A Zions Bancorp. subsidiary has won a federal government contract that could be a breakthrough in the use of digital certificates and banks' role in providing them as a safeguard for electronic commerce.
The General Services Administration has awarded the Zions unit, Digital Signature Trust Co., a three-year contract to be part of a potentially massive effort to provide digital certificates and signatures for virtually any kind of electronic transaction or document transfer between government agencies and the public.
Digital Signature Trust, known as DST, will not be the only company playing the role of certificate authority for the federal ACES program Access Certificates for Electronic Services. But as the first contractor, accompanied by 29 subcontractors including the American Bankers Association and several prominent consulting firms, DST can claim an important symbolic victory for itself and for the argument it has been making for bank involvement in e-commerce security.
Digital certificates are credentials that authenticate parties to an on-line transaction. DST, which was approved in January 1998 by the Office of the Comptroller of the Currency as an operating subsidiary of Zions First National Bank in Salt Lake City, would be a key participant in the binding of these credentials to legitimate personal or business identities. Derived from those certificates, which are based on complex data encryption formulas, would be a digital signature unique to a given transaction, providing assurance of completion and accuracy.
ACES, under development for two years, represents a set of guidelines for federal agencies to follow as they evolve toward paperless document processing. The Government Paperwork Elimination Act, signed into law in October 1998, set a three-year deadline for agencies to give the public the option of interacting with the government electronically. Digital certificates could come into play, for example, in filing Social Security or tax forms or in suppliers' bids for government contracts.
"This is the first comprehensive public key (cryptography) technology offering that government agencies can take advantage of," said Judith Spencer, program manager of ACES at the General Services Administration. "If successful, it will provide the public with a way of communicating across the board with their government."
No other agencies have formally committed to the program. But Ms. Spencer said the Department of Education is likely to make its student loan program available on-line using ACES.
She said ACES lays the groundwork for future use of public key infrastructures, or PKIs, throughout the government. Many industry observers anticipate a spillover effect in the private sector, where PKIs are growing rapidly but not yet in mass-market contexts.
ACES, which awaits the General Services Administration's certification of DST's technology and services, is expected to become operational within 90 days.
The decision in DST's favor -- the contract terms were not disclosed -- was influenced, Ms. Spencer said, by the company' close ties to ABAecom, the American Bankers Association's digital trust subsidiary, which relies on DST to offer certification capabilities to banks and other financial institutions.
"It is a great opportunity for the banking industry because we can hopefully work with banks to become registration agents for their customers" in dealings with the government, said Scott Lowry, president and chief executive officer of DST.
Mr. Lowry said the coordinated ACES standard eliminates the need -- and expense -- for each agency to set up its own certification system. "A citizen who gets an ACES certificate can use that same certificate to interact with any federal agency participating in the ACES program," he said.
DST, which was the first registered certificate authority under Utah's pioneering digital signature law, will be relying on the 29 subcontractors for various aspects of technology, support services, and systems integration work for ACES.
In addition to the American Bankers Association, DST subcontractors include companies with extensive government contracting experience, including Booz-Allen & Hamilton of New York; Computer Sciences Corp. of El Segundo, Calif.; Microsoft Corp. of Redmond, Wash.; and PricewaterhouseCoopers of New York.
Charles Walton, an expert in digital certification and the president of Caradas Inc., a Boston-based consulting company, said banks in recent years have made significant investments in public key technology. Apart from a handful of institutions, most have failed to establish a viable commercial use for it, but he said that will change as the Internet becomes more of a mainstream commercial medium.
The DST contract "is an enormously important step," Mr. Walton said.
"The federal government has finally gotten its act together in public key infrastructure," he added. "It has the potential for being the biggest PKI in the world."
The technology's privacy and nonrepudiation characteristics -- the latter make it impossible for someone to deny that a given transaction was legitimately initiated -- will appeal to federal agencies that would want to guarantee funds are distributed to intended beneficiaries and to be sure that exchanges of sensitive information comply with privacy laws.
Dennis Fischer, commissioner of the General Service Administration's Federal Technology Service, said in a statement: "This is a major milestone in the government's ability to provide the necessary security technology to enable our electronic processes. I believe it will be invaluable as we move into the Internet environment."
