In Washington state, lawyers who want to check clients' worker's compensation claim files can tap into a state-run Web site where they can get the information immediately. Should the lawyers be in private practice, they can tap into the same site to file their quarterly taxes.

If it seems unusual for information of such a sensitive nature to be shuttled back and forth on the Internet, it is. But what makes it possible - and safe - is the use of digital certificates, an underpinning of public key infrastructure (PKI) technology. A digital certificate acts like an identification card in the online world, one that can offer a stronger level of authentication than a driver's license. When tied to a back-end authorization system, digital certificates become more powerful still, says Scott Bream, PKI program manager for Washington's Department of Information Services, based in Olympia.

"Some of the transactions we're doing we couldn't do without PKI," Bream says. PKI is used to grant users access to Transact Washington (http://transact.wa.gov), which acts as an entry point to applications owned by various state agencies. Key to making the site work is the policy infrastructure inherent in PKI that allows a single digital certificate to be used to grant access to myriad applications.

Two efforts that were on parallel tracks came together in Transact Washington. One was a project enabling the government to deal with digital signatures, as mandated by the Washington Electronic Authentication Act passed in 1997, as well as encryption. That got the state started down the PKI track and exploring digital certificates.

At the same time an effort was under way to create a sort of central authentication gateway that would support multiple back-end applications. "That mapped favorably to the use of digital certificates as a single credential to create a single sign-on environment," Bream says.

Transact Washington launched in December 2000, and so far about 1,000 certificates have been issued by Digital Signature Trust Co. (DST), the firm the state selected to provide its digital certificates and other PKI services. Users pay for the certificates, with fees ranging from $73 to $131, depending on type of certificate.

Among the benefits the project has provided thus far include a reduction in redundant efforts by various state agencies to issue credentials and authenticate trading partners and other users. "There's a cost associated with maintaining user IDs and passwords that essentially goes away with the use of certificates," Bream says.

There's also the intangible benefit that simplifying access to government agencies creates for citizens and businesses, he says.

The outsourcing decision
Before selecting DST as its service provider, the state of Washington looked at implementing its own PKI system. As Bream sees it, there are two basic parts to the equation. The first is the PKI infrastructure, which includes managing a highly secure data center to house the hardware and software used to create, issue, revoke and renew certificates. The second is the certificate authority (CA) aspect, which involves verifying the identity of an individual or business before issuing a certificate.

After conducting pilots in which the state served as its own CA and implemented all the PKI components, the decision was made to outsource. But it wasn't so much the technology that drove the decision. "The technology is not simplistic, but PKI is probably 60% legal and only 40% technology," Bream says. It was the legal aspects of the authentication process, including adhering to policies to be followed before issuing each certificate, that the state felt would be better left to a third party. "Although we issue drivers' licenses, the issuance of a certificate requires a level of rigor and diligence that's far in excess of that, at least in our opinion," Bream says.

It takes a large staff to be able to handle all the responsibilities of a CA on a 24x7 basis, Bream realized. It starts with verifying the identity of each person or company that applies for a certificate. The state offers three levels of identity assurance. At the highest level, applicants must complete a form and bring it to a Notary Public along with a state-issued ID or driver's license and one other form of identification.

That face-to-face validation is important on several fronts, Bream says. For one, it fulfills a requirement of the Health Insurance Portability and Accountability Act (HIPAA), a federal law that details privacy requirements for patient health records. The validation also means transactions conducted with the digital certificate bear the same legal weight under state law as those conducted in person with a written signature.

"The fact is the certificate is really a legal document, not a technical one," Bream says. DST understood that, he adds, and that was one of the reasons it was selected.

Indeed, Salt Lake City-based DST itself was founded in 1996, largely as a result of Utah passing a digital signature law, said Scott Lowry, CEO and president of DST. The company is a subsidiary of Zions First National Bank, and partners with the American Bankers Association in its PKI program. The ABA also owns a 22% stake in the company.

That background was important to Bream in selecting DST. He says the company has a hardened data center where it houses the servers and other infrastructure that support the PKI system. "They understood the importance of somebody being who they claim to be and why that's so vital to a business transaction," he says.

There are other advantages to outsourcing, including protection from technology obsolescence, an important consideration given that PKI is still a maturing technology.

One of DST's biggest selling points is that it backs up its certificates with an insurance policy, or Reliance Limit, that protects against losses incurred due to fraud that should have been prevented by DST, such as an improperly issued certificate. For the state of Washington, policy limits are $1,000 for standard certificates (those with the lowest authentication requirements), $10,000 for intermediate requirements and $50,000 for high.

Bream notes that the Reliance Limit follows the certificate wherever it goes, meaning it is accepted outside of government.

He also stresses that application providers - the various government agencies that tie in to Transact Washington - decide which of the three levels of assurance is most appropriate for their application. The state publishes policies that explain the processes and practices under which each type of certificate is issued, enabling application owners to make informed decisions.

