08:45 01.11.2005

Q&A with Department of Defense's Gilbert C. Nolte

Gilbert C. Nolte
Director of the U.S. Department of Defense PKI Program Management Office

Nolte heads up a joint National Security Agency and Defense Information Services Agency public key infrastructure effort for the DoD. The dual-agency organization was formed in 1999 to unify and streamline PKI efforts within the DoD. Nolte, who works for the NSA, reports to the CIO of the Defense Department.

Your PKI implementation was initially built for digital signatures. Why did it evolve into an e-mail-based system?

It quickly evolved with e-mail because it's the app most people have on their desktops, but it really started as a way to sign an electronic transaction--the target application was our Defense Travel System. It also had a longer-term tie to the federal government's Paperwork Reduction Act. We're trying to get away from it being [so] e-mail-centric.

There were some initial scalability problems with the PKI. How did you resolve them?

DoD is a 4 million-person population, so we have a large PKI. Our first problem was distributing it--how do you get a [digital] certificate into every person's hands, and how do you get people to use the certificates? Initially, we delivered software certificates, but then we migrated toward a smart-card program, with an ID card that has memory to carry the certs.

We had some performance issues in PKI issuance: The system was huge. On any given day [during the provisioning process], we were doing 10,000 to 15,000 certificates, about 1 million-plus per year. Worldwide, we had an operation of over 1,600 workstations you could go to [to] get your smart card/PKI. All of these could be hitting the enterprise at one time, and we had issues when we were doing a backup--everyone couldn't get access to it. So we worked through the timing of this, which was a simple fix. Over 90 percent of DoD's population has PKI smart cards. ... We still issue as many as 20,000 certificates per day.

Then the big [performance] issue became certificate validation, knowing whether a cert had been revoked. We use certificate revocation lists [CRLs], so every time a certificate is revoked, lost or stolen, it's put on the CRL. Because our enterprise is so large, the CRL grew [very large]. To validate a transaction, you have to get a good chunk of the CRL to validate it.

And if someone got promoted, their cert expired, so if they had saved their e-mail with the key in their old card, how would they get that old e-mail? We had a manual, two-person key-recovery process. We found out [the problems with this] the hard way: One senior officer changed jobs but didn't have access to his old mail and it took days to get his old e-mail certificate recovered. Now we have automatic recovery of an old or expired encryption key.
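The CRL validation step Nolte describes, shown in working code as an added example that is not part of the interview and not the DoD system's own software. It builds a throwaway issuing CA and a signed CRL with constructed serial numbers (the CA name, serials and sizes are all assumptions for the demo), verifies the CRL's signature and freshness before trusting it, checks a certificate serial against it, and measures how the DER-encoded CRL grows with the number of revoked entries, which is the scaling problem the answer above points at.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// buildIssuer creates a throwaway CA certificate and signing key.
// The CA is constructed for this example; nothing here is a real DoD issuer.
func buildIssuer() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Issuing CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// serialRange returns n consecutive constructed serial numbers starting at start.
func serialRange(start, n int64) []int64 {
	out := make([]int64, 0, n)
	for i := int64(0); i < n; i++ {
		out = append(out, start+i)
	}
	return out
}

// buildCRL signs a CRL listing the given serials as revoked and returns its DER encoding.
func buildCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, serials []int64) ([]byte, error) {
	now := time.Now()
	revoked := make([]pkix.RevokedCertificate, 0, len(serials))
	for _, s := range serials {
		revoked = append(revoked, pkix.RevokedCertificate{
			SerialNumber:   big.NewInt(s),
			RevocationTime: now,
		})
	}
	tmpl := &x509.RevocationList{
		RevokedCertificates: revoked,
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(24 * time.Hour), // relying parties must refresh after this
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}

// isRevoked parses the CRL, verifies it was signed by the expected issuer and is not
// past its NextUpdate, then reports whether serial is listed. A CRL that fails either
// check yields an error: an unverifiable CRL must never be read as "not revoked".
func isRevoked(crlDER []byte, issuer *x509.Certificate, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, fmt.Errorf("CRL parse failed: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL signature invalid: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL is stale (NextUpdate %s)", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	issuer, key, err := buildIssuer()
	if err != nil {
		panic(err)
	}
	// Show how the CRL a client must download grows with the revoked population.
	for _, n := range []int64{1, 1000, 10000} {
		crl, err := buildCRL(issuer, key, serialRange(1, n))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%6d revoked entries -> CRL is %d bytes\n", n, len(crl))
	}
	crl, _ := buildCRL(issuer, key, []int64{1001, 1002, 1003})
	rev, err := isRevoked(crl, issuer, big.NewInt(1002))
	fmt.Println("serial 1002 revoked:", rev, "err:", err)
}
```

Run it and the byte counts make the interview's point concrete: every relying party has to fetch the whole list to check one certificate, and the list grows linearly with revocations across the enterprise. The verification order in isRevoked also matters: signature and freshness are checked before the serial lookup, so a tampered or stale CRL is rejected outright rather than silently answering "not revoked".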

What's your ultimate vision for the PKI?

This is an identity tool you can use to do things in a network environment. We're also working within the physical security world--how can you add something like biometrics and PIN numbers with PKI? Next, we'll be moving away from people to things. We've based our PKI on people living on the network, but we'll also [do so] for devices, applications, software objects, etc., which all can have an electronic identity to authenticate them. We already support PKI for Web servers.

Where is PKI authentication required within the DoD?

We're trying to facilitate common-sense usage. If I'm authenticating to a Web store of information and its financial data, I definitely want to use PKI to identify me and to create an SSL channel for my browser to access that Web server. [A departmentwide PKI policy] will be issued out of DoD CIO's office next year. The last policy, issued in 2001, was a broad mandate for signing all e-mails, but in reality, this never fully happened. It's time to update that--we're trying to get away from signing all e-mail.

What about integrating these digital IDs into your existing and new DoD applications?

We have a lot of older legacy applications and it's harder to get them into [the PKI]. Some of the military services have gone to informational Web portals, so [sometimes] they PKI-enable their Web portal [instead of the applications] below it, or some other things below it. Their portal is the front door, so if they PKI-enable it, it's not necessary to do so to the [applications] behind it.

What are the main security threats that PKI helps with?

Really knowing who is on your network and the notion of privilege--knowing who's doing what on our network.

What keeps you awake at night?

I worry about PKI awareness and education. I have to be a director and cheerleader in convincing people there's a need to have PKI, and in some cases, you have to argue 'what's the ROI?' But security technologies and ROI don't necessarily go hand in hand until a security incident occurs.

If security becomes an ROI argument, none of us is successful. It's tough to make people understand what this capability is and can do for you, and why they should use it.

www.securitypipeline.com/