Kansas kicks off statewide PKI project

Kansas today began issuing digital certificates to employees to use with a planned statewide public-key infrastructure from VeriSign Inc. of Mountain View, Calif.

Ultimately, Kansas plans to issue certificates to all its employees for use on the PKI created by VeriSign Inc. of Mountain View, Calif., said Ron Thornburgh, secretary of state for Kansas. The statewide PKI effort has been in development for six years with representatives from 15 organizations.

Kansas took a statewide approach to avoid having to integrate separate systems later, said Janet Chubb, assistant secretary of state.

"We didn't want to have to establish the communication among silos," Chubb said. "Unlike the federal agencies, we didn't want to have to start connecting multiple providers of PKI or electronic systems in five years."

Although other states have been issuing digital certificates, none has issued them throughout all its agencies under one PKI, said Barry Leffew, vice president of VeriSign's public sector group.

During the project's first year, the state will issue certificates to 1,500 employees at two agencies.

It will phase in their use to all of its 90 state agencies, 55 of the state's higher education institutions and eventually to city and county employees as well as citizens conducting business with the state.

"Eventually we see limitless opportunity," Thornburgh said.

The 1,200 employees in the Kansas Revenue Department's E-Lien program are receiving the first certificates. Another 300 will go to employees in the Treasurer's Office.

No tax dollars were used to develop the infrastructure. Instead, Information Network of Kansas, a public-private partnership, provided a grant to help cover administrative costs for the first three years of the project, VeriSign officials said.

The administrative fees for the first year total $100,000. The state will pay a $40,000 annual renewal fee per subsequent year.

Agencies might need to hire vendors to help with the implementation. Thornburgh said it would be up to each one to determine whether or not it needs help implementing systems for the PKI or issuing the certificates.

He expects these expenses to be limited, however. So far, "there has not been a single need to replace or upgrade any technology or hardware for the implementation," Thornburgh said.

VeriSign will be the certification authority, accepting liability if any certificates are tampered with. The state will serve as the registration authority, checking the identity of the certificate holders.