Defense weighs digital signature switch to match other agencies
The Defense Department is considering a switch in its program to secure digital signatures for external transactions in order to align itself with the rest of the federal government.
The department is examining whether it should adopt or at least recognize the Access Certificates for Electronic Services (ACES) public key infrastructure (PKI) program established in 1999 by the General Services Administration to provide trusted transactions for citizens and businesses.
PKI provides a hack-proof way to verify that the holder of a private key actually signed a document, as recognized by certified holders of a matching decryption key.
Defense and GSA working groups are meeting on technical and policy issues about once a month, trying to work through differences in the programs used by each. A decision on which system to use could come by summer, sources said.
Defense is not considering a change to its internal PKI, under which service men and other authorized users have ID cards, both physical (with a photo) and digital, sources noted.
For external contracts, Defense currently is using a commercially based interim external certification authority (IECA), according to Keren Cummins, vice president of government services at Digital Signature Trust (DST).
DST is one of three companies authorized by GSA to support the ACES program. The others are Operational Research Consultants (ORC) and AT&T, which uses VeriSign. DST, ORC, VeriSign and General Dynamics are contracted with Defense. But because there are two systems, contractors must use two certifications.
"Vendors are saying, 'Why do I need two certificates?'" Cummins said. "Any federal agency but DoD can accept ACES."
Contractors pay $175 for an IECA certificate from DST, while the agencies pay the cost of ACES certificates, she said. Vendors feel ACES provides sufficient security for contractors, Cummins said. "You can create such a high security standard that no one opts in. Then you have nothing."
Technical interoperability between the ACES and IECA systems should not be a problem, said David Temoshok, PKI policy manager at GSA. The business and legal issues are being worked out, he said.
"We hope to have DoD to a point where it can, as it says, 'merge,' " Temoshok said. "If we issue a certificate to a government contractor, [Defense] should be able to recognize that certificate."
Liability is one issue still being examined. Defense places more liability on the contractor than GSA, another source said. This is more expensive for the contractor, the source said.
ACES is available government-wide. Temoshok said he can see a number of agencies, such as the Treasury Department, Patent and Trademark Office, NASA and the Agriculture Department's National Finance Center moving to ACES. The Commerce Department recently opted in.
Temoshok noted that e-government is one of the five elements of the President's Management Agenda. "We as government can be leaders in moving forward in the use of electronic programs," he said.
"It's not easy, but this is the kind of work, if you're really interoperable, that you need to work at," Temoshok said.