Illinois builds ramp to fed PKI bridge
- By Dibya Sarkar
- Mar 16, 2003
Illinois Digital Signature/Public Key Infrastructure Project
One day, Americans will be able to get their confidential benefit and health information securely online from federal agencies. Businesses will be able to set up shop in minutes instead of weeks through the Internet. And state and federal agencies will be able to share critical data and file sensitive reports with one another quickly and reliably.
For Illinois' private and public sectors, that day is fast approaching.
The state is poised to become the first to cross certify its enterprisewide public-key infrastructure with the federal government's Federal Bridge Certification Authority. Essentially, the two entities are establishing a trusted relationship by recognizing and accepting digital certificates — which are unique and secure electronic identities or credentials — issued by each government.
It's that trust that will enable the development of applications that require transactions between federal and state governments. Illinois, in turn, plans to work with local governments and businesses that need to conduct secure transactions with government.
"It's very important to us because we think it opens up a whole multitude of opportunities for citizens and businesses to be able to manage their relationships, to be able to facilitate cross- jurisdictional applications, to be able to simplify and unify things, and to be able to just collaborate a lot better," said Georgia Marsh, associate director of the Illinois Department of Revenue.
Marsh, who has been a key player in the state project that began 18 months ago with the federal government's help, said the state is the first to file an application to be certified and is likely to be approved soon.
"Through a relationship between the [Federal Bridge Certificate Authority] and Illinois PKI, federal agencies will have the ability to determine the level of assurance and legitimacy of credentials issued by Illinois to its employees, businesses and citizens," said Judy Spencer, chairwoman of the Federal PKI Steering Committee.
"And the reverse is also true," she added. "Illinois will have the means to validate credentials issued to federal employees by their agencies."
Federal officials said about six other states have followed suit and some may also become cross-certified with the federal government before the year's end.
Spencer said the federal government would espouse a common environment that could support different certificates.
In reality, there isn't just one PKI model across the country or within the federal government.
"There are a number of enterprise PKIs, all with unique aspects," Spencer said. "So with the federal bridge, what we're doing is providing a common reference point for trust so that people can interoperate while enforcing their own policies using the technical solutions that best meet their needs."
Marsh said any individual or business can buy an Illinois certificate, but the real advantage of the certificates is what can be done with them. The state — which purchases its digital certificates from Entrust Inc. but manages them itself rather than set up a third party as a certificate authority — is focusing on first providing businesses with applications that may need a certain level of authentication.
Illinois is planning to provide online counseling to small business owners who would require privacy and confidentiality.
"The biggest concern that citizens and businesses have about doing online government is the whole issue of security and privacy," Marsh said. "What this does is this equalizes the whole thing and takes that out of the equation." Authentication, verification and nonrepudiation are also advantages, she added.
Several officials said cross-certification would broaden the breadth of e-government including some of the Bush administration's 24 e-government initiatives such as e-authentication and one-stop business compliance.
Catherine Maras O'Leary, chief information officer for Cook County, Ill., the country's second-largest county, said the county plans to piggyback on the state system to save money and facilitate important data exchange with state and federal agencies.
Ray Bjorklund, vice president of market intelligence and chief knowledge officer for Federal Sources Inc., a McLean, Va., market research company, said PKI cross-certification would be the basis for sharing — privately and securely — critical information among public safety and health agencies.
"It's a richer implementation of e-government," he said. "So you get down to a deeper level and the PKI relationships are going to be critical to make transactions more meaningful and protected."
Marsh said that states and the federal government are exploring significant cross-jurisdictional applications. They include emergency response, treasury cash management, national security, business tax filings, passports, selective service registration, retirement benefits, online voting, regulatory filing and environmental reporting, she said, adding that some will require a higher level of authentication than others.
"Ultimately, what we're headed toward is one-stop shopping, so that [citizens] can get on and they don't have to get certification throughout 17 different federal agencies, their state government, their city government or county government," Spencer said.