The Four Bridges Forum aims to bring trusted identity online
By Zack Martin, Editor, Avisian Publications
Trusting transactions online can be difficult. How does a user know who he’s dealing with on the other end of a computer?
To ease this concern the federal government created the Federal PKI Architecture, or the Federal Bridge. It enables government agencies to issue digital certificates that can be used to authenticate individuals for trusted transactions online.
Now organizations outside of the federal government are cross-certifying with the federal bridge for trusted transactions. Along with the federal bridge, there is CertiPath, which serves the defense and aerospace industries, Safe Bio-Pharma, for biopharmaceutical and healthcare industries and HEBCA, which serves the higher education sector in the United States.
Together, these organizations have formed the Four Bridges Forum to help facilitate trusted electronic business transactions their respective constituencies.
“As we move into the digital world there are tremendous efficiencies to be gained from going electronic,” says Mollie Shields-Uehling, president and CEO of the Safe Bio-Pharma Association. Fundamental to secure electronic transactions, she stresses, are digital identifications that enable us to recognize each other without creating “a tower of babble.”
This is what drove Safe Bio-Pharma, an association formed by U.S.-based pharmaceutical manufacturers, to investigate digital signature and PKI technology, says Shields-Uehling. “We need interoperable trusted identity management standards and a digital signature linked to that identity so people can do business across that bridge,” she says.
While pharmaceutical companies are encouraging the FDA to adjust its system so they can make regulatory submissions online using the Federal bridge, there are a number of ways PKI can help in the health care industry, says Shields-Uehling. Safe Bio-Pharma is working with the U.S. Centers for Disease Control and physicians in Minnesota on a cross jurisdictional public health surveillance project.
In the past it could take up to a week before physicians were able to recognize a public health threat and allocate medicine and resources to combat the problem, says Shields-Uehling. But physicians in Minnesota will be using digital certificates to enter and access information in order to potentially spot outbreaks earlier.
“Physicians could gain access using an HSPD-12 credential, login and get access to patient files,” says Shields-Uehling.
Another use case is for clinical investigators working on multiple research projects, she says. Entering an investigator’s office someone may see three laptops and two USB fobs and each will have a different sticky note on it with a different user name and password for the different trials. Having one trusted credential to file reports will make it easier for the investigators.
Defense and aerospace contractors have been using PKI for a longer time than the health care industry and there are established use cases with contractors using digital certificates to send information to the U.S. Department of Defense, says Jeff Nigriny, president and CEO at CertiPath.
The company has a new product that enables the PKI certificate on a FIPS 201 card to be authenticated for physical access control, Nigriny says. The physical access control system uses the federal bridge to authenticate the certificate.
Someone from the General Services Administration, DOD, or Boeing, as long as they have a valid digital certificate on the card can use it to access the Herndon, Va.-based CertiPath headquarters. “It leverages the same bridge mechanism and decides who can come to our offices,” Nigriny says.
One knock against PKI has been its high cost, but the organizations with the Four Bridges Forum are reducing costs through a shared-services model, says Shields-Uehling. Safe Bio-Pharma’s members pay for the digital signature technology through the fees paid to the association.
Nigriny says once you scale up with the number of standardized credentials cost is driven down. “One credential with multiple providers is how you drive down the cost,” he says.
Could the work of the forum eventually trickle down to everyday citizens?
Nigriny says PKI is on the path most technologies follow before being adopted by the public, with the government investing and using the technology, followed by business and then to citizens.
And the sooner the technology gets into the hands of individuals the better off everyone may be. “The identity fraud and social engineering attacks that we’re suffering today, especially in online environments, are largely rooted in us not having transactions based on face-to-face proofing,” Nigriny says. “Once you have, the strong binding of a person with the credential, we will see a number of our Internet social ills literally evaporate over night.”