The PKI Payoff

Find opportunities — and win them.
Public-key infrastructure is a double-edged sword for most agencies.It is a complex technology that is a burden to implement, and it is a tool that powers a wide array of agency applications and services.With PKI, a third-party entity vouches for the bona fides of two interacting parties. Those parties might be a bank and its card-carrying customer or an agency and its smart card-carrying employees. The vouching is in the form of digital certificates ? actually large numbers ? issued by a certificate authority to the trusted parties.Although PKI certificates from different vendors are generally equivalent, agencies have many options to consider before choosing a provider.Agencies might be looking for a supplier of smart cards. They may need hardware such as card readers, or software such as personnel tracking systems.Consulting services can help integrate PKI with existing systems. Indeed, combinations of consultants with different expertise could be necessary to implement various agency applications and services. Technical support and maintenance services are always important considerations.As with any new implementation, there will be resistance to change, so "management has to organize itself and lead," said Dr. Peter Alterman, assistant chief information officer for electronic authentication at the National Institutes of Health. Alterman is chairman of the Organization for the Advancement of Structured Information Standards' Federal PKI Policy Authority and a member of the OASIS IDtrust Steering Committee.In addition, although a PKI digital certificate might just be numbers, the infrastructure itself ? hardware, software, services ? is not cheap. "The actual PKI technology is trivial compared to the budget and management issues," Alterman said.A key decision for agencies is determining whether the agency or a contractor will administer the PKI system. "IT needs to ask whether they really want to take on the physical security responsibility," Alterman said. This could involve coordinating information technology with human resources and building security to a greater extent than usual."PKI is like an electrical outlet," said Vijay Takanti, vice president of security services at Exostar LLC, of Herndon, Va. "Once you have it, you can plug all kinds of apps into it."For example, federal agencies work with many state and local agencies on an ongoing basis or in emergencies. The Homeland Security Department might partner with state and local law enforcement; federal health agencies could exchange information with hospitals or public health authorities; money might flow among federal, state and local agencies. It would be convenient to identify trusted people, exchange confidential information and allow secure transactions.Unfortunately, state and local agencies can't use shared-services providers. So even though these groups have to work together, they can't use the same PKI system.They can, however, still use PKI to solve their problems. Providers such as CertiPath LLC, of Herndon, Va., offer bridge services for just this purpose.CertiPath is a joint venture of Exostar, Arinc Inc., of Annapolis, Md., and SITA, of Geneva. CertiPath cross-certifies entities to a common standard, and CertiPath is directly cross-certified with the Federal Bridge Certificate Authority.Agencies need to think about ways to re-engineer their business processes to take advantage of PKI. Prime candidates for PKI include:PKI's potential in securing e-mail is one use agencies find attractive. The Defense Department and the United Kingdom's Ministry of Defence already have such systems. PKI certificates encrypt e-mail on the sending end and decrypt it on the receiving end. The process is transparent to users and makes for a new level of secure communications.Encryption is an obvious application of PKI but not enough agencies appreciate what PKI-encrypted files can accomplish. An encrypted file is not only unreadable by outsiders but also essentially stamped as belonging to your agency.Establishing such ownership credentials is valuable.PKI-based agency applications will attract users and grow larger and more popular. That's why PKI solutions must scale well. If you anticipate deploying solutions at multiple locations, make sure the product can handle that.Although most agencies will begin by using managed services or an SSP, at some point, many will want to spread their wings and fly under their own power. In the PKI world, that means becoming a certificate authority with the ability to create, distribute and manage certificates. Ideally, contractors should have programs to transition agencies from managed services to in-house responsibility.The next iteration of PKI is called a public-key environment. For example, if an operating system and several software applications offer PKI-compatible capabilities already, you have a PKE. It's far simpler adding new PKI-based applications within such an environment because so much support is available.Many software vendors are quietly adding PKI support to their products. They know that PKI is only going to get bigger.

From scale to service, be ready to answer these questions from your customers.

  • What requirements and mandates does the agency have to satisfy that involve public-key infrastructure? The most common include Homeland Security Presidential Directive 12 and Federal Information Processing Standard 201.

  • What other federal agencies does your customer need to share information or credentials with? What systems, protocols and providers are they using? How would your customer's PKI systems map to theirs?

  • With what nonfederal agencies must your customer share information or credentials? What systems, protocols and providers are they using?

  • What is your experience operating managed and hosted services?

  • What do your service-level agreements cover? What kinds of disaster recovery features are in place?

  • What kind of auditing do you undergo? When was the last audit, and what were the results?

  • What business processes does your customer need to change to implement PKI technology?

  • Do you offer training for new users?

  • Does your customer want to manage the PKI system or should a contractor do it? What are the trade-offs of the different approaches?

  • Will physical security be part of the solution? Who will be responsible?

  • What are the operating system requirements of these solutions? Do operating systems already in use have PKI capabilities?

  • What existing software will PKI be integrating with? Does this software have PKI support? If not, what other software options are there?

  • If the agency is seeking to perform PKI-based information sharing with other agencies, what kind of application interoperability will be necessary? Ensure that vendors use nonproprietary technologies and protocols, which may include:

    * X.509 certificates.

    * Public Key Cryptographic Standards (PKCS 1, 7, 10, 11, and 12).

    * PKIX (CMP, CRMF).

    * Lightweight Directory Access Protocol.

    * Online Certificate Status Protocol.

    * Simple Certificate Validation Protocol.






  • "PKI is like an electrical outlet. Once you have it,
    you can plug all kinds of apps into it."
    Vijay Takanti, Exostar LLC













    PKI possibilities












    • Interagency communication and cooperation.
    • Risk-associated activities, such as identity cards.
    • Confidentiality and privacy concerns.
    • Financial transactions.







    Plan for PKI success










    Edmund X. DeJesus is a freelance technical writer in Norwood, Mass.

    NEXT STORY: Let's get flexible