INTERVIEW: R. Michael Green, Defense PKI chief

As director of the Defense Department's Public-Key Infrastructure Program Management Office, R. Michael Green helps set and implement PKI policy for use across Defense.

GCN: What's the status of deploying Class 4 certificates for the transmission of unclassified, mission-critical but high-level information over unencrypted lines? Will Class 4 certificates be used as the baseline for sensitive-but-unclassified messaging, or will you stick with Class 3 certificates, a slightly less-secure level?

GREEN: We plan to initiate the acquisition for the Defense Department's target Class 4 architecture early in the first quarter of fiscal 2001. The implementation strategy for the DOD Public-Key Infrastructure is practical and based on an evolution toward higher levels of assurance.

The Class 3 PKI, employing some of the best currently available commercial PKI standards and technology, will transition over time to the next generation of PKI represented by the Class 4 architecture. The objective baseline certificate level for DOD sensitive-but-unclassified messaging will be at the Class 4 level of assurance. That is not to say that there won't be some unique DOD requirements that will continue to best be met by the Class 3 PKI. I'm thinking of possibly the tactical user.

GCN: Explain the difference between hardware and software encryption.

GREEN: Simply put, the difference between a hardware-based solution and a software-based solution comes down to a question of assurance. Hardware can be more readily verified than software, can be made more resistant to tampering and can afford greater protection to the PKI users' private keys.

GCN: Some vendors have complained that the department is too reliant on Netscape Communications Corp. through Defense Information Systems Agency site licensing agreements. What's your view?

GREEN: There have been some misconceptions floating around about DOD's use of the Netscape components. First, DOD is not issuing Netscape certificates. The DOD certificates are completely standards-compliant and can move between a variety of applications from a variety of vendors.

There is nothing unique about the certificates that would prohibit other vendors from creating compatible certificates. In fact, we have already approved four interim external certificate authorities (Digital Signature Trust Co. of Salt Lake City, General Dynamics Corp., Operational Research Consultants Inc. of Alexandria, Va., and VeriSign Inc. of Mountain View, Calif.) that have produced DOD-compliant certificates. DOD trading partners and vendors use these certificates today.

DOD's objective is to field a PKI that is based on standards and employs appropriate commercial components. Unfortunately, in some cases there is no widely accepted industry standard. A prime example is the registration interface between the end entity and the certificate authority. No matter which certificate authority products are chosen, some number of vendor-specific or de facto standards must be selected.

During the inception of the DOD PKI, the Netscape Certificate Authority was a component that DOD already had in place and that we had tested. An existing licensing agreement that DOD had with Netscape gave us the ability to provide Netscape clients at no additional cost to DOD.

The Netscape products address a number of DOD requirements; namely, the crypto-module meets the Federal Information Processing Standard 140-1. They provided a recovery mechanism for the confidentiality key. And the Netscape client provided a native capability for subscriber-to-certificate-authority registration.

Although it is currently fielded, we are in no way tied to or committed to it in the future. It is fully our intent to use other vendors and products in future DOD PKI implementations. Keep in mind that until July, the DOD PKI was still in the pilot phase.

GCN: What are some of the technical challenges you are facing in making certificates available? What are some of the early adopters saying about how the technology is working?

GREEN: I'd say that the DOD PKI faces challenges in the areas of ensuring interoperability between vendor components and establishing DOD's directory infrastructure.

With respect to interoperability, we have established an effort with DISA to test PKI components at the Joint Interoperability Test Command at Fort Huachuca, Ariz. Initially our focus at JITC will be on testing cards and readers to support the fielding of smart cards as PKI tokens. Using smart cards as an example, our vision for interoperability would be for DOD users to be able to use their access card with PKI credentials installed across any number of off-the-shelf smart-card readers. Today a lack of standardization does not make this a given.

The DOD directories will perform a critical role in certificate validation and distribution of public-key certificates. Our identification of the PKI-specific directory requirements and their integration in the larger DOD directory structure is a significant challenge.

GCN: What are some of the lessons DOD learned from the Defense Message System deployment?

GREEN: Our experience with DMS has given us some very valuable lessons. Primary among them is that there is a great risk in venturing out too far in front of the pack with a new technology.

When DMS development began in the early 1990s, the commercial PKI industry was not yet in its infancy, so DOD, by necessity, developed its own. When the marketplace realized the huge commercial potential of electronic commerce and PKI, and developed a commercial PKI and chose different algorithms, protocols, standards and architecture in their PKIs than did DOD, we could not keep up with the pace of innovation. Commercial industry is good at determining the business case, and they picked up quickly on the schism between what DOD was doing and what was going on in the marketplace.

The DOD PKI Program Management Office has a commitment to minimize the use of custom products as we migrate away from the current Class 4 PKI. For example, we have deployed the current Class 3 DOD PKI using mostly commercial, off-the-shelf technology. As I mentioned earlier, we have established a test center at JITC to test commercial PKI applications and products to see if they are interoperable with the DOD PKI, what we call public-key enabled or PKE.

We've also learned some valuable lessons about our technological architecture choices. Decentralizing the certificate authority function proved to be too expensive to support. While it does offer the user community some degree of flexibility, the difficulty in maintaining several hundred (or thousands in the original architecture) certificate authorities at an adequate security level is too resource-intensive.

Similarly, the use of a relatively expensive end-user token became unsupportable. We've learned that it is not practical to go for the armor-plated Rolls-Royce solution for every application. Our new philosophy is to gain widespread use of PKE applications by first fielding technology that is easy to use while providing tangible security benefits.

R. Michael Green

Previously, Green was chief of the Customer Support Services Office with the National Security Agency's Information Systems Security Organization. In that job, he assisted with information security within NSA and supported military and national security organizations throughout DOD.

Green also served as chief of the agency's National Information Infrastructure Program Management Office, which supported the Clinton administration's information technology initiatives.

In previous management positions, Green has directed the development of technology and standards for automated, secure electronic-key management techniques; led development of new digital secure voice applications; and led teams fielding microwave protection methods for commercial switched networks.

He also assisted research and development groups in creating special mathematical tools.

Green represents NSA on the Council of Representatives to the National Communications Systems, the Security Working Group of the Chief Information Officers Council and the State Department's Overseas Security Advisory Council.

Green, a Washington native, received a bachelor's degree in mathematics from the University of Maryland.

What's More

  • Age: 54
  • Family: Wife, Marjory; three sons
  • Car: Toyota Camry
  • Last movie seen: "The Green Mile"
  • Favorite Web site: www.iatf.net
  • Motto: "Be on time, play hard, play smart, have fun."
  • Dream job: Professional golfer