AITSF Position Paper. PKI Governance in Australia




AITSF Position Paper
PKI Governance in Australia
Prepared by Stephen Wilson, SecureNet
V 1.0, April 2003

AITSF Position Paper on PKI Governance in Australia, April 2003, Page 2/5

Abstract

This paper presents the position of the Australian IT Security Forum (AITSF) for input to the current deliberations on a National Authentication Framework in Australia, in the particular area of PKI. The AITSF, through consultation with its members and open dialogue with government, has arrived at a set of considerations and recommendations aimed at streamlining the usage and evaluation of PKI in appropriate applications, and enhancing the commercial predictability of the evaluation process, without in any way compromising the proper strong levels of security that have been standardised by Project Gatekeeper.

Underlying assumptions in current PKI governance

Current PKI governance models tend to be based on several general assumptions which date back many years, many of which should be updated in line with experience of PKI in practice.

Assumption (a): Digital signatures may be used to authenticate stranger-to-stranger transactions, where the principal parties (the Subscriber, the Relying Party and the CA [1]) have not met before and have no legal relationship.
Experience: Stranger-to-stranger e-commerce remains rare and complex to support. In most digital certificate applications today, the subscriber, RP and CA are all closely related.

Assumption (b): In a digitally signed transaction, there might be no context other than the digital signature and certificate with which to decide whether to accept or reject the transaction.
Experience: Most digital signature applications today are integrated with business applications, rich in context, such as government form submission.

Assumption (c): The digital certificate may be general purpose and may serve to identify the Subject in a relatively wide range of transaction types.
Experience: Most digital certificates issued today are used in a relatively limited range of applications.

[1] This paper, in common with the two NEAC reports on legal liability in PKI, does not separate the Registration Authority (RA) function from the Certification Authority. We use the term CA to include both the RA and the backend CA.

Experience of PKI in practice

To date, PKI has not generally been deployed successfully in retail e-commerce settings, such as Internet banking and shopping. Instead, PKI has been more dominant in B2G and some B2B applications, such as:

- corporate taxation reporting
- personal income tax returns
- e-health
- customs reporting
- patent applications (US).

Practical experience in Australia leads to some simplification of the above assumptions:

(a) Digital signatures are most often used to authenticate parties who have an existing legal relationship.
(b) PKI applications tend to have a relatively rich context, including special purpose application software, web-sites and so on.
(c) A digital certificate is often issued by the entity which is also providing the service which will use the certificates in a relatively narrow range of transactions.

Digital certificates in practice are most often used to automate electronic dealing between types of parties who are already dealing with one another off-line. Certificates are therefore usually used in a specific context where existing rules apply.

Implications

The main implications of practical experience and the simplification of the assumptions underlying the governance model include the following:

- Certificate usage can be better automated by application software. Since the context of most PKI-enabled applications is rich, software can probably select and invoke the appropriate certificate automatically, without user intervention. This can make the user's experience of PKI and key management more seamless.
- Certificate registration can be streamlined. Because most PKI applications occur within existing business contexts and are governed by existing rules, users should not need to be re-identified from scratch in order to be registered for digital certificates.
- PKI evaluation and accreditation can be streamlined. If PKI accreditation were to explicitly factor in the intended application as part of the target of evaluation, then existing contractual arrangements, liability provisions and applicable regulations could be taken into account, to streamline the legal review and reduce the overall accreditation overhead.

Objectives

In formulating an Authentication framework in general (and PKI evaluation rules in particular), the AITSF believes that the following objectives should be included:

- Maintain high standards for CA operations at present internationally accepted levels (equivalent to Highly Protected certified backend processes and personnel, and EAL4+ certified CA/RA technologies).
- Facilitate the appropriate usage of digital certificate technology in e-business, to improve risk management, reduce paper costs, and enable new types of services to be delivered on-line.
- Provide for light touch governance, minimising unnecessary government involvement and maximising the flexibility of business to deploy the technology.
- Allow for fitness for purpose, to allow streamlined deployment of PKI technologies, leveraging existing relationships between parties.
- Enhance the commercial predictability of the accreditation process, so that service providers undergoing accreditation can better plan for the outcomes and in turn provide better certainty to all users (we suggest that commercial predictability of accreditation is more important than cost per se).
- Shorten accreditation times, but without compromising quality.
- Support a recognition framework that focuses on the fitness for purpose of certificates issued in different domains, facilitating cross border trading.

Exemplars

The following systems and processes provide useful precedents and benchmarks to inform PKI governance models:

- The AISEP (Australasian Information Security Evaluation Program) is a highly respected product certification process for cryptographic technologies, managed by the DSD (Defence Signals Directorate). It uses commercial test houses which are accredited by NATA (National Association of Testing Authorities, Australia) and licensed by the DSD.
- The Gatekeeper Accreditation CA shows how the formerly controversial idea of a root CA can be modified, with the focused objective of facilitating interoperability, and without changing liability arrangements of the scheme.
- Mutual Recognition Arrangements (MRAs) amongst APEC economies show how technically complex testing and assurance processes can be recognised across borders.
- The International Laboratory Accreditation Cooperation (ILAC), the Asia Pacific Laboratory Accreditation Cooperation (APLAC) and the International Accreditation Forum (IAF) are non-government bodies that facilitate the validity of evaluations across different jurisdictions.
- tscheme is a light touch European accreditation process for PKI.

Considerations / Recommendations

The AITSF submits that the government should consider the following, in evolving the pioneering Gatekeeper PKI programme:

- Examine whether Gatekeeper accreditation can be streamlined by taking account of the intended usage of a given CA's certificates and any associated legal relationships between the intended parties which serve to control liabilities and facilitate registration.
- Allow for Evidence of Identity rules to be varied in order to streamline registration for certain types of certificates, in keeping with the intended usage of those certificates and existing business rules which would govern such usage.
- Consider the application of AISEP principles in order to help outsource parts of the accreditation process. This might be facilitated through a partnership between government authorities (such as NOIE and DSD) and a not-for-profit accreditor such as JAS-ANZ (established under a treaty between the Governments of Australia and New Zealand) or NATA (a non-government, not-for-profit, government-recognised accreditor of organisations in which technical competence is a key requirement).