Although use of public key infrastructure (PKI) has not exploded at the state government level as many expected, the technology has found its niches and continues to grow in some jurisdictions.
PKI's potential, according to state government users, remains high despite a lull in growth over the last couple of years. Several factors -- including a lack of education, the economy and 9-11 -- may have contributed to the slowdown. But jurisdictions that ventured forward on PKI years ago continue to make progress. Growing use of digital signatures by the federal government may also trigger greater adoption among states.
Washington and Illinois are two PKI pioneers that rolled out high profile digital signature programs in 2000.
Washington's PKI grew from use by three initial agencies to eight agencies using about 26 applications, and the state is close to interoperating with the federal government.
Illinois worked diligently the last two years, and through trial and error developed in-house an enterprise-wide, self-managed PKI, according to Georgia Marsh, associate director of the Illinois Department of Revenue. "Rather than sitting around and waiting for 10 years to find out what is best, we're going to test things and do research, so we can set a path and other states can follow."
Those early implementations are helping pave the way for other states implementing PKI -- there are now at least six states that have implemented enterprise-wide PKI, according to Karen West, vice president of sales for Digital Signature Trust (DST).
"Washington really pushed it," West said. "The other states we've brought on have been much quicker boarding. When we first started doing this, it might have taken us six months to get a state up and running. Now we can do a full-blown PKI in 30 days or less."
Today, states can build on what Illinois and Washington have learned.
"[States] are more educated today than they were three years ago," West said. "Three years ago it was, 'Here's what a certificate is, and here's what PKI stands for.' Today it's more application design and helping them understand how they can re-engineer their processes, so they can use this technology."
Another factor that should generate more PKI implementation at the state level is the development of PKI at the federal level, according Tim Polk, PKI program manager at the National Institute of Standards and Technology. "The federal PKI is gaining momentum as an internal tool," he said. "PKI isn't being deployed as rapidly as we had hoped, but the schedule probably has been as rapid as we could rationally have expected."
Scott Bream, Washington's PKI program manager, said digital signatures can solve a lot of problems, but acknowledged that the "management overhead" associated with these implementations -- which includes maintaining the technology and assuming the risks that go along with guaranteeing secure online transactions -- probably have slowed digital signature growth.
"If you've got somebody who wants to revoke a certificate at 11 on a Saturday night, can you be sure that if your policy calls for two people to be available to do that, that's going to happen?" he asked.
That's one reason Washington outsourced its PKI platform to DST. "If we failed to follow a process, if somebody got a certificate that wasn't what it claimed to be, if there was an electronic transaction and a loss resulted from it, we'd be liable for that loss," Bream said.
Illinois chose not to outsource its PKI and struggled more in gaining acceptance than anything else. "It's been difficult not because the technology hasn't been there, but because of the difficulty of changing people's opinions," Marsh said. "The basis for any public key infrastructure is not the certificates but the policies and procedures you follow, and how