Igniting PKI

Growth is steady but not as fast as some expected.

by / July 29, 2003 0
Although use of public key infrastructure (PKI) has not exploded at the state government level as many expected, the technology has found its niches and continues to grow in some jurisdictions.

PKI's potential, according to state government users, remains high despite a lull in growth over the last couple of years. Several factors -- including a lack of education, the economy and 9-11 -- may have contributed to the slowdown. But jurisdictions that ventured forward on PKI years ago continue to make progress. Growing use of digital signatures by the federal government may also trigger greater adoption among states.

Washington and Illinois are two PKI pioneers that rolled out high profile digital signature programs in 2000.

Washington's PKI grew from use by three initial agencies to eight agencies using about 26 applications, and the state is close to interoperating with the federal government.

Illinois worked diligently the last two years, and through trial and error developed in-house an enterprise-wide, self-managed PKI, according to Georgia Marsh, associate director of the Illinois Department of Revenue. "Rather than sitting around and waiting for 10 years to find out what is best, we're going to test things and do research, so we can set a path and other states can follow."

Those early implementations are helping pave the way for other states implementing PKI -- there are now at least six states that have implemented enterprise-wide PKI, according to Karen West, vice president of sales for Digital Signature Trust (DST).

"Washington really pushed it," West said. "The other states we've brought on have been much quicker boarding. When we first started doing this, it might have taken us six months to get a state up and running. Now we can do a full-blown PKI in 30 days or less."

Today, states can build on what Illinois and Washington have learned.

"[States] are more educated today than they were three years ago," West said. "Three years ago it was, 'Here's what a certificate is, and here's what PKI stands for.' Today it's more application design and helping them understand how they can re-engineer their processes, so they can use this technology."

Another factor that should generate more PKI implementation at the state level is the development of PKI at the federal level, according Tim Polk, PKI program manager at the National Institute of Standards and Technology. "The federal PKI is gaining momentum as an internal tool," he said. "PKI isn't being deployed as rapidly as we had hoped, but the schedule probably has been as rapid as we could rationally have expected."

Assuming Risks
Scott Bream, Washington's PKI program manager, said digital signatures can solve a lot of problems, but acknowledged that the "management overhead" associated with these implementations -- which includes maintaining the technology and assuming the risks that go along with guaranteeing secure online transactions -- probably have slowed digital signature growth.

"If you've got somebody who wants to revoke a certificate at 11 on a Saturday night, can you be sure that if your policy calls for two people to be available to do that, that's going to happen?" he asked.

That's one reason Washington outsourced its PKI platform to DST. "If we failed to follow a process, if somebody got a certificate that wasn't what it claimed to be, if there was an electronic transaction and a loss resulted from it, we'd be liable for that loss," Bream said.

Illinois chose not to outsource its PKI and struggled more in gaining acceptance than anything else. "It's been difficult not because the technology hasn't been there, but because of the difficulty of changing people's opinions," Marsh said. "The basis for any public key infrastructure is not the certificates but the policies and procedures you follow, and how you issue your certificates and run your certificate authority."

PKI also may have suffered from misconceptions of what the technology can do.

"The concept of a signature that can be trusted in an electronic form and document that has the ability to have trust in that signature throughout time is an important concept," said Paula Arcioni, PKI directory and identity management manager for the New Jersey Department of Information Technology. "I just don't think your average business process owner, be it the private sector or the public sector, really grasps that concept yet. They haven't made that transition."

Nevertheless, New Jersey implemented a PKI that allows attorneys and insurance agents to eliminate the mounds of paperwork handled during workers' compensation transactions. The state is close to unveiling a PKI that will allow businesses to avoid the paperwork involved in applying for federal grants.

Like other jurisdictions, New Jersey's ambitious PKI plans of a few years ago have been scaled back somewhat. The state, however, continues to believe the digital signature is "an important element in transactions," according to Arcioni.

Complexity also contributes to sluggish growth. "PKI is an infrastructure, and infrastructures are hard to build," Polk said. "PKI is more work to establish than a password-based system, so people deploying just one 'low value system' will always choose passwords as a cost-effective solution."

Consultant Larry Kirsch, former senior vice president of CDW Government, said government was sold a "bill of goods" by vendors who promised PKI would solve all its problems. "Many of the PKI solution providers offered best-case scenarios to early adopters," he said. "It is as complex and difficult to implement as many of their peers have said, and management costs are much higher than they were led to believe."

