State and local governments are only beginning public-key infrastructure
plans, but they already have a looming problem.
At some point, agency PKIs will have to interoperate, and government
systems will have to communicate with those of commercial vendors. How well
this works could determine the ultimate success of government PKI.
A solution under development by the federal government could be the answer.
The Federal Bridge Certification Authority (FBCA) is a way to create
so-called trust paths between user groups. By "cross-certifying" individual
certificate authorities (CAs) through the FBCA, which acts as a trusted
third party, any user that needs to accept a PKI certificate from another
body to conduct a transaction will know the certificate can be trusted,
no matter which CA issued it.
The FBCA won't be operational until the end of this year at the earliest.
But it's already sparking enthusiasm among some states. Virginia is all
but committed to using it as the model for its own PKI and for future expansion
of electronic transactions between it and the federal government.
New Jersey and Georgia have also been in close consultation with the Federal
PKI Steering Committee, the Treasury Department body overseeing development
of the FBCA, and other states have reportedly expressed interest in the
federal bridge, including California and Washington, as well as the city
and county of Los Angeles.
"The bridge will be needed at some point," said Patricia Edfors, director
of government operations for Baltimore Technologies, a CA vendor that provides
PKI solutions to federal and state governments as well as to private companies.
"States will do what they need to do [on PKI], and the federal government
will do what it needs to do, and they will not agree on all of the rules
they use," Edfors said. "The FBCA will speed up the the communication between
the two sides. Otherwise, it will take years for them to negotiate the necessary
agreements."
State governments realize the need for PKIs to communicate, she said,
since interoperability has become a constant in government requests for
proposals. "But that doesn't mean they necessarily know what [inter- operability]
means," she added.
If parties want to create trust paths between each other now, they either
have to use the same vendor as a CA and issuer of certificates — and even
here there may be different "flavors" of certificates — or else develop
their own CA trust lists, and deal with all of the interpretation and management
protocols involved.
The FBCA does all of this automatically by forming a non-hierarchical
hub that matches CAs according to terms and policies agreed upon with each
of the participating parties.
Within the federal government, for example, a policy authority under
the auspices of the Federal PKI Steering Committee agrees with each of the
participating government agencies on the levels of assurance under which
they would accept certificates from other agencies. This policy authority
would then map that agency's policy to the FBCA certificate policy.
States who use this as a model for their own systems would form their
own policy authority to map their agencies' PKIs to the state bridge CA
policy. That state bridge would then interoperate with the FBCA to allow
state agencies to conduct transactions with federal agencies or, presumably,
with other states that also interoperate with the FBCA.
"Ideally, we'd like to find a "killer application' that the state and
local governments need to interoperate with a federal agency that could
drive this and make it happen sooner," said Richard Guida, chairman of the
Federal PKI Steering Committee. "We're just beginning to tap the tip of
the iceberg with this. But the expectation is, as people become more aware
of the FBCA, the applications will arise."
Because the federal policy authority was expected to be in place in
July, some months ahead of the FBCA itself, any state government that already
has a PKI in place could apply to be qualified through the policy authority
to have its CAs cross-certified with the federally approved CAs. However,
Guida said, "We don't expect it because no state is near to that yet. It's
more likely to happen in early 2001."
Virginia's formal connection with the FBCA began with a report last
summer that had as a core assumption the expectation that there would be
multiple PKIs throughout its government. The report also suggested that
Virginia explore the federal bridge concept. Before then, said R.F. "Chip"
German, director of policy and strategic planning in the University of Virginia's
Office of Information Technologies, "it was more a case of what we knew
couldn't be done [about interoperability] than could.
"Then [Guida] made a presentation to us about the FBCA. The technical
people became intrigued with the notion of the bridge, and it quickly became
the potential answer for them," German said. "Then we got up to speed on
the policy side."
The University of Virginia is researching the viability of the bridge
concept as it applies to state government PKIs.
Unlike in the federal government, where there are already agency PKIs
installed that need to interoperate, Virginia will deploy the bridge concept
early enough that it can be used to dictate the policies that the state
agencies will use to issue certificates. That will simplify things because
the optimum certificate policy for the Virginia bridge can be worked out
ahead of time.
A prototype of the state bridge is already operating, German said, and the
next steps will be detailed in a report due out in September. However, he
said, "it's my opinion that the bridge will be a core part of the state
PKI environment going forward. It will be one of the major considerations
for an overall PKI implementation in Virginia, for dealing with multiple
hierarchies and multiple CAs."
New Jersey is also a "big fan" of PKI, according to Don Johnson, the
state's director of advanced technology research. But unlike Virginia,
New Jersey has taken a more homogeneous route and is disallowing multiple
PKIs throughout the government. It's only using VeriSign Inc.'s digital
certificates.
However, Johnson said, as the state begins to interact more with organizations
outside of the government, which will have their own CAs and certificate
policies, the FBCA approach will become more applicable.
"For that reason we consider ourselves a business partner with the federal
government," he said. "At least [Guida's group] has started to develop a
way of dealing with multiple, different CAs. They have an understanding
of the trust issues involved and, crucially, they've developed the client
software that allows [inter- operability] to happen."
How relevant the FBCA is to state governments depends on their approach
to PKI. For Virginia, New Jersey and other states that have opted to install
full PKIs, the relevance is obvious. But it's less so for states like Massachusetts,
which has decided that a full PKI deployment is not the way to go.
It's too complicated and expensive, and it doesn't agree with the state's
current approach, said Dan Greenwood, Massachusetts' special counsel for
e-commerce.
"We prefer to use mature technologies such as Secure Sockets Layer on
top of the infrastructure we have in place now," he said.
Nevertheless, Massachusetts probably will maintain contact with Guida's
committee.
"If you equate a CA with [an electronic] contract, it might be helpful
in the future to be able to map from one contract to another, and then the
FBCA model could be useful for that," Greenwood said. "There's also simply
an inherent value in keeping a relationship open between state and federal
governments."
The future of the FBCA now rests with Congress. A prototype was successfully
demonstrated in April, and a production version is due to go up by the end
of this year.
—Robinson is a freelance journalist based in Portland, Ore.
