The U.S. military has started the process of making critical changes to its public-key infrastructure, which uses digital certificates for e-mail and Web security, in order to cope with scalability problems.
In the eight years since the U.S. Department of Defense started using the PKI certificate management system it bought from Netscape Communications, it has issued more than 16 million digital certificates. Most of them are stored on the department's common access smartcard, which is the main ID card used by the Army, Navy, Air Force and Marines.
Along the way, the military also has revoked 10 million certificates as personnel and network needs change. That huge certificate revocation list (CRL) - which has bloated to over 50M bytes in file size - is the crux of the problem facing the Defense Department, because the entire CRL is supposed to be downloaded daily to every PKI user's desktop at the department from servers acting as distribution points.
The time-delay and bandwidth consumption of this large file download, even when there's a high-speed LAN available, is a source of dissatisfaction to military planners. In addition, the download is poorly adapted to the needs of mobile units and ships.
The Defense Department is seeking to eliminate CRL downloads by deploying a new set of PKI appliances called Online Certificate Status Protocol (OCSP) responders, which hold the CRLs themselves and give desktop users a short answer about whether one particular certificate is good or bad, instead of forcing them to download the whole list.
"If you have an official DOD e-mail account, you also get an e-mail digital certificate," says Gil Nolte, director of the Defense Department's program management office for PKI at the National Security Agency. Nolte says about 4 million certificates are in use in the military today. A digital certificate binds a person's identity to a public key; the matching private key is held only by its owner, and the pair is used for purposes such as signing and encrypting electronic documents, verifying sender identity and validating documents.
The old Netscape certificate management system - which changed hands from Netscape to AOL in 1998 and then from AOL to Red Hat in December - is still in use, and Red Hat last week announced at LinuxWorld that it had renamed it Red Hat Certificate System.
The Defense Information Systems Agency uses the product's PKI Certificate Authority to issue a CRL listing the military's revoked certificates. But with the file now so large, the military had to find a workaround.
The answer has been to install OCSP responders made by Corestreet, KyberPass and Tumbleweed, among the handful of others now being certified by the Joint Interoperability Test Center at Fort Huachuca, Ariz.
Each OCSP responder provides immediate validation of certificates by storing the CRLs and offering the user a simple "yes" or "no" response to the question of whether a certificate is revoked.
This cuts the data exchange for certificate validation from 55M bytes to a few hundred kilobytes, Nolte says. "It's replacing the download of the CRL," he says, adding that tests show 650,000 users can access an OCSP responder at the same time.
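The trade-off described above, a client downloading the entire revocation list versus asking a responder a yes/no question about one certificate, as an added example. This is not code from the article, the Defense Department, Red Hat or any of the named vendors; it uses the Python `cryptography` package (assumed installed). The CA, the two certificate holders, the serial numbers and the number of revoked entries are constructed for the demonstration. Both paths return the same status, but the CRL grows with every revocation while the OCSP request and response stay a fixed few hundred bytes; the client side also shows the checks a relying party must do on an OCSP answer (signature, match to the question asked, freshness) before trusting it.

```python
# Added example (not from the article or any DoD/Red Hat/vendor code).
# Requires the `cryptography` package; all names and serials are constructed.
import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.datetime(2024, 1, 1)     # naive UTC, the form the library's accessors return
ONE_DAY = datetime.timedelta(days=1)
DER = serialization.Encoding.DER


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca():
    """Self-signed issuing CA; the same key signs the CRL and the OCSP responses here."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name("Demo Issuing CA")).issuer_name(_name("Demo Issuing CA"))
            .public_key(key.public_key()).serial_number(1)
            .not_valid_before(NOW).not_valid_after(NOW + 365 * ONE_DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_cert(ca_key, ca_cert, serial, cn):
    """End-entity certificate; the holder's private key is not needed for status checks."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW).not_valid_after(NOW + 365 * ONE_DAY)
            .sign(ca_key, hashes.SHA256()))


def build_crl(ca_key, ca_cert, revoked_serials):
    """The CA's CRL: one entry per revoked serial, so its size grows with revocations."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject).last_update(NOW).next_update(NOW + ONE_DAY))
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build()
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def crl_status(crl, cert, ca_cert):
    """Relying party with the whole CRL in hand: check its signature, then look up the serial."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature invalid")
    return "revoked" if crl.get_revoked_certificate_by_serial_number(cert.serial_number) else "good"


def build_ocsp_request(cert, issuer):
    """Client side: a CertID (issuer name hash, issuer key hash, serial) in a few dozen bytes."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build()
    return req.public_bytes(DER)


def ocsp_responder(request_der, ca_key, ca_cert, cert_db, revoked_serials):
    """Responder side: answers for one serial from its own copy of the revocation data."""
    req = ocsp.load_der_ocsp_request(request_der)
    cert = cert_db[req.serial_number]      # a real responder also checks the issuer hashes
    revoked = req.serial_number in revoked_serials
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=ca_cert, algorithm=hashes.SHA1(),
                          cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
                          this_update=NOW, next_update=NOW + ONE_DAY,
                          revocation_time=NOW if revoked else None,
                          revocation_reason=x509.ReasonFlags.key_compromise if revoked else None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
            .sign(ca_key, hashes.SHA256()))
    return resp.public_bytes(DER)


def _naive_utc(dt):
    return dt.replace(tzinfo=None) if dt.tzinfo is not None else dt


def ocsp_status(response_der, request_der, ca_cert):
    """Relying party: verify the signature, match it to the question asked, check freshness."""
    resp = ocsp.load_der_ocsp_response(response_der)
    req = ocsp.load_der_ocsp_request(request_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError("responder error: %s" % resp.response_status)
    # Signed by the trusted responder key (the CA key here; a delegated responder cert would be checked instead).
    ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                ec.ECDSA(resp.signature_hash_algorithm))
    # The answer must be about the certificate we asked about, not a replayed answer for another one.
    if (resp.serial_number, resp.issuer_key_hash, resp.issuer_name_hash) != \
            (req.serial_number, req.issuer_key_hash, req.issuer_name_hash):
        raise ValueError("response does not match request")
    # And it must be current: an old "good" answer is worthless once the certificate is revoked.
    this_update = _naive_utc(getattr(resp, "this_update_utc", None) or resp.this_update)
    next_update = _naive_utc(getattr(resp, "next_update_utc", None) or resp.next_update)
    if not (this_update <= NOW <= next_update):
        raise ValueError("stale OCSP response")
    return "revoked" if resp.certificate_status == ocsp.OCSPCertStatus.REVOKED else "good"


def demo(n_revoked=2000):
    """Same answer both ways; compare the CRL size with the OCSP request and response sizes."""
    ca_key, ca_cert = make_ca()
    alice = issue_cert(ca_key, ca_cert, 5001, "alice (constructed)")
    bob = issue_cert(ca_key, ca_cert, 5002, "bob (constructed)")
    revoked = set(range(10_000, 10_000 + n_revoked)) | {bob.serial_number}
    crl = build_crl(ca_key, ca_cert, revoked)
    cert_db = {c.serial_number: c for c in (alice, bob)}
    out = {"crl_bytes": len(crl.public_bytes(DER))}
    for who, cert in (("alice", alice), ("bob", bob)):
        req = build_ocsp_request(cert, ca_cert)
        resp = ocsp_responder(req, ca_key, ca_cert, cert_db, revoked)
        out[who] = {"crl": crl_status(crl, cert, ca_cert), "ocsp": ocsp_status(resp, req, ca_cert),
                    "req_bytes": len(req), "resp_bytes": len(resp)}
    return out


if __name__ == "__main__":
    print(demo())
```

In a real deployment the client POSTs the request DER to the responder URL carried in the certificate's Authority Information Access extension, and if the responder signs with a delegated certificate rather than the CA key, that certificate must chain to the CA and carry the OCSP-signing extended key usage. Note that the responder still needs a current copy of the revocation data; OCSP moves the bulk transfer from every desktop to a handful of responders, it does not remove it.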