Agencies to unveil e-signature prototype

The federal government is embarking on an initiative that could be the linchpin for revolutionizing government services and boosting the use of advanced Internet commerce.

The Office of Management and Budget, the General Services Administration and other agencies this week will be discussing a prototype of an electronic gateway for delivering federal services to businesses, consumers and other government entities utilizing electronic signatures and identification.

Some experts predict that the e-authentication project will serve as a model of how technology can boost the reliance on e-signatures. E-authentication is one of the 24 e-government initiatives approved by the President's Management Council, and experts said that increased government use of the technology also could propel several industries into a new realm of global commerce and boost the deployment of high-speed Internet services.

The Keys To E-Government Security

Officials at OMB and GSA have invited technology companies to join them Tuesday for e-Authentication Industry Day, which is designed to update businesses about the gateway and explore opportunities for government contracts. The portal seeks to enable citizens, businesses and state and local government agencies to obtain the keys for conducting government business over the Internet.

In the offline world, individuals or organizations can flash state-issued driver's licenses or some other government-approved document to verify their identities. But in the online world, a name and an Internet password are not sufficient evidence that the parties in government and business transactions are transmitting authentic information.

That explains the drive toward e-authentication and the new portal, begun in the mid-1990s by several agencies, including GSA, the National Institute for Standards and Technology and OMB.

"It came about as a reaction to trends that we at GSA saw happening in government," said Judith Spencer of GSA and the chairwoman of the Public Key Infrastructure Steering Committee. "Years ago, when we were pursuing the idea of e-government, and realizing ... before Congress mandated a commitment to electronic government services, [we decided] that as people became more comfortable with online [commercial] services, they would expect government to offer online government service."

The Defense Department began developing a system that provided the models for the move to public-key infrastructure (PKI) a third-party verification system. Under PKI, individuals obtain digital certificates, encrypted "keys" that let them send information sealed with the verification of a third party (usually the software companies that issue the keys).

That process ensures the recipient in a transaction of the sender's identity and the authenticity and security of the documents. The Clinton administration was seeking a technical solution to facilitate e-government transactions, Spencer said, and "the best in breed was PKI technology."

In 1996, nearly two-dozen agencies formed the PKI panel that Spencer heads, choosing that method over an agency-by-agency piecemeal approach to specific problems. The steering committee helped create the Federal Bridge Certificate Authority, which enables departments and agencies to issue digital certificates, Spencer said. She said the authority has a model policy based on four levels of trust in digital transactions -- everything from rudimentary protection such as a simple password all the way to "substantial assurance" that participants are who you say they are.

Under contract with the government, Digital Signature Trust and AT&T also worked with industry partners, such as VeriSign, to develop Access Certificates for Electronic Services, the foundation for current government-wide PKI solutions.

'The Enablers'

"We think of ourselves as the enablers," said Steven Timchak, GSA's e-authentication program manager. "E-authentication is not only about technology. ... What's equally important is that agencies are cooperating and working together to get it done."

Timchak's team, which includes participants from industry and government, is creating risk profiles and assessments for e-government transactions. Transactions that require high security likely will use digital certificates. The Defense Department has gone even further, combining PKI with biometrics-based "smart cards" for its employees.

A subsidiary of the defense contractor Mitre currently is building the prototype for the e-authentication project, which Timchak said is slated to be unveiled by September. GSA will bid a contract to develop the final product within the next year. Part of the "industry day" event is designed to create awareness among technology makers in order to promote the bidding process for the gateway's final implementation.

The prototype will connect to FirstGov, the federal government's Web portal, while it integrates with several of the 24 e-government initiatives.

Congressional mandates to reduce paperwork in federal agencies and laws such as the Health Insurance Portability and Accountability Act that set rules for transferring information electronically are proving to be major catalysts for developing the e-authentication infrastructure. A key deadline for the Government Paperwork Elimination Act, for instance, is October 2003.

"You just can't get there from here unless you are starting now," said Keren Cummins, vice president of government services at Digital Signature Trust.

Bumps In The E-Authentication Road

The implementation of online authentication faces some challenges. One of the major problems with the deployment of the e-gateway, for example, is the consolidation necessary to create one authority for issuing digital certificates to consumers and businesses. "We are asking some agencies to give up their rice bowls, and that is difficult to do," Timchak said.

Another hurdle is that the use of digital authentication in the private sector still lags. The process remains expensive, and it can only work if both parties to a transaction have the technology. Many observers hope a government push will spur private-sector adoption of the technology.

Yet in order to boost the overall acceptance of digital authentication and PKI, the system that GSA and other agencies are creating must be wholly interoperable.

The Federated Electronic Government Coalition, a trade group for security-technology firms, issued a report in May criticizing some federal PKI efforts. The report warned that without interoperability among the e-authentication approaches of federal, state and local governments and the private sector, a "disruptive technological approach" might be the end result.

But industry experts remain hopeful that authentication and the subsequent services it will enable will promote the adoption higher-speed services.

"Governments today have the opportunity to build the rhythms of national life into high-speed networks," the Information Technology Association of America states in its 2001 broadband report. "E-government presents government agencies with unprecedented options for round-the-clock, citizen-centric service delivery, and the American people with the chance to interact with the democratic process and institutions in new and compelling ways."