DOD looks to put pizzazz back in PKI

By Ellen Messmer, Network World, 08/15/2005
The U.S. military has started the process of making critical changes to its public-key infrastructure, which uses digital certificates for e-mail and Web security, in order to cope with scalability problems.

In the eight years since the U.S. Department of Defense started using the PKI certificate management system it bought from Netscape Communications, it has issued more than 16 million digital certificates. Most of them are stored on the department's common access smartcard, which is the main ID card used by the Army, Navy, Air Force and Marines.

Along the way, the military also has revoked 10 million certificates as personnel and network needs change. That huge certificate revocation list (CRL) - which has bloated to over 50M bytes in file size - is the crux of the problem facing the Defense Department, because the entire CRL is supposed to be downloaded daily to every PKI user's desktop at the department from servers acting as distribution points.

The time-delay and bandwidth consumption of this large file download, even when there's a high-speed LAN available, is a source of dissatisfaction to military planners. In addition, the download is poorly adapted to the needs of mobile units and ships.

The Defense Department is seeking to eliminate CRL downloads by deploying a new set of PKI appliances called Online Certificate Status Protocol (OCSP) responders, which store CRLs and automatically provide short answers to desktop users about whether a certificate is good or bad instead of forcing them to download a whole certificate list.
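The two checking styles the article contrasts, the whole-CRL download and the per-certificate answer from a responder that holds the CRL, can be modelled with Go's standard X.509 library. The block below is an added example for this page; it is not code from the Defense Department's deployment, the Netscape/Red Hat certificate system, or the OCSP appliances described. The CA, serial numbers and validity windows are constructed for the demo, and the `Responder` type is a simplified stand-in for an OCSP responder that skips the OCSP wire format: it parses a signed CRL, refuses one the CA did not issue, and answers `good` or `revoked` for a single serial, or `unknown` once the CRL's nextUpdate has passed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Status is the short per-certificate answer; "unknown" means the CRL is not fresh.
type Status string

const StatusGood, StatusRevoked, StatusUnknown Status = "good", "revoked", "unknown"

// NewDemoCA builds a throwaway issuing CA; every value is constructed for the example.
func NewDemoCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// crlSign is needed both to issue a CRL and to verify one against this CA.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SignCRL issues a DER-encoded CRL listing the given serials as revoked.
func SignCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, serials []*big.Int, thisUpdate time.Time, lifetime time.Duration) ([]byte, error) {
	entries := make([]pkix.RevokedCertificate, 0, len(serials))
	for _, s := range serials {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: thisUpdate})
	}
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          thisUpdate,
		NextUpdate:          thisUpdate.Add(lifetime),
		RevokedCertificates: entries,
	}, ca, key)
}

// Responder stands in for the OCSP appliance: one parsed, signature-checked CRL, queried per serial.
type Responder struct {
	crl     *x509.RevocationList
	revoked map[string]bool
}

func NewResponder(issuer *x509.Certificate, crlDER []byte) (*Responder, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, err
	}
	// Refuse to serve answers from a CRL the issuer did not sign.
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return nil, fmt.Errorf("CRL signature check failed: %w", err)
	}
	r := &Responder{crl: crl, revoked: make(map[string]bool, len(crl.RevokedCertificates))}
	for _, e := range crl.RevokedCertificates {
		r.revoked[e.SerialNumber.String()] = true
	}
	return r, nil
}

// Status answers inside the CRL's validity window; past NextUpdate it says unknown, not a stale good.
func (r *Responder) Status(serial *big.Int, now time.Time) Status {
	if now.Before(r.crl.ThisUpdate) || now.After(r.crl.NextUpdate) {
		return StatusUnknown
	}
	if r.revoked[serial.String()] {
		return StatusRevoked
	}
	return StatusGood
}

func main() {
	ca, key, err := NewDemoCA()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	crlDER, _ := SignCRL(ca, key, []*big.Int{big.NewInt(1001)}, now, 24*time.Hour)
	resp, _ := NewResponder(ca, crlDER)
	fmt.Println(len(crlDER), "byte CRL;", resp.Status(big.NewInt(1001), now), resp.Status(big.NewInt(1002), now), resp.Status(big.NewInt(1002), now.Add(48*time.Hour)))
}
```

The design point is in `Status`: a responder answering from a CRL is only as current as that CRL, so once nextUpdate has passed it must say it does not know rather than repeat an old `good`. Real OCSP responses carry the same thisUpdate and nextUpdate fields, and a relying party should apply the same freshness check to them. Passing a longer serial list to `SignCRL` shows the other half of the article's problem: the DER grows by roughly twenty bytes per revoked certificate, which is what every desktop was downloading in full each day.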

"If you have an official DOD e-mail account, you also get an e-mail digital certificate," says Gil Nolte, director of the Defense Department's program management office for PKI at the National Security Agency. Nolte says about 4 million certificates are in use in the military today. A digital certificate links a person's identity with a unique pair of public-private encryption keys that can be used for purposes such as signing and encrypting electronic documents, verifying sender identity and document validation.

The old Netscape certificate management system - which changed hands from Netscape to AOL in 1998 and then from AOL to Red Hat in December - is still in use, and Red Hat last week announced at LinuxWorld that it had renamed it Red Hat Certificate System.
