Feds Hold a Few ACES Up Their Sleeves

The federal government turns to certification authorities for securing public-sector Internet transactions.

by / August 31, 1999
Hoping to use the power of the Internet to boost the efficiency of service delivery, the federal government has launched the biggest effort to date at establishing online security and trust. Called Access Certificates for Electronic Services (ACES), the project is expected to contract with a number of certification authorities to offer digital credentials to millions of Americans for their online interactions with government. The credentials, known as digital certificates, use digital-signature technology to authenticate individuals and businesses when accessing, retrieving and submitting information with the government.

The ACES contract, currently out for bid and is expected to be awarded later this year, will most likely offer multiple awards, with as many as five or six certificate authorities for the public to choose from. "The certificates can be used by the public to sign for anything online," explained David Temoshok, ACES' director for government-wide policy. The goal of the project, according to Temoshok, is to adopt a standard, interoperable infrastructure so that all types of certificates of identify can be exchanged between agencies and the public. ACES will use a transaction-fee model that will cost the public nothing to use.

When announcing the RFP for the ACES contract, David Barram, with the General Services Administration (GSA) said, "The American people should have easy electronic access to government information. They can only do this if we make sure their privacy is protected. By developing a government-wide solution, this service will allow the government to present a common face to the public promoting convenience and user friendliness."

Once ACES takes hold, federal agencies can begin to engage in the kind of electronic-services delivery that has only been talked about at this point. Individuals could exchange everything from tax returns to student financial-aid forms with their respective agencies. The Social Security Administration, which has had to curtail public access to benefit estimate information due to the lack of security on the Internet, is expected to use ACES.

ACES could also become an effective means for state and local governments to assure security and trust with their Internet transactions. While ACES certificates will be restricted to federally funded programs, the architecture and standards for ACES could become the model for other public- and private-sector digital-certificate projects. "ACES is intended to kick-start public key use in both government and business," said Temoshok. "We want the business model to extend beyond the federal government."

Keys, Certificates and Transaction Fees

Last year, 50 million Americans had access to the Internet and spent between $8 billion and $13 billion on goods and services. Those numbers will be easily dwarfed by this year's figures. But few believe the Internet economy can grow beyond auctions, bookstores and investing services until it adopts an electronic means of establishing and verifying identify so that transactions can take place in a trusted environment.

In particular, the government sector has been stymied in its efforts to conduct electronic commerce because of that lack of trust. The most promising solution is a public key infrastructure (PKI), which uses digital-signature technology, as well as other security and verification components, to allow for secure transactions and communications to take place on a public network.

The central component is the digital certificate, which acts like a driver's license, authenticating the user while maintaining the integrity of any message or document in the transaction and providing complete confidentiality through encryption.

A user must apply for a digital certificate from a certification authority (CA). The CA issues the digital certificate to the applicant after verifying his or her identity. The certificate, like a driver's license, has an expiration date and can be renewed, revoked or reinstated if lost. So far, a small, but growing, number of firms have begun issuing certificates. They include Verisign, Digital Signature Trust Company and Entrust Technologies.

The vendors who are awarded a contract for ACES will have to establish a method of verifying the identity of certificate applicants. According to Temoshok, this could be through face-to-face contact or online. Vendors will also have to register certificate users, provide the key pairs for encrypting messages and documents, validate certificates on a 24-by-7 basis, renew, suspend and revoke certificates when necessary and bill participating government agencies based on transaction volume.

The ACES pricing model is both unusual and somewhat controversial. The GSA knew the project would never work if agencies had to purchase the certificates for users. "You won't find a federal agency that will pay as much as $30 (the cost of a typical certificate) a pop using taxpayer money," said Temoshok.

So the ACES project team turned to the model used by banks with automated teller machines. Let a third-party vendor build the infrastructure for the system and only when a transaction takes place does the bank pay a fee. Similarly, participating agencies won't spend a cent on ACES until the public begins to use it. "We didn't want any single agency to have to bear all the PKI-construction costs to issue certificates," explained Temoshok. "We believe there are companies well positioned to make that investment and recoup their costs [through the transaction fees paid by the agencies]."

But the transaction fee plan is controversial. In order for it to work, the feds have to forecast a fairly substantial transaction volume, before a single certificate has been issued, to encourage investment from vendors. These predictions on usage for an entirely new online service are often nothing more than guesswork. Temoshok is confident the model will work based on the interest in ACES among several key federal agencies, including the departments of Education and Veterans Affairs as well as the Social Security Administration.

Given the huge potential for ACES to open up the electronic-commerce market, state and local governments have been following the project with interest. Public Technology Inc. , the research and development organization for local governments, sees ACES as having an influence on local government attitudes towards the use of certificates. Except for a pilot project involving PTI and a handful of local jurisdictions, there has been little activity in regards to digital certificates.

But that's beginning to change. "As the federal government develops applications, the activity will influence local officials," said Cindy Kahan, PTI's senior vice president. "Once you have those pockets of experimentation, they can reach a volume level where the use of certificates starts to take off." In addition, PTI is in the final stages of discussion with Digital Signature Trust (DST) to issue PTI-branded certificates to local governments. DST is one of the bidders for the ACES contract.

States, through the Electronic Commerce Coordinating Council (EC3), have been providing ACES with feedback through EC3's affiliation with the Internet Council, which is part of the National Association of Clearing House Authorities. But it's still too early to tell what impact ACES could have on electronic commerce, according to Kara LaPierre, director of operations for EC3. "It's not clear how ACES will be extended to the states," she said in reference to the fact that ACES is limited to federal agencies and federally funded programs.

So while a state agency receiving federal funds may participate in ACES, other state agencies would not, complicating what is already a complex issue for states. The solution would be to develop software that can read multiple forms of certificates, whether they are from ACES or from some other, yet-to-be-determined publicly funded system. "Our goal is for any trusted certificate to be accepted by the agencies," said Temoshok. "We want to do this in an open environment so that all trusted certificates can be transferable and migrate beyond the
federal government."

To meet that end, GSA is developing a software program known as CAM (certificates arbitration module). Information on CAM and the ACES project are online.