PKI: It's not who you are, but proving it

Find opportunities — and win them.

A conversation with Jeff Nigriny, president of CertiPath LLC.

I was working at Exostar in 2002,creating file-sharing environments, workingon encryption and access controls, and I realizedthat we could not prove identity. Wecould not prove that Bob (the user) is Bob(to whom the access credential was issued)or that Bob is still employed on the project.That is when I started working on identitymanagement. We know that user names andpasswords are not enough. PKI is better. Forselling widgets, it may not matter so much,but for architectural drawings for the nextgeneration of planes, it matters.The main drivers are global defense agenciesand the Defense Department, which areexpected to begin requiring identity managementalong the supply chain soon.Meanwhile, some companies such as Boeingare doing PKI on their own, some are in variousstages of developing it, and some areusing the services of providers such asExostar, Verisign, Arinc and SITA.For CertiPath, we certify that Boeing's andLockheed Martin's data security, for example,is equivalent to the Pentagon'srequirements. That assuranceapplies to every entity we haveapproved for the bridge. We have an applicationprocess. It takes about 12months for us to review a company anddetermine it is trustworthy. Right now, wehave eight companies that are completed, sixin the pipeline and a few more anticipated. About $10 million over three yearsfor 100,000 employees. Boeing has a huge competence inthis area. In government, DOD is the greatestadvocate. Five years ago, I would set upthree-hour meetings and people would say,"Are you kidding me?" But we needed allthe time. It was a constant educationprocess.Now, people have heard about buying PKIcertificates and eventually are thinking longtermabout issuing their own. The companies that formedCertiPath are competitive with one another. Itis a unique model. And there is nothing to preventanother company from linking to the federalbridge. What is your thresholdof pain? But seriously,CertiPath is moving towardcertification of federationcapabilities as well. I used to really enjoy the technicalside. Now what I find interesting is meetingsome of the smartest people active in theIT security space. I like to meet interestingpeople, and that is a big part of why I like it.
One of Jeff Nigriny's greatest challenges in advancing public-key infrastructures
(PKI) and federated identity management in government contracting has
been overcoming initial reluctance from his audiences. The learning curves are
steep, and listeners, even data security experts, are sometimes not interested in
the intricacies of the subject, said Nigriny, president of CertiPath LLC, a joint
venture formed by three large PKI providers, Arinc Inc., of Annapolis, Md.;
Exostar LLC, of Herndon, Va.; and SITA SC of Brussels, Belgium. CertiPath is a
third-party bridge that lets companies securely share information with one
another and federal agencies. Nigriny recently spoke with Washington
Technology staff writer Alice Lipowicz about PKI.


Q: How did you get involved in PKI?

Nigriny:









Q: What is motivating the push to PKI and
stronger identity management?


Nigriny:























Q: How does a company gain
access to the CertiPath bridge?


Nigriny:






Q: How much does PKI cost?

Nigriny:


Q: Which organizations are most advanced
with PKI?


Nigriny:



Q: How is the work going to persuade contractors
and agencies of the need for PKI?


Nigriny:









Q: With CertiPath's connection to the federal
PKI bridge, you have a competitive advantage.
Is it anti-competitive?


Nigriny:





Q: What about federated identity
management?


Nigriny:





Q: Do you enjoy working on topics that
evoke resistance?


Nigriny: