PKI: A necessary evil

• By Brian Robinson
• Sep 03, 2001

For years, government agencies have acknowledged that public-key infrastructure

a combination of encryption software, digital certificates and other technology

provides the most reliable way to secure online transactions. Unfortunately,

PKI can be arduous and costly, so agencies have shunned it. But now it's

crunch time.

Governments are working furiously to build secure Web portals through

which citizens and companies can perform transactions with government. Many

states are requiring digital signatures. And compliance with federal legislation

such as the Health Insurance Portability and Accountability Act which

sets regulations for safeguarding health care information mandates the

use of highly secure online systems.

All of this has jump-started PKI, said Sunil Misra, managing principal

of Unisys Corp.'s Worldwide Enterprise Security Practice.

"There's been a tremendous increase in the number of [requests for proposals]

and implementations over the past six months," Misra said.

But that doesn't mean it's getting any easier to build PKIs. "We are

right at the edge of PKI use in state and local governments," said Bryan

Ichikawa, executive director of Spyrus Inc., a San Jose, Calif., PKI vendor.

"The applications are still not quite ready, and there's still some resistance

to its deployment."

It could be another two or three years before there is widespread deployment

of PKIs perhaps by then there will also be a consensus on how best to

build them. In the meantime, wherever you look, you can find a different

approach and different lessons to learn.

Washington: A Case for Outsourcing

Washington's governmentwide PKI has been in place since last November and

provides the kind of global approach to online security that Scott Bream,

the state's PKI program manager, said is necessary if the government is

to use the Internet to conduct business.

"We had tried user IDs and passwords, and we still do use them in certain

circumstances," he said. "But one user ID per application is just not a

good way to go to present a single [government] face to industry and the

citizen."

Once state officials decided to go with a PKI, the problem was how to

implement it. They could build and manage their own PKI since they had the

necessary databases and components. But the more Bream and his colleagues

analyzed the situation, the less that option made sense.

"We wanted to make the PKI as broadly applicable as possible because

then you can do business not only with companies, but also with entities

such as the federal government," he said.

While running several pilot projects, Bream and his team learned how

complicated that could be. It was very complex to take on the cost and legal

liabilities for the authentication duties of a certificate authority (CA),

handle the issuing of certificates, manage certificate repositories and

account for the funding needed for the software, hardware and employees

to accommodate all of this.

All of that plus the fact that creating and running its own PKI would

have taken the government well outside its core competencies persuaded

Bream to outsource development and management of the PKI and the CAs.

There was one major proviso, however.

"We still own the certificate policy," Bream said. "We think it's important

that the people who do business with us look on us, and not some outside

organization, as the trusted personality that's backing the certificates.

So we establish the policy that the certificates are issued against."

All in all, Bream said it has turned out well. Departments such as Social

Services, Health and Labor have already started using the certificates,

and other applications, such as tax filing and reporting, will soon be online

as well. None of that would have happened yet, Bream said, if state officials

hadn't outsourced the PKI.

"Time to market is what pushed us in that direction," he said. "If we

had to do it all ourselves, we would probably still be involved in putting

it all together."

Florida: It's a People Thing

The need for a PKI became obvious in the early days of Florida's Criminal

Justice Network, an intranet that links state law enforcement agencies

such as the courts, sheriffs and police with state attorneys' offices.

The idea behind the network was to share information among law enforcement

workers. Because much of the material was sensitive, security was essential.

It took Tom Watkins, chief of production systems services at the Florida

Department of Law Enforcement, a year just to put together the policies

for the CA. But it wasn't the complexity of the PKI that surprised him.

"I've been in IT for over 30 years," he said, "and I've never encountered

a more difficult task than presenting the idea of a certificate to the IT

staff, let alone the end users. They've been so used over the years to the

idea of using individual passwords for people and applications, they were

completely stumped at first by the notion of a general identity contained

in a certificate."

And then there was the issue of how the certificates would be issued.

Several companies have made a business of issuing digital certificates,

but agency officials were not interested in a prepackaged solution. "We

require a more severe validation and authentication of the people getting

the certificate," he said.

Watkins' group developed a Web-based process for applying for certificates.

But rather than adopting a wholly automated process, they instead chose

to designate a point person in each agency to validate employees' applications

for digital certificates. That person confirms and physically checks the

information presented in the application. Once approved, the applicant can

continue with the online process for obtaining a certificate.

It took some two-and-a-half years to develop the PKI to the "fairly

sophisticated" environment now in place, Watkins said. More than a year

of that was spent in defining the right components.

"You can slap together a PKI," he said. "But if you don't get all of

the underlying operational complexities sorted out first, you can also really

botch it up."

Virginia: Sometimes Simple is Best

Virginia officials have thought about building a PKI for years and even

tried various pilot projects. But they're still uncertain about where and

how PKI fits the state's needs.

Robert "Chip" German, director of policy and strategic planning for

the University of Virginia's Office of Information Technologies, one of

the lead organizations in the state's adoption of digital signatures, said

the pilot projects proved simplicity was the key.

The push for a PKI stalled over the inability to identify an application

that would make PKI essential and easy to use, despite its complexity and

cost. So now the idea is to get people experienced in dealing with the simpler

forms of digital certificates, which would be applied only in restricted

cases. Later, the practice could be expanded across agencies.

The initial Virginia On-Line Transaction Certificates will be based

on open standards and used for identity only. The policy will be kept as

generic as possible so that CAs that want to issue certificates can easily

meet the minimum requirements. But the PKI working group recommends that

certificates be high-assurance only so employees will learn to safeguard

their digital certificates.

Each subscriber will be issued two certificates one for digital signatures

and the other for short-term "targeted transmission" encryption. Cryptographic

keys will not be managed by a third party, eliminating yet another layer

of complexity.

Officials hope to issue a request for proposals by September, German

said, and then quickly deploy the PKI.

Robinson is a freelance journalist based in Portland, Ore. He can be reached

at hullite@mindspring.com.