A PROPOSAL FOR SECURING WEB COMMUNICATIONS AT NIH

PURPOSE:

There is a growing, immediate need among NIH organizations to secure web communications from their web servers via SSL. These needs range from securing intranet web sites, including encrypting the clear-text passwords used for web authentication, to encrypting sensitive survey information sent by the public to web servers at NIH.

Before SSL communication can be enabled, the server's administrator has to acquire a public key certificate. Currently an organization has two options, and both involve costly and resource-intensive implementations.

The first option is to request a certificate from VeriSign or another commercial certificate issuer. Besides the cost to each organization of paying for its own certificate, proving an organization's authenticity to a party outside the government realm becomes a paper-intensive and sometimes frustrating task. In a market that caters to a business mentality, commercial certificate issuers regularly rely on proof of identity such as articles of incorporation, a business license, or a federal tax ID confirmation, and they fail to provide a streamlined way for government organizations at any level to get a server certificate in a timely fashion. With the additional overhead of government procurement, the time lag can be substantial.

The second alternative is for an organization to create its own certification authority. It must utilize its own resources to install and maintain such an authority. Organizations that are not educated in the ways of public key technology could be putting their web application authentication at risk as well as creating an infrastructure that is incompatible with later AMG PKI recommendations.
PROPOSAL:

The proposal being made here is to establish an NIH-wide server certificate authority that would issue certificates to NIH organizations running unprotected web servers, allowing them to enable SSL communications on their servers. Not only would this provide an NIH environment of encrypted access to NIH web applications, but it would also establish a controlled environment of server verification that is more streamlined and timely than the other alternatives. By providing this service to those who wish to participate, an immediate need can be fulfilled and secure NIH web communications can be an immediate benefit.

By establishing a certificate authority for SSL servers only, many of the issues in establishing a certificate authority become simpler, and the service can be implemented without as much overhead as an NIH-wide general certification authority that issues personal certificates. For example, a directory server is not needed for server public key certificates, since these public keys are not needed outside of their installation on the servers.

DCRT/NSB has allocated resources for the implementation and administration of such a service. The service would provide an application, approval, and renewal process for anyone requesting a server certificate. It would provide guidelines to certificate users on certificate installation and SSL issues. It will be run on a production machine with secure key management of the certification authority.

This would be a free service offered to any NIH organization that agrees to the administrative certificate policies, with proper approval from organizational authorities. The approval/review process for certificate applicants would have the backing of the AMG Technical Subcommittee so that server certificates can be issued on a legitimate basis within the scope of this service (e.g., not issuing certificates for certificate servers or personal certificates).
This service is an interim solution to address the immediate needs at NIH. It would be superseded when a more general NIH certificate authority is established by the AMG Technical Subcommittee.