Federal PKI bridge gets private peer

The Federal Bridge Certification Authority in May recognized an aerospace industry bridge for validating digital certificates, enabling secure communications between government agencies and contractors that issue their own certificates.

The bridge, operated by CertiPath LLC of Herndon, Va., is the first private-industry bridge to link with the FBCA. Cross-certification extends the federal public-key infrastructure and helps enable e-government, said Peter Alterman, chair of the Federal PKI Policy Authority.

“The government has got to get out of the business of issuing credentials to users of its systems and get into the business of trusting credentials issued by others,” he said.

Digital certificates act as electronic IDs, but the party or application accepting the certificate must have a way of validating it. When a foreign certificate is submitted to an application, it’s passed along to the federal bridge, which verifies that it was issued by an organization whose policies have been accepted by the bridge. The bridge also can check with the issuing authority to ensure the certificate is still valid.

The relationship between the federal bridge and CertiPath is unique because CertiPath itself is a bridge that cross-certifies certificates issued by aerospace contractors. CertiPath is a joint venture of ARINC Inc. of Annapolis, Md., Exostar LLC of Herndon, Va., and SITA of Geneva, Switzerland. VeriSign Inc. of Mountain View, Calif., issues certificates to the CertiPath bridge for bridge-to-bridge trust.

The organization spent three years trolling for money and defining the technology and policies needed, said president and CTO Jeff Nigriny.

“We had a large number of companies that wanted to be the source of authority for their employees’ identities,” he said. But employees on government contracts needed certificates issued by an agency trusted by the federal bridge. “It would be much better if we could have a single credential.”

It also would be better for the government. “The federal government is not in a position to cross-certify every company out there,” Nigriny said.

Boeing Co. was the first company to receive bridge-to-bridge certification through CertiPath. The company’s 153,000 employees now can use digital certificates from Boeing’s PKI to access federal resources.

Other certificate authority bridges are being developed, including one for the pharmaceutical industry and one for the higher education community. Both would like to cooperate with government, but so far neither has cross-certified with the federal bridge.
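The bridge-to-bridge trust described above can be modeled as a search for a chain of cross-certificates from the accepting agency's trust anchor to the CA that issued the user's certificate. The sketch below is an added example, not code from the FBCA or CertiPath; the labels "Agency CA", "Boeing CA", "Pharma Bridge" and "Pharma Co CA" are constructed, and signature, expiry and policy checks are omitted.

```python
from collections import deque

# Constructed trust graph: (issuer, subject) means the issuer has signed a
# CA certificate or cross-certificate for the subject. CA labels other than
# the bridges named in the article are illustrative.
CROSS_CERTS = {
    ("Agency CA", "FBCA"),
    ("FBCA", "Agency CA"),
    ("FBCA", "CertiPath Bridge"),
    ("CertiPath Bridge", "FBCA"),
    ("CertiPath Bridge", "Boeing CA"),
    ("Pharma Bridge", "Pharma Co CA"),  # bridge not cross-certified with FBCA
}


def build_path(trust_anchor, issuing_ca, cross_certs, revoked=frozenset()):
    """Return the shortest CA chain from trust_anchor to issuing_ca, or None.

    `revoked` is a set of (issuer, subject) cross-certificates that the
    issuer has withdrawn; those links are never used.
    """
    usable = set(cross_certs) - set(revoked)
    queue = deque([[trust_anchor]])
    seen = {trust_anchor}
    while queue:  # breadth-first search, so the first hit is the shortest chain
        path = queue.popleft()
        if path[-1] == issuing_ca:
            return path
        for issuer, subject in sorted(usable):
            if issuer == path[-1] and subject not in seen:
                seen.add(subject)
                queue.append(path + [subject])
    return None


def accept(trust_anchor, issuing_ca, cross_certs, revoked=frozenset()):
    """Relying-party decision: accept only when a trust chain exists."""
    return build_path(trust_anchor, issuing_ca, cross_certs, revoked) is not None


if __name__ == "__main__":
    print(build_path("Agency CA", "Boeing CA", CROSS_CERTS))
    print(accept("Agency CA", "Pharma Co CA", CROSS_CERTS))
```

A certificate from a contractor under the CertiPath bridge resolves through two bridges, while one from a bridge that has not cross-certified with the FBCA yields no chain and is rejected.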