In Washington, that infrastructure is already in place.

"The policy is out there, the certificates are out there and the gateway is out there," Bream said. "All [agencies] have to do is register the applications with [the state] so people can get to it." But he said Washington tries to keep it as easy as possible. "If it doesn't warrant PKI, we're not going to push people into it."

Bream added that costly PKI isn't always the best way to fill agency needs, and this may serve as a roadblock to more implementation in state government. "It's a different kind of technology, and it may not be warranted in all cases," he said. "You can do electronic signatures that will work versus a digital signature in many cases. If it doesn't require the rollout and the deployment of PKI tools, that's probably the better way to go."

Multiple sources said confusion over the difference between electronic signatures and digital signatures is another factor, and that the Electronic Signatures in Global and National Commerce Act (E-Sign) -- a federal law that attempted to define legal requirements of a signed document -- was vague on technology and didn't explain the importance of choosing technologies to mitigate risk.

The term "electronic signature" encompasses a variety of ways, with varying levels of security, to verify an electronic document. Some types of electronic signatures are PINs, a digitized version of a handwritten signature and digital signatures.

A "digital signature" specifically refers to the use of public key cryptography to identify the originator.

There are other voids as well. Citizens must be able to obtain the electronic certificates needed to conduct digital signature transactions, and they need a reason to conduct highly secure electronic transactions in the first place.

"Citizens can get certificates, but there aren't a lot of applications where they're needed," West said. "If you look at what you do with your local government, how many things would you need a certificate for?
thority."

PKI also may have suffered from misconceptions of what the technology can do.

"The concept of a signature that can be trusted in an electronic form and document that has the ability to have trust in that signature throughout time is an important concept," said Paula Arcioni, PKI directory and identity management manager for the New Jersey Department of Information Technology. "I just don't think your average business process owner, be it the private sector or the public sector, really grasps that concept yet. They haven't made that transition."

Nevertheless, New Jersey implemented a PKI that allows attorneys and insurance agents to eliminate the mounds of paperwork handled during workers' compensation transactions. The state is close to unveiling a PKI that will allow businesses to avoid the paperwork involved in applying for federal grants.

Like other jurisdictions, New Jersey's ambitious PKI plans of a few years ago have been scaled back somewhat. The state, however, continues to believe the digital signature is "an important element in transactions," according to Arcioni.

Complexity also contributes to sluggish growth. "PKI is an infrastructure, and infrastructures are hard to build," Polk said. "PKI is more work to establish than a password-based system, so people deploying just one 'low value system' will always choose passwords as a cost-effective solution."

Consultant Larry Kirsch, former senior vice president of CDW Government, said government was sold a "bill of goods" by vendors who promised PKI would solve all its problems. "Many of the PKI solution providers offered best-case scenarios to early adopters," he said. "It is as complex and difficult to implement as many of their peers have said, and management costs are much higher than they were led to believe."

In Washington, that infrastructure is already in place.

"The policy is out there, the certificates are out there and the gateway is out there," Bream said. "All [agencies] have to do is register the applications with [the state] so people can get to it." But he said Washington tries to keep it as easy as possible. "If it doesn't warrant PKI, we're not going to push people into it."

Bream added that costly PKI isn't always the best way to fill agency needs, and this may serve as a roadblock to more implementation in state government. "It's a different kind of technology, and it may not be warranted in all cases," he said. "You can do electronic signatures that will work versus a digital signature in many cases. If it doesn't require the rollout and the deployment of PKI tools, that's probably the better way to go."

Multiple sources said confusion over the difference between electronic signatures and digital signatures is another factor, and that the Electronic Signatures in Global and National Commerce Act (E-Sign) -- a federal law that attempted to define legal requirements of a signed document -- was vague on technology and didn't explain the importance of choosing technologies to mitigate risk.

The term "electronic signature" encompasses a variety of ways, with varying levels of security, to verify an electronic document. Some types of electronic signatures are PINs, a digitized version of a handwritten signature and digital signatures.

A "digital signature" specifically refers to the use of public key cryptography to identify the originator.

There are other voids as well. Citizens must be able to obtain the electronic certificates needed to conduct digital signature transactions, and they need a reason to conduct highly secure electronic transactions in the first place.

"Citizens can get certificates, but there aren't a lot of applications where they're needed," West said. "If you look at what you do with your local government, how many things would you need a certificate for?

