Note: this blog entry is a copy of one that I originally posted on Intelink-U. Sadly, nobody there had any Federal Bridge success stories to share. Since all the references are available on the public Internet, I thought it would be interesting to publish it to a wider audience and see if I got any positive replies.
According to a 2001 paper by Peter Alterman, Ph.D., the Federal PKI Steering Committee decided against creating a single PKI solution for the entire Federal enterprise. Instead, it chose to create a consolidated PKI consisting of discrete Federal Agency PKIs that interoperate through a non-hierarchical Bridge certification authority (CA). This solution is known as the Federal Bridge CA.
In the paper, Dr. Alterman made a number of predictions regarding PKI in the Federal government and ended with this hopeful sentence, “In as little as ten years, engineers, computer scientists and users will wonder what all the fuss about PKI was back at the turn of the millennium. With luck, we will still be around to explain it all to them.”
It’s now 2009, so while 10 years haven’t actually passed, I believe enough years have passed to ask whether the Federal Bridge is performing as advertised. There’s a July 2008 DoD memo that approves certain external PKI infrastructures. To date, however, I can send encrypted emails only to others within the DoD; I can’t send encrypted emails to anybody in the 13 other agencies/companies that have been JITC-certified for DoD interoperability.
I’m curious whether *anybody* in the Federal government is actually taking advantage of the Federal Bridge. Or do we taxpayers simply pay for lots of people to make policy and perform tests, while the actual implementation gets left to agencies that don’t really want to work together anyway?