May 6, 2001 By Steve Towns
Illinois system passed its final testing in January and since then has issued a handful of digital certificates, said Reynolds. The state did, however, issue a number of certificates through the system before it reached full production for use in various pilot projects. Eventually, state IT officials expect as many as half of Illinois citizens -- or about 6 million people -- to seek a digital identity.
Unlike Washington, Illinois will provide digital certificates to citizens and businesses at no cost. Crossland said the move eliminates squabbles over who pays for the IDs.
"We just put the money in the budget and appropriated it. So we dont talk about [cost] anymore," he said. "Its always nice to take at least one issue off the table."
The Hard Part
Although PKI involves sophisticated cryptography, those involved in developing these systems say implementing the technology is easy compared with creating the regulatory and procedural framework to support it. In other words, they argue that digital identities and signatures are only as good as the rules behind them.
"Its not just the technology of the encryption or the signature, its the policy and practice that creates trust. And this is all about trust," said Kolodney.
"This is not a face-to-face transaction, this is a transaction over distance. So you have to substitute the inherent trust two people who know each other might have with some other kind of trust that is based on policy," he said. "That is a critically important element, and it takes months and months and months to work out."
In fact, Washingtons effort took several years, according to Kolodney. Besides passing legislation to make digital signatures a legal substitute for written signatures, the state developed 150 pages of policy that lays the ground rules for conducting PKI transactions. Among other things, the policies spell out how to identify citizens who apply for digital signatures, liability limits for digital transactions and the responsibilities of digital certificate issuers and recipients.
Similarly, Illinois poured significant resources into developing policies for its PKI system, said Reynolds. "We do want to make sure if were interacting electronically with somebody to renew their drivers license, for example, that they are who they say they are and that they are legally bound by that digital signature just as they would be by a written signature," she said.
Both states add that their certificate policies comply with standards developed by the federal government, facilitating electronic transactions between state and federal agencies. "All of these policy pieces are, by extension, part of the certificate," said Kolodney. "So just issuing the key doesnt get you very far."
Iowa CIO Richard Varn, whose office is preparing an RFP for a statewide PKI system, said the accuracy of existing government identification methods also plays a key role in the trustworthiness of digital identity systems. He noted that digital authentications largely will be based on traditional government identification systems -- those tracking births, deaths, marriage, drivers licenses and other vital statistics.
"We have to coordinate those systems first to make sure they have some relationship with each other," said Varn. He added that Iowa would consider using additional identification methods such as fingerprints and other biometric indicators.
Regardless of the identity data used, Iowa intends to approach the issue gingerly. Varn said citizens would decide how much private information they are willing to give up based on the types of electronic transactions they wish to conduct with the state.
"If you are forcing people to submit personal information like fingerprints for all purposes, for all times, then youve got a privacy debate," he said. "But if you are letting people say, I want to
You may use or reference this story with attribution and a link to