PKI: It's not who you are, but proving it

A conversation with Jeff Nigriny, president of CertiPath LLC

One of Jeff Nigriny's greatest challenges in advancing public-key infrastructures
(PKI) and federated identity management in government contracting has
been overcoming initial reluctance from his audiences. The learning curves are
steep, and listeners, even data security experts, are sometimes not interested in
the intricacies of the subject, said Nigriny, president of CertiPath LLC, a joint
venture formed by three large PKI providers, Arinc Inc., of Annapolis, Md.;
Exostar LLC, of Herndon, Va.; and SITA SC of Brussels, Belgium. CertiPath is a
third-party bridge that lets companies securely share information with one
another and federal agencies. Nigriny recently spoke with Washington
Technology staff writer Alice Lipowicz about PKI.


Q: How did you get involved in PKI?

Nigriny: I was working at Exostar in 2002,
creating file-sharing environments, working
on encryption and access controls, and I realized
that we could not prove identity. We
could not prove that Bob (the user) is Bob
(to whom the access credential was issued)
or that Bob is still employed on the project.
That is when I started working on identity
management.

Q: What is motivating the push to PKI and
stronger identity management?


Nigriny: We know that user names and
passwords are not enough. PKI is better. For
selling widgets, it may not matter so much,
but for architectural drawings for the next
generation of planes, it matters.

The main drivers are global defense agencies
and the Defense Department, which are
expected to begin requiring identity management
along the supply chain soon.

Meanwhile, some companies such as Boeing
are doing PKI on their own, some are in various
stages of developing it, and some are
using the services of providers such as
Exostar, Verisign, Arinc and SITA.

For CertiPath, we certify that Boeing's and
Lockheed Martin's data security, for example,
is equivalent to the Pentagon's
requirements. That assurance
applies to every entity we have
approved for the bridge.

Q: How does a company gain
access to the CertiPath bridge?


Nigriny: We have an application
process. It takes about 12
months for us to review a company and
determine it is trustworthy. Right now, we
have eight companies that are completed, six
in the pipeline and a few more anticipated.

Q: How much does PKI cost?

Nigriny: About $10 million over three years
for 100,000 employees.

Q: Which organizations are most advanced
with PKI?


Nigriny: Boeing has a huge competence in
this area. In government, DOD is the greatest
advocate.

Q: How is the work going to persuade contractors
and agencies of the need for PKI?


Nigriny: Five years ago, I would set up
three-hour meetings and people would say,
"Are you kidding me?" But we needed all
the time. It was a constant education
process.

Now, people have heard about buying PKI
certificates and eventually are thinking longterm
about issuing their own.

Q: With CertiPath's connection to the federal
PKI bridge, you have a competitive advantage.
Is it anti-competitive?


Nigriny: The companies that formed
CertiPath are competitive with one another. It
is a unique model. And there is nothing to prevent
another company from linking to the federal
bridge.

Q: What about federated identity
management?


Nigriny: What is your threshold
of pain? But seriously,
CertiPath is moving toward
certification of federation
capabilities as well.

Q: Do you enjoy working on topics that
evoke resistance?


Nigriny: I used to really enjoy the technical
side. Now what I find interesting is meeting
some of the smartest people active in the
IT security space. I like to meet interesting
people, and that is a big part of why I like it.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

What is your e-mail address?

My e-mail address is:

Do you have a password?

Forgot your password? Click here
close
SEARCH
 Top 100 Slideshow
contracts DB

Trending

  • Dive into our Contract Award database

    In an exclusive for WT Insider members, we are collecting all of the contract awards we cover into a database that you can sort by contractor, agency, value and other parameters. You can also download it into a spreadsheet. Read More

  • Is SBA MIA on contractor fraud? Nick Wakeman

    Editor Nick Wakeman explores the puzzle of why SBA has been so silent on the latest contractor fraud scandal when it has been so quick to act in other cases. Read More

Webcasts