Public Key Infrastructure: Examples of Risks and Internal Control Objectives Associated with Certification Authorities: GAO-04-1023R

Rhodes, Keith A.
August 2004
GAO Reports;8/10/2004, p1
Government Document
This letter is in response to a Congressional request that we examine our advice to executive branch agencies regarding commercial managed service public key infrastructure (PKI) solutions to see if the advice is consistent with current federal policy and private sector best practices. Specifically, over the past several years, staff from various agencies has asked for informal advice on these matters. Our informal advice was based on the control environment described to us by the agencies. This control environment, which is discussed later in this letter, resulted in the informal advice that the agencies may incur a greater burden in ensuring that a contract certification authority whose certificates are used in financial management applications has implemented an adequate system of internal controls than would be necessary if the certification authority were implemented internally. However, if agencies are willing to accept this potential increased burden by accepting and mitigating the potential risks (not all of which may be known and understood at this time) associated with commercial certification authorities contracting out, a certification authority may be able to provide the same level of security assurances as an internal certification authority. One key aspect of mitigating the risk will be the close involvement of agency personnel in the commercial implementation. We also told the agencies that until we were formally requested by an agency to review a commercial service provider's system, we could not express a formal position. To date, we have not received such a request.


Related Articles

  • Hidden code-breakers. Silk, Anne // New Scientist;9/20/2008, Vol. 199 Issue 2674, p18 

    A letter to the editor in response to an article on James Ellis, the inventor of public key cryptography, in the August 16, 2010 issue is presented.

  • GSA Awards Entrust $5M for Hosted PKI Agreement.  // TR2: Terror Response Technology Report;11/23/2011, Vol. 7 Issue 24, p15 

    The article reports that Entrust has received a four-year contract worth 4.5 million U.S. dollars from the General Services Administration (GSA) to continue providing hosted Public Key Infrastructure (PKI) services and digital certificates for the Homeland Security initiatives.

  • Developing e-Business Trust. Gerberick, Dahl // Security: Solutions for Enterprise Security Leaders;Sep2001, Vol. 38 Issue 9, p37 

    Focuses on the use of public key infrastructure (PKI) to ensure a strong degree of trust in electronic business transactions. Encryption; Digital certificates for authentication; Trusted online transaction; Considerations when implementing PKI; Issues need to be addressed to achieve network...

  • FROM THE TRENCHES. Tosi, Angelo // eWeek;12/04/2000, Vol. 17 Issue 49, p30 

    Focuses on the proper integration of public-key infrastructure (PKI) pilot system in the information technology department of companies in the United States. Barriers to PKI implementation; Necessity of creating a measurable success criteria for the PKI pilot; Importance of stakeholder...

  • Aircraft Identification Technique using Public-Key Cryptosystem. Abou-Loukh, Sadiq J. // International Journal of Computer Applications;Nov2014, Vol. 106 Issue 1-18, p1 

    A new approach for identifying friend aircraft from foe (IFF) using a public-key cryptosystem is introduced. Two public-key cryptosystem schemes, namely RSA and knapsack public keys, are considered, which provide higher security than conventional identification methods. The practical aspects...

  • Verifying X.509 Certificates on Smart Cards. Henniger, Olaf; Lafou, Karim; Scheuermann, Dirk; Struif, Bruno // Enformatika;2006, Vol. 16, p255 

    This paper presents a smart-card applet that is able to verify X.509 certificates and to use the public key contained in the certificate for verifying digital signatures that have been created using the corresponding private key, e.g. for the purpose of authenticating the certificate owner...

  • Quantum Secret Sharing of Secure Direct Communication Using One-Time Pad. Du, Ruigang; Sun, Zhiwei; Wang, Banghai; Long, Dongyang // International Journal of Theoretical Physics;Sep2012, Vol. 51 Issue 9, p2727 

    Instead of sharing some sifted keys, quantum secret sharing of secure direct communication (QSS-SDC) allows a dealer Alice to share her secret message directly with a group of agents, who can then cooperate together to restore her message in a later time. However, we notice that, in order to...

  • A PRIMER ON CHANGING INFORMATION TECHNOLOGY AND THE FISC. Peha, Jon M.; Strauss, Robert P. // National Tax Journal;Sep97, Vol. 50 Issue 3, p607 

    The article discusses the components of changing information technology and their potential implications for funding the government. Information technology has one or more of the following essential functions: storing information; processing information; and moving information. When...

  • An enhanced searchable public key encryption scheme with a designated tester and its extensions. Chengyu Hu; Pengtao Liu // Journal of Computers;Mar2012, Vol. 7 Issue 3, p716 

    In a searchable public-key encryption scheme with a designated tester (dPEKS), only the designated server can test which dPEKS ciphertext is related with a given trapdoor generated by a user with a keyword w by using the server's private key, but learn nothing else. In this paper, we study the...

