Government Computer News
PKI gets shot in the arm from HSPD-12
FIPS-201 and mandate give agencies means and motive to develop apps
Digg
De.licio.us
Slashdot
TechnoratiEarly benefits of PKI
Secure e-mail, document signing and workflow. Requiring every employee to have a digital certificate makes it easier for agencies to perform these functions, which had been deemed too expensive, said Tim Polk, the National Institute of Standards and Technology’s PKI program manager.
Alternative to passwords. By placing a reader on the desktop, IT officials will no longer have to manage multiple user name and password databases. Agencies also can improve the security of virtual private networks to give telecommuters easier access to agency applications.
EnhancED physical security. Polk said that having digital certificates will make it easier for employees to get into other another agency’s building because the visitor can be authenticated quickly and given access only to authorized buildings and systems.
Network access. Dan Turissini, chief executive officer of Operational Research Consultants Inc. of Fairfax, Va., said agencies should consider deploying a common validation scheme using Online Certificate Status Protocol, and at the very highest levels they could set up applications to do authentication and validation to the network. This also would let agencies use the OCSP infrastructure for other applications used by a large number of employees.
But 11 years later, Polk, the National Institute of Standards and Technology’s PKI program manager, still is helping agencies adopt the technology.
“There has never been a killer app for PKI,” Polk said recently at a conference sponsored by Input Inc. of Reston, Va. “We spent a lot of time looking for it, but there was nothing so compelling that made agencies buy and install PKI to support one app.”
While that killer app still may never come, Polk said Homeland Security Presidential Directive-12 should provide the impetus for every agency to use PKI more widely.
Helps to have standards
“We needed a centralized driver because it was hard to compute return on investment,” Polk said. “HSPD-12 and [Federal Information Processing Standard] 201 change everything. It is not the killer app we have been looking for ... [but] a lot of pieces of the interoperability puzzle have been solved.”
Polk added that, because PKI is a central piece of FIPS-201, agencies and industry now have standards around which they can develop and implement software.
FIPS-201 standardized biometrics, and the key size and algorithm it will support.
“It used to be that, when you wanted to cross this divide, you had all these questions out there,” Polk said. “Now the hardest ones are resolved.”
But Polk isn’t unrealistic about how quickly agencies will adopt applications such as e-mail or single-sign-on capability using PKI.
Right now, Polk said, agencies are focused on meeting the letter of the HSPD-12 mandate, which was to have the ability to issue at least one card by Oct. 27, and issue compliant cards over the next two years. Polk instead is focusing on when agencies will be able to meet the spirit of the edict, when authentication becomes routine.
“If you look at the Department of Defense’s experience, it shows this takes a long time to get people used to using PKI as a part of business,” he said. “You definitely need some institutional fortitude.”
DOD has been trying to implement PKI since the mid-1990s, and only this past year did the Defense Information Systems Agency mandate its use, calling for systems to be in place by July 31. About 80 percent of DOD met the mandate, officials have said.
![1105 Government Information Group [valor]](/images/1105logo_website.gif "Government Computer News [valor]")
© 1996-2008 1105 Media, Inc. All Rights Reserved.
