DOD nears launch of departmentwide PKI

The Defense Department soon plans to release guidelines that will lead to a departmentwide public-key infrastructure architecture that would ensure the integrity and confidentiality of data throughout the agency.

For months DOD has wanted to move from multiple, small PKI pilots to a single PKI architecture with a common policy, but the department had not developed guidelines on how to make the switch. With the imminent release of the "DOD PKI Road Map," DOD information assurance officials may have the guidance they need to make the PKI architecture a reality.

The guidance will address issues such as merging existing components, outsourcing PKI services and using emerging PKI technologies.

DOD hosts numerous pilots, such as a medium-assurance PKI and a Naval Acquisition PKI, and the Defense Message System has its own PKI.

But the various pilots offer "no set of standards or basis for interoperability," said Richard Schaeffer, director of infrastructure and information assurance within the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence. The road map will focus on "what's the most efficient process, architecture and structure [for PKI services] for the department."

A DOD certificate policy document, which will be released with the updated road map, will address what levels of assurance are applicable and what minimum level the department will accept. "We expect that initially there will be support for two levels of assurance," Schaeffer said.

Officials with the Naval Acquisition PKI pilot welcome the DOD PKI concept. "The plan has always been: When the DOD PKI is robust enough...we'll migrate to it," said Charlene Tallman, the command information systems security program manager for the Naval Supply Systems Command.

"PKI is one of the most critical things that DOD will do but also one of the most complex," Schaeffer said. "Trying to get it right without a vision and structure - without a road map - is fruitless."

The road map will establish a vision for a single type of user registration workstation that can order keying material for any DOD voice or data communications system, classified or unclassified, although delivery mechanisms for the keys will differ - a dramatic move, Schaeffer said. But one must be careful in implementing the concept, one security expert warned. Such workstations would be "an attractive target."

The road map also will address the use of third-party, outsourced PKI services such as those from VeriSign Inc., which already claims 10 DOD PKI pilots. The use of "third-party mechanisms" is doable technically, so the remaining issues are legal ones, Schaeffer said. What would be the liability, for example, of a contracting officer if an external certificate authority passed along as valid an invalid certificate? Accepting external CAs, if they meet DOD specifications, by signing their credentials with the DOD PKI root key might be the answer, he said. The road map will be technology neutral, Schaeffer said.

-- Adams is a free-lance writer based in Alexandria, Va.