IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

States Work with Feds for PKI Interoperability

States Work with Feds for PKI Interoperability

The 1977 epic A Bridge Too Far recaptures one of the most fruitless battles of World War II -- a costly attempt to capture six bridges that connected Holland and Germany. A major gamble from the outset, the campaign led to defeat and more Allied casualties than in the entire Normandy invasion.

Fortunately, the folks at the Federal Bridge Certification Authority (FBCA) are having an easier time of it in an initiative aimed at handling some of the thornier questions in government security -- exactly who do you trust when it comes to the handing out and acceptance of digital certificates during e-Government transactions, how do states and federal agencies interoperate to make such certs usable across the government spectrum, and what will it really take to establish "digital" trust to make paperless e-government a reality?


The Cast
FBCA has gathered an impressive array of federal agencies, states and vendors in an effort to make the initiative a success. On the federal side, there is heavy involvement by the Department of Defense, National Security Agency, General Services Administration, Treasury and the Federal CIOs Council. From the vendor community Entrust Technologies and Baltimore Technologies are directly involved in the FBCA from the technology side, but other PKI/security vendors such as RSA, Cylink, Verisign and Spyrus are also coordinating with the project.

At the state level, Illinois is working closely with the FBCA in an interoperability pilot that will probably form the basis of how states share digital certificates with federal and possibly commercial entities. "We are just in the process of developing the cross-certification agreement between FBCA and the State of Illinois CA so we have not tested any applications yet," said Brent Crossland, Deputy CIO for the State of Illinois. "Our timetable is to have the agreement in place by September along with some initial applications." According to Crossland, Washington and New Jersey are also in discussions with the FBCA.


Who Cuts the Keys?
Whats it all about? Instead or relying on passwords and PINs, a public key infrastructure (PKI) is being promoted as a means of maintaining secure electronic transactions between agencies and properly authenticating users. In essence, PKI handles encryption, decryption, digital signatures and authentication of documents relayed over the Internet. You keep one "key" and hand out another "key" to others you do business with. That way, you can decrypt each others messages and digitally "sign" them.

But who makes the keys, who decides if another key is valid and generally acts as the point of trust concerning PKI relationships? That is where a Certification Authority (CA) enters the picture. A CA acts as the trusted issuer of certificates (containing the keys) to agencies, companies and individuals. In a small, relatively closed community, this works fine. Everyone agrees to trust a vendor, a bank or a government body to be the "keeper of the keys" and maintain the integrity of the system.

Unfortunately, it is hard to gain agreement on one central CA for all, and anyway, the resulting entity would be unwieldy in the extreme. So you end up with hundreds of CAs. Potentially one for every PKI vendor, government agency and transaction broker (bank, insurance company, etc) in the land. Now the problem becomes, "Can I accept certificates from another CA?"

Thats where the FBCA comes in. Each CA adopts its own certification policy that allows individuals and entities to determine the level of trust they can place in the electronic credentials (PKI certificates) issued by the CA. Similarly, the FBCA cross-certifies those CAs by mapping each CAs policies to a central "policy standard" adopted by FBCA.

"Think of the FBCA as facilitating peer-to-peer relationships among otherwise unaffiliated CAs," said Crossland. "The architecture is such that any party with a CA cross-certified with the Bridge CA can determine to what extent that party wants to trust certificates issued by any other partys CA that is cross-certified with the Bridge CA."

Obviously this mutual trust can also be accomplished with a one-to-one agreement between the two parties. But once you move beyond one or two partners in a PKI arrangement, the complexity of the trust relationships multiplies exponentially.

The real benefit of the FBCA comes, then, when you have CAs from many parties cross-certified. Each CA has to reach only one agreement -- with the FBCA. As long as it maps its policies to those of the FBCA and deals with other CAs who have similarly mapped their policies to the federal body, each party knows how much trust to extend to the offered certificates. This even makes it possible to use PKI for swift and secure e-government interactions with state and commercial entities.

"It is our hope to extend the issuance of cross certificates to state government and key industry groups to foster trust between these and the federal government," said Judith Spenser, Chairperson of the Federal PKI steering committee that oversees the Federal Bridge initiative.


State Benefits
How would this be of material benefit to the states? Crossland gives the example of using Illinois issued digital certificates with federal agencies. If he wanted Illinois certificates to be used by a single federal agency it would be much simpler to develop an agreement with that agency and cross-certify directly with that agencys CA. By cross-certifying with the FBCA, however, Illinois certificates can be interchanged with any federal agency that is also cross-certified with the FBCA.

"From an interoperating point of view the Bridge CA creates some standards," said Crossland. "Our CA policies and procedures are evaluated and, if accepted, given a level of credibility to the federal agencies."

He expects this system to allow secure interchange between state and federal levels but not between state agencies and citizens who had been issued certificates by a federal agency. Why? The Federal Access Certificates for Electronic Services (ACES) program (that facilitates secure online access to government information and services by the public through the use of public key infrastructure/digital signature technology, is based on a transaction charge.

