state had distributed several hundred identification certificates, generally of the high-security variety. Differences among the security levels lie in how applicants are authenticated and how the digital signature is stored, according to Kolodney.
At the high-security level, applicants must appear before a notary with two pieces of photo identification. The notary then submits the information to the certification authority. The authority verifies the application and assigns the applicant a digital identification, which is stored either in a smart card or a device called a key fob that plugs into the USB port on a users PC. In addition, applicants are given a pass phrase or an identification number.
Initiating a secure transaction requires both the hardware device containing the digital ID and the pass phrase or number. "We like to say that you have to have something and you have to know something," Kolodney said. "That is a security matter, because to lose [the digital identity] you have to lose the physical device and the pass phrase at the same time."
Initial users of Washingtons high-security certificates include lawyers seeking confidential client records and health-care professionals seeking communicable disease data, said Kolodney. In addition, the states public retirement system envisions using the certificates to allow members to change addresses, job status and other information electronically.
At the standard-security level, users apply for the digital certificates online. The identifications are issued with minimal verification and loaded directly into a users Web browser.
"Theres really no security associated with it other than youve asked for it and gotten it. So it represents you to that extent," Kolodney said. He expects standard certificates to replace state-issued passwords used for electronic tax filing applications and other common transactions.
Washingtons intermediate-level certificates fill the gap between the two extremes. Like the high-security signature, intermediate IDs require storage of the certificate in a smart card or key fob. But they dont require a notarized application.
Users pay an annual fee for their certificate based on its security level. Standard certificates cost less than $20 per year. High-security certificates cost about twice that amount, plus a one-time fee for the smart card or key fob hardware. Standard certificates carry a liability limit of $1,000 per transaction. The limit for intermediate certificates is $10,000, and high-security certificates may be used for transactions valued as high as $50,000.
Illinois currently issues a single high-security certificate. The state expects to expand the certificate options later on, but its keeping the initial roll out simple to avoid confusion and to develop the processes needed for a wider implementation, said Reynolds.
So far, Illinois is giving certificates to users it can readily and positively identify, such as Medicaid providers that regularly deal with state health agencies. But while face-to-face identification of trusted business partners works on a small-scale basis, Illinois officials acknowledge that meeting the governors goal of issuing digital IDs to as many as 1 million citizens and businesses over the next 18 months demands a different approach.
"These are people who come to us multiple times in a year, and they come to us in a known context," said Crossland. "Down the road, weve got to figure out how to register John Q. Citizen who just pops up on the Web and says, I want a certificate. And thats a little more complicated."
Ultimately, Illinois expects to develop a suite of certificates covering multiple security levels and create online application processes for at least some of them.
"Were working our way through these various applications and talking about the levels of certificates we might want to have. Weve looked at four levels and weve looked at five," said Crossland. "If you go with the five-level model, youre going through a state-police vetting process at the highest