Hoping to use the power of the Internet to boost the efficiency of service delivery, the federal government has launched the biggest effort to date at establishing online security and trust. Called Access Certificates for Electronic Services (ACES), the project is expected to contract with a number of certification authorities to offer digital credentials to millions of Americans for their online interactions with government. The credentials, known as digital certificates, use digital-signature technology to authenticate individuals and businesses when accessing, retrieving and submitting information with the government.
The ACES contract, currently out for bid and expected to be awarded later this year, will most likely offer multiple awards, with as many as five or six certificate authorities for the public to choose from. "The certificates can be used by the public to sign for anything online," explained David Temoshok, ACES' director for government-wide policy. The goal of the project, according to Temoshok, is to adopt a standard, interoperable infrastructure so that all types of certificates of identity can be exchanged between agencies and the public. ACES will use a transaction-fee model that will cost the public nothing to use.
When announcing the RFP for the ACES contract, David Barram, with the General Services Administration (GSA), said, "The American people should have easy electronic access to government information. They can only do this if we make sure their privacy is protected. By developing a government-wide solution, this service will allow the government to present a common face to the public promoting convenience and user friendliness."
Once ACES takes hold, federal agencies can begin to engage in the kind of electronic-services delivery that has only been talked about at this point. Individuals could exchange everything from tax returns to student financial-aid forms with their respective agencies. The Social Security Administration, which has had to curtail public access to benefit estimate information due to the lack of security on the Internet, is expected to use ACES.
ACES could also become an effective means for state and local governments to assure security and trust with their Internet transactions. While ACES certificates will be restricted to federally funded programs, the architecture and standards for ACES could become the model for other public- and private-sector digital-certificate projects. "ACES is intended to kick-start public key use in both government and business," said Temoshok. "We want the business model to extend beyond the federal government."
Keys, Certificates and Transaction Fees
Last year, 50 million Americans had access to the Internet and spent between $8 billion and $13 billion on goods and services. Those numbers will be easily dwarfed by this year's figures. But few believe the Internet economy can grow beyond auctions, bookstores and investing services until it adopts an electronic means of establishing and verifying identity so that transactions can take place in a trusted environment.
In particular, the government sector has been stymied in its efforts to conduct electronic commerce because of that lack of trust. The most promising solution is a public key infrastructure (PKI), which uses digital-signature technology, as well as other security and verification components, to allow for secure transactions and communications to take place on a public network.
The central component is the digital certificate, which acts like a driver's license, authenticating the user while maintaining the integrity of any message or document in the transaction and providing complete confidentiality through encryption.
A user must apply for a digital certificate from a certification authority (CA). The CA issues the digital certificate to the applicant after verifying his or her identity. The certificate, like a driver's license, has an expiration date and can be renewed, revoked or reinstated if lost. So far, a small, but growing, number of firms have begun issuing certificates. They include Verisign, Digital Signature Trust Company and Entrust Technologies.