PKI: What is it and what can it do for us?

FCW's Dot-Gov Thursday column provides some helpful pointers about public-key infrastructure

Public-key infrastructure is a term that many of us in the federal government have been hearing lately. But what does it mean? What benefits can it offer?

Here's some background. One driver of the need for PKI is the Government Paperwork Elimination Act, which, among other things, requires the federal government to allow the use of electronic signatures to reduce the paperwork burden on the public. OMB's guidance to federal agencies, as described in GPEA, is that each agency determine its customers' ability to interact with it electronically, and then select an appropriate combination of technology and practice that cost-effectively minimizes risks and maximizes benefits to agencies and customers.

Another driver is customer expectation, based on their ability to interact electronically with industry and academia for such transactions as banking, purchasing and information gathering. Yet another driver is the need to protect our critical infrastructure, which is threatened by malicious electronic attacks.

So, what is PKI? It is an implementation of public-key technology, also known as "asymmetric cryptography." Typically, each user has two key pairs. One key pair is used for digital signatures, so the recipient can verify that the person sending the message is who he says he is. The other key pair is used for encryption, so that only the intended recipient can read the message. In each key pair, one key is public and the other is kept private.

The Federal Bridge Certificate Authority (FBCA) is the "translator" of disparate certificate authorities (CAs). It is designed as a non-hierarchical hub that maps levels of assurance and ensures that appropriate levels are "matched." The immediate focus of the FBCA is to provide a seamless "trust path" verification between federal agencies. The ultimate goal is to provide a bridge to external organizations that want to cross-certify with the Federal Bridge. Such external organizations can include state governments, industry, academia and foreign governments.
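To illustrate the bridge model described above (a non-hierarchical hub that maps assurance levels and supplies a trust path between otherwise unrelated CAs), here is an added, constructed Python example; it is not FBCA software and the CA names, cross-certificates and level mappings are hypothetical.

```python
from collections import deque

# Ordered assurance levels (constructed; the real FBCA policy mappings
# are defined in its certificate policy, not reproduced here).
LEVELS = {"rudimentary": 1, "basic": 2, "medium": 3, "high": 4}

# Constructed cross-certificates: (issuer, subject, mapped level).
# Each partner CA cross-certifies with the bridge in both directions, and
# the mapped level is the highest assurance the issuer accepts from the
# subject's certificates. Agency and state CA names are hypothetical.
CROSS_CERTS = [
    ("AgencyA-CA", "Bridge", "high"),
    ("Bridge", "AgencyA-CA", "high"),
    ("AgencyB-CA", "Bridge", "medium"),
    ("Bridge", "AgencyB-CA", "medium"),
    ("Bridge", "StateX-CA", "basic"),
    ("StateX-CA", "Bridge", "basic"),
]


def build_graph(cross_certs):
    """Directed graph: issuer -> [(subject, mapped level), ...]."""
    graph = {}
    for issuer, subject, level in cross_certs:
        graph.setdefault(issuer, []).append((subject, level))
    return graph


def find_trust_path(cross_certs, trust_anchor, issuing_ca):
    """Breadth-first search from the relying party's trust anchor to the CA
    that issued the end-entity certificate. Returns (path, effective_level)
    or (None, None). The effective level is the weakest mapping on the path:
    a chain is only as strong as its least-trusted cross-certificate.
    BFS returns the shortest path found, not necessarily the strongest one."""
    graph = build_graph(cross_certs)
    queue = deque([(trust_anchor, [trust_anchor], None)])
    seen = {trust_anchor}
    while queue:
        node, path, level = queue.popleft()
        if node == issuing_ca:
            return path, level
        for nxt, edge_level in graph.get(node, []):
            if nxt in seen:
                continue
            seen.add(nxt)
            weakest = edge_level if level is None else min(level, edge_level, key=LEVELS.get)
            queue.append((nxt, path + [nxt], weakest))
    return None, None


def meets_assurance(cross_certs, trust_anchor, issuing_ca, required):
    """True if a trust path exists and its effective level is at least `required`.
    A certificate issued directly by the trust anchor needs no mapping."""
    path, level = find_trust_path(cross_certs, trust_anchor, issuing_ca)
    if path is None:
        return False
    return level is None or LEVELS[level] >= LEVELS[required]
```

Run `find_trust_path(CROSS_CERTS, "AgencyA-CA", "AgencyB-CA")` to see the path through the bridge and the medium level it yields.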

For more details, please refer to PKI Guidance and Documents, a page on the CIO Council's Web site, maintained by the council's Electronic Government Subcommittee.

I found the PKI Handbook especially useful. The full title of this document is "The Evolving Federal Public Key Infrastructure," written by the Federal Public Key Infrastructure Steering Committee of the CIO Council. In addition, there is a February 2001 GAO report that summarizes the availability of PKI products and services, as well as the implementation issues experienced by federal agencies trying to develop their own PKI.

More information about the GSA ACES program, Access Certificates for Electronic Services, can be found at www.gsa.gov/aces. And for more information on the OMB's guidance to the GPEA, see either Selected OMB Memoranda to Heads of Federal Departments and Agencies or the aforementioned PKI Guidance and Documents.

Rice is deputy director of the Emerging IT Policies Division in the Office of Governmentwide Policy at the General Services Administration. She can be reached at nora.rice@gsa.gov.
