PKI's Model Citizen

Since centralizing operations and creating a common infrastructure for state agencies two years ago, the Illinois Public Key Infrastructure has blossomed into a model for other state PKIs that have been languishing under lack of buy-in from constituent agencies. The $5 million infrastructure provides a central framework that agencies can use for encrypted communications, multifactor authentication to access other agency resources and, most popular of all, digital signatures for e-government forms.

As of October, agency and citizen users of the Illinois system had taken out nearly 113,000 digital signatures – up from 5,600 in 2003 – with 13,000 daily log-ins. Built on Entrust Authority, the Illinois PKI is successful because it took on the burden of managing the keys while enabling a wide variety of agency uses.

“To make a large PKI network like this work, you need buy-in. And to get buy-in, you need elegant technology that can easily be used for multiple cryptographic and digital signature applications,” says Gregg Kreizman, a Gartner research director. “Illinois did this. And they did so without charging for it. That’s also key.”

The Central Management Services (CMS) department maintains certificate authorities and stores the digital certificates in its secure Lightweight Directory Access Protocol directory. Once users’ credentials have been validated and cross-checked against their state driver’s licenses and other criterion, they’re issued a roaming certificate that can be used across other participating agencies. “A user name and password access the certificate, but that certificate is not stored on the user computers,” says Mike Garretson, [Ed: acting?] manager of compliance assurance with the Illinois Environmental Protection Agency’s Bureau of Water in Springfield. “That one digital ID will then interoperate with other state agencies using the network.”

Garretson’s office in 2004 launched an e-forms application to replace a particularly cumbersome monthly wastewater treatment reporting process. It took a year to create the digital forms in HTML – an unusually long time due to the complexity of the forms and their fields. But once the forms went live, businesses immediately began using them. Now, 1,364 wastewater operators and other like businesses are filing digital facilities discharge monitoring reports for 1,440 permit holders.

Digitally signed e-forms are the most common use of the PKI, says Mark Anderson, PKI manager in the CMS Bureau of Communication and Computer Services (BCCS) in Springfield. His office is also getting frequent inquiries on its uses for signed encrypted e-mail forms, desktop encryption and Web-based access. The Illinois PKI is also enabling new forms of secure access to cross-agency resources. For example, the Illinois State Police, together with the state Terrorism Task Force, is piloting an emergency responder credentialing system, so that emergency workers in the field someday will be able to access public health, fire, policing, transportation and other associated system information as needed to do their jobs.

“With this system, we can also streamline appropriate access to perimeter areas and keep out those who don’t need to be in,” says Kirk Lonbom, assistant deputy director of the Information and Technology Command division of the Illinois State Police. He adds that system will soon support smart cards and ultimately support biometric authentication over the PKI.

Through its connection to the Federal PKI, the Illinois PKI provides state agencies access to federal agencies and vice versa. This is particularly important for emergency responders where jurisdictions are involved, says Lonbom.

“We’re at that stage where our infrastructure is in place to allow secure and efficient connection to e-government services,” adds Doug Kasamis, acting CIO for Illinois. “Now it’s the state’s challenge to create more of these types of services to our constituents.”