PKI: A necessary evil
- By Brian Robinson
- Sep 03, 2001
For years, government agencies have acknowledged that public-key infrastructure,
a combination of encryption software, digital certificates and other technology,
provides the most reliable way to secure online transactions. Unfortunately,
PKI can be arduous and costly, so agencies have shunned it. But now it's
crunch time.
Governments are working furiously to build secure Web portals through
which citizens and companies can perform transactions with government. Many
states are requiring digital signatures. And compliance with federal legislation
such as the Health Insurance Portability and Accountability Act, which
sets regulations for safeguarding health care information, mandates the
use of highly secure online systems.
All of this has jump-started PKI, said Sunil Misra, managing principal
of Unisys Corp.'s Worldwide Enterprise Security Practice.
"There's been a tremendous increase in the number of [requests for proposals]
and implementations over the past six months," Misra said.
But that doesn't mean it's getting any easier to build PKIs. "We are
right at the edge of PKI use in state and local governments," said Bryan
Ichikawa, executive director of Spyrus Inc., a San Jose, Calif., PKI vendor.
"The applications are still not quite ready, and there's still some resistance
to its deployment."
It could be another two or three years before there is widespread deployment
of PKIs; perhaps by then there will also be a consensus on how best to
build them. In the meantime, wherever you look, you can find a different
approach and different lessons to learn.
Washington: A Case for Outsourcing
Washington's governmentwide PKI has been in place since last November and
provides the kind of global approach to online security that Scott Bream,
the state's PKI program manager, said is necessary if the government is
to use the Internet to conduct business.
"We had tried user IDs and passwords, and we still do use them in certain
circumstances," he said. "But one user ID per application is just not a
good way to go to present a single [government] face to industry and the
citizen."
Once state officials decided to go with a PKI, the problem was how to
implement it. They could build and manage their own PKI since they had the
necessary databases and components. But the more Bream and his colleagues
analyzed the situation, the less that option made sense.
"We wanted to make the PKI as broadly applicable as possible because
then you can do business not only with companies, but also with entities
such as the federal government," he said.
While running several pilot projects, Bream and his team learned how
complicated that could be. It was very complex to take on the cost and legal
liabilities for the authentication duties of a certificate authority (CA),
handle the issuing of certificates, manage certificate repositories and
account for the funding needed for the software, hardware and employees
to accommodate all of this.
All of that, plus the fact that creating and running its own PKI would
have taken the government well outside its core competencies, persuaded
Bream to outsource development and management of the PKI and the CAs.
There was one major proviso, however.
"We still own the certificate policy," Bream said. "We think it's important
that the people who do business with us look on us, and not some outside
organization, as the trusted personality that's backing the certificates.
So we establish the policy that the certificates are issued against."
All in all, Bream said it has turned out well. Departments such as Social
Services, Health and Labor have already started using the certificates,
and other applications, such as tax filing and reporting, will soon be online
as well. None of that would have happened yet, Bream said, if state officials
hadn't outsourced the PKI.
"Time to market is what pushed us in that direction," he said. "If we
had to do it all ourselves, we would probably still be involved in putting
it all together."
Florida: It's a People Thing
The need for a PKI became obvious in the early days of Florida's Criminal
Justice Network, an intranet that links state law enforcement agencies,
such as the courts, sheriffs and police, with state attorneys' offices.
The idea behind the network was to share information among law enforcement
workers. Because much of the material was sensitive, security was essential.
It took Tom Watkins, chief of production systems services at the Florida
Department of Law Enforcement, a year just to put together the policies
for the CA. But it wasn't the complexity of the PKI that surprised him.
"I've been in IT for over 30 years," he said, "and I've never encountered
a more difficult task than presenting the idea of a certificate to the IT
staff, let alone the end users. They've been so used over the years to the
idea of using individual passwords for people and applications, they were
completely stumped at first by the notion of a general identity contained
in a certificate."
And then there was the issue of how the certificates would be issued.
Several companies have made a business of issuing digital certificates,
but agency officials were not interested in a prepackaged solution. "We
require a more severe validation and authentication of the people getting
the certificate," he said.
Watkins' group developed a Web-based process for applying for certificates.
But rather than adopting a wholly automated process, they instead chose
to designate a point person in each agency to validate employees' applications
for digital certificates. That person confirms and physically checks the
information presented in the application. Once approved, the applicant can
continue with the online process for obtaining a certificate.
It took some two-and-a-half years to develop the PKI to the "fairly
sophisticated" environment now in place, Watkins said. More than a year
of that was spent in defining the right components.
"You can slap together a PKI," he said. "But if you don't get all of
the underlying operational complexities sorted out first, you can also really
botch it up."
Virginia: Sometimes Simple is Best
Virginia officials have thought about building a PKI for years and even
tried various pilot projects. But they're still uncertain about where and
how PKI fits the state's needs.
Robert "Chip" German, director of policy and strategic planning for
the University of Virginia's Office of Information Technologies, one of
the lead organizations in the state's adoption of digital signatures, said
the pilot projects proved simplicity was the key.
The push for a PKI stalled over the inability to identify an application
that would make PKI essential and easy to use, despite its complexity and
cost. So now the idea is to get people experienced in dealing with the simpler
forms of digital certificates, which would be applied only in restricted
cases. Later, the practice could be expanded across agencies.
The initial Virginia On-Line Transaction Certificates will be based
on open standards and used for identity only. The policy will be kept as
generic as possible so that CAs that want to issue certificates can easily
meet the minimum requirements. But the PKI working group recommends that
certificates be high-assurance only so employees will learn to safeguard
their digital certificates.
Each subscriber will be issued two certificates: one for digital signatures
and the other for short-term "targeted transmission" encryption. Cryptographic
keys will not be managed by a third party, eliminating yet another layer
of complexity.
Officials hope to issue a request for proposals by September, German
said, and then quickly deploy the PKI.
Robinson is a freelance journalist based in Portland, Ore. He can be reached
at [email protected]