"I doubt that any federal agency will want to assume that transaction charge for a certificate use at a State of Illinois agency and there is no need for the state of Illinois agency to pay the transaction charge since our certificates are issued at no charge," said Crossland.

Another way states will benefit from involvement in the FBCA is that applications are also being developed and piloted to automate the processes involved in PKI acceptance and determination of the levels of trust that can be extended/accepted by participating entities. At the low end of the trust scale, digital certificates validate the identity of interacting parties and permit interactions of a non-confidential nature. As you move up to higher levels of trust, policies and security procedures become more stringent until at the top levels there is a requirement for face-to-face interaction.

This brings up an important point. Ultimately, this project is establishing an infrastructure for secure e-government. It is actually it is a crucial ingredient in achieving the goal of paperless government.

"Since the FBCA now becomes a single conduit for trust," said Gary Moore, Entrusts federal technical director, "which is the foundation of e-business and e-government, then state and local agencies can leverage that infrastructure to move their existing processes online without the burden of having to repeat the process of establishing relationships with each agency that they deal with."
rty with a CA cross-certified with the Bridge CA can determine to what extent that party wants to trust certificates issued by any other partys CA that is cross-certified with the Bridge CA."

Obviously this mutual trust can also be accomplished with a one-to-one agreement between the two parties. But once you move beyond one or two partners in a PKI arrangement, the complexity of the trust relationships multiplies exponentially.

The real benefit of the FBCA comes, then, when you have CAs from many parties cross-certified. Each CA has to reach only one agreement -- with the FBCA. As long as it maps its policies to those of the FBCA and deals with other CAs who have similarly mapped their policies to the federal body, each party knows how much trust to extend to the offered certificates. This even makes it possible to use PKI for swift and secure e-government interactions with state and commercial entities.

"It is our hope to extend the issuance of cross certificates to state government and key industry groups to foster trust between these and the federal government," said Judith Spenser, Chairperson of the Federal PKI steering committee that oversees the Federal Bridge initiative.


State Benefits
How would this be of material benefit to the states? Crossland gives the example of using Illinois issued digital certificates with federal agencies. If he wanted Illinois certificates to be used by a single federal agency it would be much simpler to develop an agreement with that agency and cross-certify directly with that agencys CA. By cross-certifying with the FBCA, however, Illinois certificates can be interchanged with any federal agency that is also cross-certified with the FBCA.

"From an interoperating point of view the Bridge CA creates some standards," said Crossland. "Our CA policies and procedures are evaluated and, if accepted, given a level of credibility to the federal agencies."

He expects this system to allow secure interchange between state and federal levels but not between state agencies and citizens who had been issued certificates by a federal agency. Why? The Federal Access Certificates for Electronic Services (ACES) program (that facilitates secure online access to government information and services by the public through the use of public key infrastructure/digital signature technology, is based on a transaction charge.

"I doubt that any federal agency will want to assume that transaction charge for a certificate use at a State of Illinois agency and there is no need for the state of Illinois agency to pay the transaction charge since our certificates are issued at no charge," said Crossland.

Another way states will benefit from involvement in the FBCA is that applications are also being developed and piloted to automate the processes involved in PKI acceptance and determination of the levels of trust that can be extended/accepted by participating entities. At the low end of the trust scale, digital certificates validate the identity of interacting parties and permit interactions of a non-confidential nature. As you move up to higher levels of trust, policies and security procedures become more stringent until at the top levels there is a requirement for face-to-face interaction.

This brings up an important point. Ultimately, this project is establishing an infrastructure for secure e-government. It is actually it is a crucial ingredient in achieving the goal of paperless government.

"Since the FBCA now becomes a single conduit for trust," said Gary Moore, Entrusts federal technical director, "which is the foundation of e-business and e-government, then state and local agencies can leverage that infrastructure to move their existing processes online without the burden of having to repeat the process of establishing relationships with each agency that they deal with."

Moore gives the example of a citizen in Illinois with a state-issued identity, once the FBCA is fully operational (he predicts this to occur within 12 to 18 months). That individual could use that digital certificate to securely file taxes at a state, local and federal level, check their earnings statements with the SSA, apply or a fishing license and perhaps renew a driving license. All with a single identity.

But there are quite a few challenges to be surmounted before that paperless utopia is upon us. How do you get around paper-intensive and face-to-face interactions to establish identity and trust, particularly for the issuance of high-trust level certificates? Currently, many CAs require an applicant to download a form, print it, complete it, and take it to a notary or government office along with a drivers license and other ID for face-to-face verification. Only then would the applicant be trusted with a digital cert.

While the FBCA still uses this model in its registration process, it is also experimenting with Web registration. "Face-to-face registration provides a higher level of assurance for the certificate and is primarily used for sensitive or financially high-risk transactions," said Spencer. "I expect that at some point in the future, even these highest levels will be accomplished electronically, but that is still a few years off."

For more information on the FBCA, visit the Web site.

Drew Robb is a Los Angeles-based writer specializing in technology issues. Forward comments about this story to whanson@govtech.net.
Sign up for GovTech Today

Delivered daily to your inbox to stay on top of the latest state & local government technology trends.