"By using a certificate, we're able to adopt an enterprise-wide policy surrounding the issuance of that credential that is known and understood," Bream says.

That solves a problem inherent in user ID and password authentication, which is that individual owners issue them, typically under a policy that is not known or published. Consequently, each user ID and password is only good with the issuing application.

Application owners still maintain control over the access control lists that govern who can use their applications, Bream notes. "The fact that you have a certificate doesn't give you carte blanche over any application that accepts one," he says. "It only allows you to gain access to those to which you've been granted access by the application owner."

The state is also employing the Tivoli Policy Director authorization engine to present users with a customized view of Transact Washington. As a user applies for and is granted access to different applications, Policy Director ensures those applications appear on the user's individual "My Transact" page. This obviates the need for users to navigate through a generic list of applications that may not apply to them, Bream says.

While application owners have final say over who gets access to their applications, DST is still responsible for verifying the validity of digital certificates. Each time a certificate is presented to Transact Washington, the certificate is checked against a certificate revocation list (CRL) housed by DST to ensure that the certificate itself has not been revoked for any reason.

Application integration
Application owners are increasingly tying in to Transact Washington as they see the benefits it provides.

The first batch of applications was related to worker's compensation. Different applications offer information for employers, lawyers, doctors, insurers and others. Another application lets job placement agencies review client information in the process of assisting those needing rehabilitation to return to the workforce.

Other applications in various stages of development include:

  • A state Department of Social and Health Services application that will let employees from various clinics access information to assist people with drug and alcohol dependencies.
  • A Department of Health application that will allow county health jurisdictions to view and update information, such as on communicable diseases.
  • An application that will allow users to work seamlessly with the three government agencies involved in the tax filing process: the Departments of Revenue, Labor and Industries, and Employment Security.

Some of these applications were developed with PKI in mind. In those cases, they are designed to read information out of the digital certificate to create a key that is passed back to the application. The key identifies the owner of the certificate. If the application owner has granted that person the rights and permission to use the application, they are allowed access.

For applications designed to be used with user IDs and passwords, DST helped the state develop a process that lets them accommodate certificates. It takes about 40 hours of development time to make the transition, which essentially involves mapping certificate information to the application's mechanism for accepting user IDs and passwords.

The state is also getting into applications that take advantage of PKI capabilities beyond mere authentication - including digital signatures and encryption.

One digital signature application is already deployed for the Department of General Administration's State Motor Pool, which is a fleet of vehicles available for use by people conducting state business. The application allows purchases from local service providers and dealerships to be approved online by affixing multiple digital signatures to an electronic form. Data can then be automatically extracted from the form and entered into the state's accounting system, thus dramatically streamlining the process vs. its paper-based predecessor.

Other digital signature applications in the works pertain to contract and work authorization signing, the submission of electronic inspection reports and requests for grant funding, Bream says.

Discussions are also under way with the state's legal and law enforcement communities regarding the use of encryption. The Office of the Attorney General is expected to be the first to deploy the technology, as early as this summer, he says.

Lessons learned
Now that he's got some PKI experience under his belt, Bream can offer words of advice to those undertaking similar projects. "Let your business requirements drive your technology, and understand who your users are," he says. "Don't do PKI for the sake of doing PKI."

What it comes down to is having applications that can take advantage of the technology, so you don't wind up with a PKI infrastructure that nobody uses. "If we didn't have applications that were up and running right away, it'd probably still be sitting there."

Another key consideration is whether you want to be your own CA. That comes with a heavy cost when you consider all the time and staff it takes to authenticate the identity of each individual who applies for a certificate.

Similarly, owning the PKI infrastructure comes with its own set of risks and should only be undertaken by a company flexible enough to deal with changes in the technology. "Are you willing to make sure you stay abreast of those changes?" Bream asks. "There's a cost associated with that."

It's also important to remember that PKI requires a level of user involvement that most applications don't. You can roll out Office 2000 overnight and it's there when users turn on their PCs the next day. That's not the case with digital certificates, which requires the collection of personal information from end users.

"One of the lessons learned there is trying to anticipate what people's questions will be, how they're going to interface with the certificate application process, and how to make that process as seamless and intuitive as possible," Bream says. "That's really a big challenge, making the issuance of a certificate a consumer-friendly process, while still maintaining a high level of security."

Feedback
So far, users like what Transact Washington gives them, which is the ability to complete a transaction faster than they could do before. "For trading partners, it's just a nominal cost of doing business," Bream says. "They've found in some cases it gives them a competitive edge and they really like that."

Asked if he would make all the same choices if he had the chance to start over, Bream admits, "Nothing is that perfect." But he struggles to come up with a more concrete answer. He's clear they made the right decision to outsource. "It's reduced our overhead and our administration of PKI to a minimal level."

"At this point, no regrets," Bream says. "[The PKI implementation is] really starting to progress and, frankly, we're happy with where it's going."