When PKIs Learn to Connect


Written By
Dennis Fisher
Feb 23, 2004
4 minute read

As overhyped technologies go, PKI was among the all-time greats. Five years ago, it was being touted as the cure-all for enterprise security woes and an absolute necessity for organizations of any size. But after years of failed pilot projects, maddeningly complex implementation problems and vendor flameouts, customers abandoned public-key infrastructure, and advocates of the technology had few successful implementations to cite.

Since then, however, the technology has matured, and customers have realized that it can be effective in specific applications. A prime example of this is the Federal Bridge Certification Authority. The 2-year-old project has united the trust infrastructures of a handful of federal agencies, and officials are looking to extend the initiative to private industry groups and foreign governments.

The FBCA arose out of necessity. When interest in PKI was at its peak three or four years ago, a number of government agencies began laying the groundwork for their own internal certification authorities. As sometimes happens in the federal government, most of these initiatives were ad hoc, with the principals having no idea that other agencies were working on similar projects.

This meant that each agency was developing its own policies and procedures for cross-certification, as well as selecting its own vendor. The agencies were looking to hook their infrastructures together, but there was no agreement on how to do it.

Enter the FBCA. The fact that the federal government, never known for its efficiency or innovation, is the driving force behind the initiative only adds to the wonder at its success.

“There was some recognition within the federal PKI community that the agencies were building their own PKIs with interoperability in mind. But how do you get them to interoperate?” said Gary Moore, senior architect at Entrust Inc., based in Addison, Texas, and one of the vendors involved in the establishment of the FBCA. “People assumed they could buy a [certificate authority] and turn it on without any policy.”

Technically, the FBCA is not itself an agency PKI; it is a bridge CA with which each agency's PKI cross-certifies, so that a certificate issued in one agency can be validated by a relying party in another without the two agencies having to cross-certify directly. The system is primarily used for secure e-mail right now. The architecture resembles a hub-and-spoke design, with the General Services Administration acting as the hub and each agency or organization representing a spoke. The GSA runs the physical servers that house the bridge CA and acts as the clearinghouse for the documentation detailing what agencies need to do to cross-certify with the FBCA.

Those policy documents are, in fact, the heart and soul of the FBCA effort. Because each agency implemented its PKI before the FBCA existed, each also developed its own policies and procedures for issuing credentials, revoking certificates and dozens of other mundane operations. When the FBCA was proposed, it quickly became apparent that the effort would fail without a defined master policy to govern all these issues: a cross-certificate is only useful if it also states which of the issuer's assurance levels correspond to which of the subject's.
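To make the hub-and-spoke mechanism and the policy point concrete, here is an added illustration in Python. It is not code from the article, from Entrust or from the FBCA program; the agency names, policy identifiers ("a-medium", "bridge-basic" and so on) and assurance levels are constructed for the example, and real deployments do this over X.509 certificates with RFC 5280 path validation rather than the plain records used here. It shows how a relying party in one agency discovers a certification path to an end entity in another agency through the bridge's cross-certificates, and how policy mappings in those cross-certificates decide whether the path is acceptable at the assurance level the relying party requires.

```python
"""Toy model of certification-path discovery and policy mapping through a
bridge CA, in the hub-and-spoke shape the article describes.

Added illustration, not code from the article or the FBCA program.  Every
name and policy identifier below is constructed; real bridge PKIs use X.509
certificates and RFC 5280 path validation, which this simplifies.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Cert:
    subject: str
    issuer: str
    policies: frozenset                       # policy IDs the issuer asserts
    mappings: Dict[str, str] = field(default_factory=dict)  # issuer-domain -> subject-domain


def _cross(issuer: str, subject: str, mappings: Dict[str, str]) -> Cert:
    """Cross-certificate: the issuer asserts its own policies and maps each
    one to the policy in the subject's domain it considers equivalent."""
    return Cert(subject, issuer, frozenset(mappings), dict(mappings))


# Constructed PKI: a bridge cross-certified with three agencies.  Agency C is
# cross-certified only at the "basic" assurance level.
CERTS: List[Cert] = [
    Cert("Agency A Root", "Agency A Root", frozenset({"a-medium", "a-basic"})),
    Cert("Agency B Root", "Agency B Root", frozenset({"b-medium", "b-basic"})),
    Cert("Agency C Root", "Agency C Root", frozenset({"c-basic"})),
    Cert("Bridge CA", "Bridge CA", frozenset({"bridge-medium", "bridge-basic"})),
    # spokes -> hub
    _cross("Agency A Root", "Bridge CA", {"a-medium": "bridge-medium", "a-basic": "bridge-basic"}),
    _cross("Agency B Root", "Bridge CA", {"b-medium": "bridge-medium", "b-basic": "bridge-basic"}),
    _cross("Agency C Root", "Bridge CA", {"c-basic": "bridge-basic"}),
    # hub -> spokes
    _cross("Bridge CA", "Agency A Root", {"bridge-medium": "a-medium", "bridge-basic": "a-basic"}),
    _cross("Bridge CA", "Agency B Root", {"bridge-medium": "b-medium", "bridge-basic": "b-basic"}),
    _cross("Bridge CA", "Agency C Root", {"bridge-basic": "c-basic"}),
    # end-entity (e-mail) certificates
    Cert("alice@agency-a.example", "Agency A Root", frozenset({"a-medium"})),
    Cert("carol@agency-c.example", "Agency C Root", frozenset({"c-basic"})),
]


def build_path(certs: List[Cert], anchor: str, target: str) -> Optional[List[Cert]]:
    """Depth-first search for a chain anchor -> ... -> target.

    Each step follows a certificate whose issuer is the current name, so a
    cross-certificate is an ordinary edge and the bridge shows up in the path
    like any other CA.  Self-signed roots are not edges, and the visited set
    stops the bridge's bidirectional cross-certificates from looping.
    """
    by_issuer: Dict[str, List[Cert]] = {}
    for c in certs:
        if c.issuer != c.subject:
            by_issuer.setdefault(c.issuer, []).append(c)

    def dfs(name: str, visited: Set[str]) -> Optional[List[Cert]]:
        for c in by_issuer.get(name, []):
            if c.subject == target:
                return [c]
            if c.subject in visited:
                continue
            rest = dfs(c.subject, visited | {c.subject})
            if rest is not None:
                return [c] + rest
        return None

    return dfs(anchor, {anchor})


def validate(certs: List[Cert], anchor: str, target: str,
             required: Set[str]) -> Tuple[bool, List[str], str]:
    """Build a path and run simplified RFC 5280-style policy processing.

    `required` is the set of policies the relying party accepts, written in
    its own domain (e.g. {"b-medium"} for an Agency B user).  At each cert the
    acceptable set is intersected with what the cert asserts, then translated
    through that cert's policy mappings into the next domain.
    Returns (accepted, path subject names, reason).
    """
    path = build_path(certs, anchor, target)
    if path is None:
        return False, [], "no certification path from %s to %s" % (anchor, target)
    names = [x.subject for x in path]
    valid = set(required)
    for c in path:
        matched = valid & c.policies
        if not matched:
            return False, names, "cert for %s asserts %s, none of %s" % (
                c.subject, sorted(c.policies), sorted(valid))
        valid = {c.mappings.get(p, p) for p in matched}
    return True, names, "accepted under %s" % sorted(valid)


if __name__ == "__main__":
    for target, req in [("alice@agency-a.example", {"b-medium"}),
                        ("carol@agency-c.example", {"b-medium"}),
                        ("carol@agency-c.example", {"b-basic"})]:
        ok, names, why = validate(CERTS, "Agency B Root", target, req)
        print("%-5s %s  %s" % ("OK" if ok else "FAIL", " -> ".join(names), why))
```

The carol cases show why the article's sources call policy the long pole: a path from Agency B to Agency C exists technically, but the bridge only vouches for C at "basic", so a relying party that requires "medium" rejects it while one that accepts "basic" does not. In a real deployment the equivalent decision is encoded in the policyMappings extension of each cross-certificate and enforced by the client's path validation.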

“This was done as a very collaborative project. But the real crux is the policy issues and interoperability policy,” said Judith Spencer, chairwoman of the Federal PKI Steering Committee at the GSA, in Washington. “If you're on the outside of the trust environment, we had to agree on a way to get you on the inside. The technical stuff is easy. There are always smart people to figure that out. But never underestimate the politics. Policy is always the long pole in the tent.”

Since its establishment in 2001, the FBCA user community has grown to more than 2 million, and Spencer is now at work on an effort to extend the trust environment beyond the Beltway. She has had discussions with a group from the aerospace industry, as well as people in the higher-education community, about tying into the FBCA. Several states have also expressed interest in cross-certifying with the FBCA.

Most intriguing, however, is the possibility of extending the bridge outside the United States. Spencer has had preliminary discussions with governments in Asia and Europe and said that, aside from the obvious political issues, there isn't much standing in the way of foreign governments hooking into the bridge.

In fact, she envisions the FBCA eventually being the main portal into the federal government. This goal is one that could hardly have been imagined just three or four years ago, when PKI was among the most-maligned and overhyped technologies in the marketplace.

“Right now it does everything we wanted it to do,” Spencer said. “The idea behind PKI is to enable trust in a business environment. We have a lot of momentum right now. Bad PKI is bad PKI, but if you do it right, it can be foolproof.”
