between client and server.

The smart card log-in feature of Windows 2000—the system used on Navy Marine Corps Intranet PCs and servers—uses application-specific certificates, Green said. "What we told [Microsoft] is "That's not the way we designed the DOD certificate,' " he said.

Within the next two years, there could be thousands of PKI- enabled DOD applications, Green said. If Microsoft continues to make its PKI log-in application-specific, users might have to add digital certificates to their smart cards for every new application.

"If we let Microsoft do that, we know the next week someone else would want to do it," Green said. "We didn't want to get in that game." He called the agreement "a very good decision on both parts. A good compromise."


What's in a Name?

The operating system being developed under the code name Blackcomb will

be the first that Microsoft Corp. releases as part of its .Net strategy,

which the company describes as a framework for the next generation of distributed


Whistler was the code name for the operating system that became Windows

XP, which is to be released this fall.

The names were derived from Whistler and Blackcomb mountains in Vancouver,

British Columbia, the site of a ski resort that is about a five-hour drive

from Redmond, Wash., the home of Microsoft.


  • Cybersecurity
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    NDAA process is now loaded with Solarium cyber amendments

    Much of the Cyberspace Solarium Commission's agenda is being pushed into this year's defense authorization process, including its crown jewel idea of a national cyber director.

  • Defense
    DOD photo by Senior Airman Perry Aston  11th Wing Public Affairs

    How DOD's executive exodus could affect tech modernization

    Back-to-back resignations raise concerns about how things will be run without permanent leadership in key areas from policy to tech development.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.