Mike Lambert, Director of The Open Group Messaging Forum, and Ian Dobson,
Director of The Open Group Security Forum, provided an introduction
to The Open Group and the work of the forums sponsoring the session.
Rebecca Neilsen of Booz Allen Hamilton provided an update on the External
Certification Authority (ECA) Program being implemented by the US Department of
Defense. The presentation addressed the background to the program and the current
status.
Wen Fang of Boeing addressed the work that is necessary to ensure Application
Readiness in support of the DoD PKI mandate. Boeing has an email encryption
architecture based on the outcome of The Open Group Secure Messaging Challenge, which can
be adapted to support the requirements of the DoD. Wen highlighted the need to establish
processes for management of ECA certificates and the fact that there are only eight weeks to
go to the implementation date.
Jacqueline Knoll of Boeing, in a presentation entitled Contractors Meet the Challenge,
stressed Boeing support for the DoD PKI mandate and its
objectives, but identified a number of practical concerns which are making it difficult
for Boeing (and other defense contractors) to comply with the program. There are a number
of technical issues relating to items such as key management, but the major concern
relates to the delayed establishment of External Certificate Authorities.
Andrew Gottfried of Lockheed Martin presented the Lockheed Martin plan to become an External
Certificate Authority for the DoD. Lockheed Martin already make extensive use of
certificates for authentication and encryption and ideally would like to use the same
certificates for interactions with the DoD via the Federal Bridge Certification Authority.
In the interim they would like to be an approved ECA. Purchasing certificates from an
approved ECA until this is in place will result in significant direct (certificate
purchase) and indirect (management) costs.
Two of the companies who are currently authorized to issue IECA certificates and are
seeking to become approved External Certificate Authorities presented the status of their
programs. Both expressed frustration at the delays within the DoD and identified a lack of
awareness of the program, especially in small companies.
Keren Cummins of Digital Signature Trust/Identrus gave an ECA
perspective on the ECA program. Keren gave a brief background to DST and how their
certificate programs operate. Keren identified some significant challenges associated with
the ECA program, including a lack of clear instructions from the DoD, onerous registration
requirements, and the transition from the interim program to the full ECA program.
Nick Piazzola of VeriSign provided an overview of VeriSign
Digital Certificate Services. He specifically addressed the transition between the
IECA and ECA programs and steps to support bulk applications from large companies.
The subsequent discussion identified a major timing issue:
- The Certificate Policy document has not yet been published.
- Until this is complete, the process of approving External Certificate Authorities cannot
start; this will take up to three months.
- There is no prospect of large Defense Contractors being approved as ECAs in time for the
April start-time.
Large defense contractors who wish to become approved ECAs face having to implement
THREE incompatible certificate management systems within a 12-month period, which will
cost them millions of dollars.
- They will have to buy certificates from existing INTERIM External Certificate
Authorities for use with any DoD systems and sites that require certificates from the
start of April.
- They will then have to buy certificates from the ECAs when they are approved.
- Finally, they will be able to issue their own certificates.
Members of the Messaging Forum agreed that the most sensible approach for the DoD to
take is to run traditional login/password systems alongside the new certificate-based
systems until two or more ECAs have been approved. This would not undermine the intent of
the mandate, but would save defense contractors (and hence the DoD) millions of dollars.
The DoD have an awareness program and it was agreed that The Open Group will assist in
building awareness through briefings at upcoming meetings. In Boston in July, there will
be a review of the operation of the program.