In 1999 Illinois placed a big security bet on public-key infrastructure for e-commerce, but three years ago its PKI project faltered as state agencies foundered badly in issuing digital certificates to citizens.
It wasn’t supposed to turn out that way. The state’s landmark Electronic Commerce Security Act had given digitally signed documents an equal legal status to wet-signature paper ones in 1999, putting Illinois on the cusp of the PKI revolution. “Over the next 18 months we hope to distribute over a million digital IDs to citizens and businesses to enable them to do business with the state of Illinois as an integrated secure Web-driven government,” proclaimed then-Governor George Ryan.
The idea was to decrease paper-based exchange in favor of electronic documents in every sphere of government on every level by having citizens submit digitally signed forms instead of written signatures.
In early 2001, that still sounded possible, as Illinois had the technology contracts in place -- primarily one with Entrust -- making digital-certificate registration, issuance and management software available to state agencies. But the agencies were flummoxed by the intricacies of PKI, in which sender and recipient exchange encrypted and signed documents using a public-private key pair that is also used to verify that the contents haven’t been altered.
“By 2003, we had less than 6,000 certificates issued,” acknowledges Doug Kasamis, acting deputy director of the state's IT department, the Central Management Services (CMS) Bureau of Communication and Computer Services.
More wheels were coming off the wagon as Gov. Ryan, once praised for setting up a cabinet-level chief technology office, left office under a cloud of scandal that year, later being convicted of racketeering and fraud charges. By 2004, it was clear that something had to be done to save the PKI effort, which was failing despite the fact that Illinois was distributing certificates for free.
“We called this our ‘IT rationalization,’” says Mark Anderson, head of the PKI project. Basically, the state agencies and the IT department settled on a last-ditch plan to centralize the administration of PKI at the CMS level, having CMS do the technical work on behalf of the state agencies.
“We centralized the infrastructure, consolidating the servers and LANs,” Anderson says. “We run the master directory, the public-key and revocation list.”
CMS basically took over technical responsibility for issuing digital certificates, delivering them upon request to agencies over the state’s private-line network.
“Today, we’re the certificate authority,” says Kasamis about the CMS role. Illinois, which submits to an annual “eValidate” audit by Deloitte & Touche required by the state’s e-commerce PKI law, keeps the root keys on a server locked in an isolated room in the Springfield, Ill., data center. Illinois also stores what it calls the signature blob of all digitally signed content, which provides proof, if that’s ever needed, of what user certificate signed what content.
Comments (3)
RE: Illinois puts pizazz back in PKI
By Steve on July 12, 2007, 1:38 pm
I'd like to hear how their users like dealing with PKI. From my own personal experience dealing with users and PKI it hasn't been pretty.
Illinois puts pizazz back in PKI
By Brian Dilley on July 18, 2007, 2:19 pm
Ms. Messmer, I am Brian Dilley, the President and Founder of eValid8 Corporation, and I am writing you in regards to your recent article on the State of Illinois...
Illinois puts pizazz back in PKI
By olga13 on June 18, 2008, 4:17 am
My name is Olga and I work for a company that specializes in digital signatures. If you're interested, there's some useful background (non-commercial) information...