"We probably thought at one point that the driver's license bureaus would be likely candidates to use or issue these," West continued. "It turned out they're not. It's mainly that there haven't been a lot of consumer applications needed."

West said she believes motor vehicle agencies eventually will adopt PKI as drivers' licenses become more standardized, but exactly how they'll use the technology is unknown.

There will be other consumer applications as well. West predicted the mortgage industry will adopt PKI as counties implement electronic filing and electronic recording.

PKI Finds Niche
PKI already has carved niches in health care and law enforcement.

"Probably the No. 1 area where it has taken hold is health care," West said. "HIPPA has a lot to do with that, and the feds have a lot to do with that -- medical agencies and providers who want a higher level of authentication. The information they're passing around is pretty sensitive, so they have quite the need."

West said PKI mostly is used for access control to patient records and signing documents. "There's very little encryption among our clients, but a lot of signing and a lot of access control," she said. "When a doctor sees a patient, they put their progress notes in and digitally sign it."

The eight Washington agencies using PKI are doing so mainly to process and move "high value" information, such as communicable disease data handled by the state's Department of Social and Health Services (DSHS). The DSHS also works on a contractual basis with rehabilitation clinics, and a lot of information is passed back and forth.

"[PKI] allows them to input and process the information about progress the patients are making, etc.," Bream said. "That's a lot of personal identifiable medical information that we're able to move back and forth very quickly. It allows us to generate reports very quickly, and that's the kind of stuff the Legislature is looking for."

In law enforcement, judges in Utah and California use PKI to sign warrants, and some courts are looking forward to having lawyers use it to file papers.

All of Utah's law enforcement personnel have a digital signature, giving them access to the FBI's Bureau of Criminal Identification database.

Part of the reason the implementation took hold in Utah is that digital certificates were given to law enforcement officials for the Winter Olympics Utah hosted in 2000, according to West. "Once we got a contract in place and it started getting used, the other agencies started to say, 'Well, all we have to do is applications, and we can go to DST and get certificates.' We set it up once, and anyone in the state can use it."

The Benefit of Interoperability
Other government organizations use digital signature technology to promote interoperability among jurisdictions.

For instance, Pennsylvania's Integrated Justice Network now uses PKI from VeriSign to facilitate sharing of criminal records between state and federal law enforcement agencies. That kind of interoperability with the federal government was one goal of the Washington PKI program from the outset.

Meanwhile, the Illinois Department of Revenue's PKI system promotes electronic interaction between government and business, particularly small business.

The system allows businesses to avoid paper-based license application processes, for instance, which can take weeks to complete. Businesses may sercurely file all the necessary paperwork online and begin doing business more quickly, and interoperability will better enable Illinois businesses to take advantage of federal grants, according to Illinois' Marsh.

West said federal programs, especially programs that facilitate the transactions of business processes, have come a long way. "The feds are now beginning to look at opening up their programs to the states," she said. "They're funding some of the state programs. As more people begin to use this, especially other governments, the state governments realize there's something there for them."

Washington recently completed a pilot with the Social Security Administration to test use of the state's certificates outside state lines. Most state PKI implementations involve internal transactions. But with the recent adoption of PKI by the federal government, states are beginning to look at expanding transactions to include entities outside the state, including federal agencies.

"It's a test of the interoperability, and trying to slice through different boundaries or layers of government with a single credential," Bream said. "We didn't have any glitches with it, and that proved we could use [the certificates] outside the state for other things."

Interoperability with the federal government is key to PKI growth at the state level, according to West. "The more places you can use these things, the more likely you're going to use them," she said. "All states file with the federal government. All the health-care agencies in the state work with the [Centers for Disease Control and Prevention, the National Institutes of Health, and the United States Department of Health and Human Services]."

Here to Stay
Digital signatures may not be used everywhere, but most believe the technology is here to stay.

"It hasn't gone away and probably won't because it's the right thing to do," Bream said. "When you keep looking at what it provides in terms of security and authentication, it still provides those values, and there's really nothing to the fore to replace it."

Polk said PKI shouldn't be seen as a "gold-plated" attempt to solve all the organization's problems. "Security should always be commensurate with need, rather than aiming for perfection," but he agreed PKI has its place. "Authentication of users is a critical aspect of many applications," he said. "Typically user authentication is achieved through PINs and passwords, but for high-value propositions, PINs and passwords are simply unacceptable."
Jim McKay, Justice and Public Safety Editor Justice and Public Safety Editor