Arizona test-drives PKI
- By Dibya Sarkar
- Mar 31, 2002
Arizona's Motor Vehicle Division is testing use of public key infrastructure
to secure online transactions with commercial firms, potentially setting
the stage for broader use, including, one day, smart driver's licenses,
a state official said.
In the pilot program, which started in January, MVD provided three private
investigative companies with digital certificates so they can obtain certain
motor vehicle records, bypassing the manual process, said Jamie Rybarczyk,
a systems architect with the state Department of Transportation.
PKI technology allows users to securely and privately conduct transactions
with companies or government agencies through a browser. Transactions are
encrypted, and the decryption key is provided only when a user's identity has
been authenticated with a digital certificate.
"We believe, along with everybody else, this is the wave of the future,"
Rybarczyk said.
Usually, private investigators — who are court-authorized to get information
from MVD — must wait in line, fill out a form requesting the specific information,
show proper identification and authorization, pay a small fee, and then
wait for the attendant to obtain the data from a mainframe terminal, he
said.
By using digital certificates, the investigators can connect to the
MVD intranet through a Virtual Private Network, fill out an online form,
digitally sign it and get results quickly, he said. "This is the perfect
application to allow people to access this online so they can do this from
their own office," he said, adding they can do it any time of the day.
The pilot program still has several months to go, but so far it's a
success, Rybarczyk said.
To Rybarczyk's knowledge, the MVD is the first agency in Arizona testing it,
but the potential for PKI is great, he said. For example, digital certificates
could be stored in a "smart" chip on driver's licenses, which could be inserted
into a card reader to initiate an online transaction. But that's in the
future, he added.
For the pilot program, MVD is beta-testing a product called eTrust PKI
2.0 from Islandia, N.Y.-based Computer Associates. Rybarczyk said the product,
scheduled for general availability in April, is user-friendly and scalable
if digital features are added to licenses.
Barry Keyes, vice president of Computer Associates' eTrust Security
Solutions division, said PKI is used in government, especially by law enforcement
agencies, because it provides a high level of confidentiality and integrity.
With PKI, he said, either a vendor can manage the technology and issue
the digital certificates, or a government agency can control the registration
and certificate issuance process. However, widespread use has not yet caught
on, and one problem is the complexity of implementing and managing the technology,
he added.
It takes less than an hour to implement eTrust PKI 2.0, Keyes said,
and the bundled product contains a built-in directory and self-contained
Online Certificate Status Protocol responder, providing real-time validation
of user identities.