AITSF Position Paper. PKI Governance in Australia

Transcription

1 AITSF Position Paper PKI Governance in Australia Prepared by Stephen Wilson, SecureNet V 1.0 April 2003

2 AITSF Position Paper on PKI Governance in Australia April 2003 Page 2/5 Abstract This paper presents the position of the Australian IT Security Forum (AITSF) for input to the current deliberations on a National Authentication Framework in Australia, in the particular area of PKI. The AITSF, through consultation with its members, and open dialogue with government, has arrived at a set of considerations and recommendations aimed at streamlining the usage and evaluation of PKI in appropriate applications, and enhancing the commercial predictability of the evaluation process, without in any way compromising the proper strong levels of security that have been standardised by Project Gatekeeper. Underlying assumptions in current PKI governance Current PKI governance models tend to be based on several general assumptions which date back many years, many of which should be updated in line with experience of PKI in practice. Assumption (a) Digital signatures may be used to authenticate stranger-to-stranger transactions, where the principal parties the Subscriber, the Relying Party and the CA1 have not met before and have no legal relationship. (b) In a digitally signed transaction, there might be no context other than the digital signature and certificate with which to decide whether to accept or reject the transaction. (c) The digital certificate may be general purpose and may serve to identify the Subject in a relatively wide range of transaction types. Experience Stranger-to-stranger e-commerce remains rare and complex to support. In most digital certificate applications today, the subscriber, RP and CA are all closely related. Most digital signature applications today are integrated with business applications, rich in context, such as government form submission. Most digital certificates issued today are used in a relatively limited range of applications. Experience of PKI in practice To date, PKI has not generally been deployed successfully in retail e-commerce settings, such as Internet banking and shopping. Instead, PKI has been more dominant in B2G and some B2B applications, such as: 1 This paper, in common with the two NEAC reports on legal liability in PKI, does not separate the Registration Authority (RA) function from the Certification Authority. We use the term CA to include both the RA and the backend CA.

3 AITSF Position Paper on PKI Governance in Australia April 2003 Page 3/5 corporate taxation reporting personal income tax returns e-health customs reporting patent applications (US). Practical experience in Australia leads to some simplification of the above assumptions: (a) Digital signatures are most often used to authenticate parties who have an existing legal relationship. (b) PKI applications tend to have a relatively rich context, including special purpose application software, web-sites and so on. (c) A digital certificate is often issued by the entity which is also providing the service which will use the certificates in a relatively narrow range of transactions. Digital certificates in practice are most often used to automate electronic dealing between types of parties who are already dealing with one another off-line. Certificates are therefore usually used in a specific context where existing rules apply. Implications The main implications of practical experience and the simplification of the assumptions underlying the governance model include the following: Certificate usage can be better automated by application software. Since the context of most PKI-enabled applications is rich, software can probably select and invoke the appropriate certificate automatically, without user intervention. This can make the user s experience of PKI and key management more seamless. Certificate registration can be streamlined. Because most PKI applications occur within existing business contexts and are governed by existing rules, users should not need to be re-identified from scratch in order to be registered for digital certificates. PKI evaluation and accreditation can be streamlined. If PKI accreditation was to explicitly factor in the intended application as part of the target of evaluation, then existing contractual arrangements, liability provisions and regulations are applicable could be taken into account, to streamline the legal review and reduce the overall accreditation overhead. Objectives In formulating an Authentication framework in general (and PKI evaluation rules in particular), the AITSF believes that the following objectives should be included:

4 AITSF Position Paper on PKI Governance in Australia April 2003 Page 4/5 Maintain high standards for CA operations at present internationally accepted levels (equivalent to Highly Protected certified backend processes and personnel, and EAL4+ certified CA/RA technologies). Facilitate the appropriate usage of digital certificate technology in e-business, to improve risk management, reduce paper costs, and enable new types of services to be delivered on-line. Provide for light touch governance, minimising unnecessary government involvement and maximising the flexibility of business to deploy the technology. Allow for fitness for purpose, to allow streamlined deployment of PKI technologies, leveraging existing relationships between parties. Enhance the commercial predictability of the accreditation process, so that service providers undergoing accreditation can better plan for the outcomes and in turn provide better certainty to all users (we suggest that commercial predictability of accreditation is more important than cost per se). Shorten accreditation times, but without compromising quality. Support a recognition framework that focuses on the fitness for purpose of certificates issued in different domains, facilitating cross border trading. Exemplars The following systems and processes provide useful precedents and benchmarks to inform PKI governance models: The AISEP (Australasian Information Security Evaluation Program) is a highly respected product certification process for cryptographic technologies, managed by the DSD (Defence Signals Directorate). It uses commercial test houses which are accredited by NATA (National Association of Testing Authorities, Australia) and licensed by the DSD. Gatekeeper Accreditation CA shows how the formerly controversial idea of a root CA can be modified, with the focused objective of facilitating interoperability, and without changing liability arrangements of the scheme. Mutual Recognition Arrangements (MRAs) amongst APEC economies show how technically complex testing and assurance processes can be recognised across borders. The International Laboratory Accreditation Cooperation (ILAC), the Asia Pacific Laboratory Accreditation Cooperation (APLAC) and the International Accreditation Forum (IAF) are non-government bodies that facilitate the validity of evaluations across different jurisdictions. tscheme is a light touch European accreditation process for PKI. Considerations / Recommendations The AITSF submits that the government should consider the following, in evolving the pioneering Gatekeeper PKI programme:

5 AITSF Position Paper on PKI Governance in Australia April 2003 Page 5/5 Examine whether Gatekeeper accreditation can be streamlined by taking account of the intended usage of a given CA s certificates and any associated legal relationships between the intended parties which serve to control liabilities and facilitate registration. Allow for Evidence of Identity rules to be varied in order to streamline registration for certain types of certificates, in keeping with the intended usage of those certificates and existing business rules which would govern such usage. Consider the application of AISEP principles in order to help outsource parts of the accreditation process. This might be facilitated through a partnership between government authorities (such as NOIE and DSD) and a not-for-profit accreditor such as JAS- ANZ (established under a treaty between the Governments of Australia and New Zealand) or NATA (a non-government, not-for-profit, government-recognized accreditor of organisations in which technical competence is a key requirement).