Case Study: US Department of Defense
Over the past decade, the US Department of Defense (DoD) has spent considerable time and resources on developing one of the world’s largest Public Key Infrastructures (PKI), consisting of over 4 million users with a total of over 13.5 million digital certificates. At the center of the DoD PKI initiative is the Common Access Card (CAC) Program. The program was developed to improve security for all employees worldwide who send email, digitally sign documents and access secure systems.
At the program’s outset, small pilot communities found the technology very effective, yet as the user base grew, shortcomings in the original architecture became apparent, namely that it did not scale. Nevertheless, government regulations embraced the security aspects of the technology, requiring that all email be digitally signed in order to validate the authenticity and protect the integrity of the message. Until recently, checking the status of a signer’s certificate required downloading over 30 megabytes of validation data (certificate revocation lists, or CRLs) from a central, secured location, which typically took more than an hour to complete. To avoid waiting, many individuals found ways to circumvent the security system by using alternate email options such as webmail. With millions of users in the DoD, the cost in lost productivity, as well as the new security exposure this created, was significant.
To address the DoD’s needs, CoreStreet introduced a new architecture, called Distributed Online Certificate Status Protocol (D-OCSP), that cuts validation time to 65 milliseconds and replaces the multi-megabyte CRL download with a per-certificate status response no larger than a few hundred bytes. In addition, the technology provides increased security without requiring costly, secured responders: the servers that distribute the status data do not themselves need to be hardened or guarded. In effect, CoreStreet’s technology made validation completely transparent to the end user, eliminating many of the concerns raised by previous technologies.
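The security property behind the claim that responders need not be secured, shown as an added example that is not CoreStreet’s code and does not use the OCSP or D-OCSP wire format. The page itself does not say how this is achieved; the example assumes the usual design for distributed status checking: a single secured authority signs one small status record per certificate in advance, untrusted responders merely store and return those records, and the relying party checks the authority’s signature and the record’s validity window itself. The record layout (serial, status, thisUpdate, nextUpdate), the Ed25519 signature, the 24-hour window and the serial numbers are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Certificate status values (OCSP's good/revoked; "unknown" omitted for brevity).
const (
	StatusGood    byte = 0
	StatusRevoked byte = 1
)

// StatusRecord is a constructed, pre-signed validity assertion for one certificate.
// Its layout is an illustration, not the OCSP or D-OCSP wire format.
type StatusRecord struct {
	Serial     uint64
	Status     byte
	ThisUpdate int64 // Unix seconds at which the status was asserted
	NextUpdate int64 // Unix seconds after which the record must not be relied on
	Signature  []byte
}

// TBS returns the to-be-signed bytes: serial | status | thisUpdate | nextUpdate (25 bytes).
func (r StatusRecord) TBS() []byte {
	buf := make([]byte, 25)
	binary.BigEndian.PutUint64(buf[0:8], r.Serial)
	buf[8] = r.Status
	binary.BigEndian.PutUint64(buf[9:17], uint64(r.ThisUpdate))
	binary.BigEndian.PutUint64(buf[17:25], uint64(r.NextUpdate))
	return buf
}

// Size is what a responder hands to a client: 25 bytes plus a 64-byte Ed25519 signature.
func (r StatusRecord) Size() int { return len(r.TBS()) + len(r.Signature) }

// Authority is the one secured component: it holds the signing key and signs each record once.
type Authority struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewAuthority() (*Authority, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authority{priv: priv, Pub: pub}, nil
}

// Presign signs one record for a certificate, valid from now until now+window.
func (a *Authority) Presign(serial uint64, status byte, now time.Time, window time.Duration) StatusRecord {
	r := StatusRecord{Serial: serial, Status: status, ThisUpdate: now.Unix(), NextUpdate: now.Add(window).Unix()}
	r.Signature = ed25519.Sign(a.priv, r.TBS())
	return r
}

// Responder is an untrusted distribution point: a plain cache keyed by serial. It holds no key,
// so a compromised responder can withhold or replay records but cannot forge one.
type Responder map[uint64]StatusRecord

// Verify is the relying party's check. It trusts only the authority's public key and its own
// clock, so tampering or replay by a responder is caught here rather than at the responder.
func Verify(pub ed25519.PublicKey, serial uint64, r StatusRecord, now time.Time) error {
	if r.Serial != serial {
		return errors.New("record is for a different certificate")
	}
	if !ed25519.Verify(pub, r.TBS(), r.Signature) {
		return errors.New("signature does not verify under the authority key")
	}
	if t := now.Unix(); t < r.ThisUpdate || t > r.NextUpdate {
		return errors.New("record outside its validity window")
	}
	if r.Status != StatusGood {
		return errors.New("certificate is revoked")
	}
	return nil
}

func main() {
	va, err := NewAuthority()
	if err != nil {
		panic(err)
	}
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // fixed clock so the run is repeatable
	resp := Responder{
		1001: va.Presign(1001, StatusGood, issued, 24*time.Hour),
		1002: va.Presign(1002, StatusRevoked, issued, 24*time.Hour),
	}
	later := issued.Add(time.Hour)
	fmt.Println("record size:", resp[1001].Size(), "bytes")
	fmt.Println("honest record:", Verify(va.Pub, 1001, resp[1001], later))
	fmt.Println("revoked record:", Verify(va.Pub, 1002, resp[1002], later))
	fmt.Println("replayed after NextUpdate:", Verify(va.Pub, 1001, resp[1001], issued.Add(48*time.Hour)))
	forged := resp[1002]       // a compromised responder flips revoked to good...
	forged.Status = StatusGood // ...but cannot re-sign, so the signature no longer matches
	fmt.Println("forged by responder:", Verify(va.Pub, 1002, forged, later))
}
```

The point of the design is visible in Verify: nothing the responder can do short of withholding a record changes the outcome, because every accept decision rests on the authority’s signature and the client’s clock. A real deployment would also bind the record to the issuer (the full OCSP CertID), carry a reason and revocation time for revoked entries, and pick the validity window to balance freshness against how often the authority must re-sign the whole population.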
According to Gil Nolte, Director of the PKI Program Management Office at the U.S. Department of Defense, “People waited so long for CRLs to download that it cost us tremendously in productivity and drove people to circumvent the security built into our systems.
“With the new architecture from CoreStreet, the process is so quick that it is transparent to the user, and we’re now able to ensure the security and validity of digitally signed communications.”