Transcript: GATEKEEPER PKI FRAMEWORK (PowerPoint presentation by Drew Andison, Team Leader Gatekeeper, Australian Government Information Management Office)

1
GATEKEEPER PKI FRAMEWORK
Drew Andison
Team Leader Gatekeeper
Australian Government Information Management Office
2
Public Key Infrastructure (PKI)
  • The combination of
    • encryption hardware and software,
    • people,
    • policies and procedures
    needed to create, manage, store and distribute Digital Keys and Certificates

3
What does PKI do?
  • The strengths of PKI are that it offers
    • Non-repudiation
    • Authentication
    • Confidentiality
    • Integrity

4
What is a Digital Certificate?
  • An electronic document digitally signed by the Certification Authority (CA) which
    • identifies a key holder and the business entity he or she represents (as appropriate), and
    • binds the key holder to a key pair (i.e. a Public Key and a Private Key) by specifying the Public Key of that key pair along with other information required by the Certificate Profile.

5
Certificate Profile (Sample)
  • Mandatory Type
    • Subject (Distinguished Name)
    • Issuer (Distinguished Name)
    • Version
    • Serial Number
    • Signature Algorithm
    • Public Key
    • Valid From / Valid To
    • Basic Constraints
    • Key Usage
    • CRL Distribution Point
    • Authority Information Access
    • Certificate Policies
  • Extension Type
    • Private Extension (ABN)
    • Subject Alt Name
    • Subject Key Identifier
    • Authority Key Identifier
    • Thumbprint algorithm
    • Thumbprint
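Slides 4 and 5 together describe a certificate as a CA-signed document that binds a key holder (and the business entity he or she represents) to a public key under a Certificate Profile. The Go program below is an added example, not part of the presentation or of any Gatekeeper software: it builds a throwaway CA, has it sign a subscriber certificate populated with the sample profile's fields, carries the ABN in a private extension, and shows the relying party's side reading that ABN back after chain verification. The ABN, names, URLs, the policy OID and the private-extension OID are constructed placeholders; Gatekeeper's real OIDs and the extension's real encoding are not on the slide.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// Hypothetical OID for the ABN private extension; not a registered Gatekeeper identifier.
var abnOID = asn1.ObjectIdentifier{1, 2, 36, 1, 99999, 1}

// ABNFromCert is the relying party's side: the ABN bound into the private extension, or "" if absent.
func ABNFromCert(c *x509.Certificate) (abn string) {
	for _, e := range c.Extensions {
		if e.Id.Equal(abnOID) { _, _ = asn1.Unmarshal(e.Value, &abn) }
	}
	return abn
}

// IssueSubscriberCert: throwaway CA signs a subscriber cert carrying the sample profile's fields, then the chain is verified.
func IssueSubscriberCert(abn string) (*x509.Certificate, error) {
	now, roots := time.Now(), x509.NewCertPool()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	subKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Gatekeeper CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)} // Go derives the CA's Subject Key Identifier
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil { return nil, err }
	caCert, _ := x509.ParseCertificate(caDER)
	roots.AddCert(caCert)
	abnDER, _ := asn1.Marshal(abn) // PrintableString; the real profile's encoding is not on the slide
	polDER, _ := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{asn1.ObjectIdentifier{1, 2, 36, 1, 99999, 2}}}) // placeholder policy
	sub := &x509.Certificate{SerialNumber: big.NewInt(2), BasicConstraintsValid: true, // basicConstraints with cA=FALSE
		Subject: pkix.Name{CommonName: "Jane Citizen", Organization: []string{"Example Pty Ltd"}}, // constructed names
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment, // signing + non-repudiation bits
		CRLDistributionPoints: []string{"http://crl.example.invalid/ca.crl"}, OCSPServer: []string{"http://ocsp.example.invalid"}, EmailAddresses: []string{"jane@example.invalid"},
		ExtraExtensions: []pkix.Extension{{Id: abnOID, Value: abnDER}, {Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: polDER}}} // ABN + certificatePolicies
	subDER, err := x509.CreateCertificate(rand.Reader, sub, caCert, &subKey.PublicKey, caKey)
	if err != nil { return nil, err }
	subCert, _ := x509.ParseCertificate(subDER) // Authority Key Identifier is copied from the CA's SKID
	_, err = subCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return subCert, err
}
```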

6
Digital Certificates
7
Gatekeeper
  • Gatekeeper strategy released in May 1998 (http://www.gatekeeper.gov.au)
  • A formal process for the accreditation of certification service providers to Government
  • Policies and standards for the use of public key cryptography and digital certificates across a distributed network (i.e. the Internet)
  • A major element of the Government's e-Authentication Framework (AGAF)

8
ABN-DSC
  • A multi-use certificate (B2G, B2B)
  • Based broadly on the corporate credit card model
  • Based around Australian Business Number as a
    unique identifier
  • Common Certificate Profile
  • Organisation responsible for all transactions
    conducted by certificate holders
  • Delegated Registration Authority

9
Gatekeeper Review
  • Administrative review
  • Conducted to address perceptions of cost and
    complexity with Gatekeeper
  • Joint Committee on Public Accounts and Audit
  • Completed in September 2005
  • Included a Threat / Risk Assessment of ATO EOI (Evidence of Identity) processes
  • Outcome: the Gatekeeper PKI Framework (the Framework)

10
Gatekeeper PKI Framework
  • Facilitates the deployment of digital
    certificates designed to meet specific business
    needs.
  • Facilitates adoption of a risk management
    approach broadly aligned to the AGAF
  • Compliance with Government Security Standards.
  • Reduces the cost and complexity of producing,
    acquiring and using digital certificates.
  • Fosters a competitive market for digital
    certificates.

11
Secure CA model
12
Framework Overview
13
Framework Benefits
  • Flexibility
    • Meet existing and emerging business needs
    • Special Purpose certificates
    • Communities of Interest
  • Reduced cost
    • Certificate push models
    • Known Customer / Threat-Risk
    • Less red-tape / paperwork
  • Reduced complexity
    • Fewer certificate categories
    • Balance against flexibility

14
Special Purpose Certificates
  • May operate across all categories of the Framework
  • Device certificates
    • Gatekeeper Type 3 certificates (device, application)
  • Hosted certificates
    • Third party management/use of Subscriber keys and certificates
  • Corporate certificates
    • Identifies Organisation only (not individual certificate holder)
  • Digital credential
    • Lifelong characteristics e.g. professional qualifications
    • Regulatory applications where qualifications / occupation / authority are paramount
  • Others ??

15
Known Customer
  • Silver
    • Known Customer standard
    • Known Customer organisation
    • Data, security, access, integrity
  • Bronze
    • Relationship
    • Knowledge and history of dealings
    • Community of Interest
    • Rule-based use of Relationship Certificates

16
Threat / Risk Assessment
  • Equivalence to 100-point EOI check
  • Independent Audit of EOI processes/systems
    • Organisation as well as data holdings
    • Data, security, access, integrity
  • Establish Gatekeeper EOI Bindings
    • Individual to documented identity
    • Individual to Business plus authority
    • Business to ABN

17
ABN-DSCs and the Framework
  • No longer referred to as ABN-DSCs
    • Silver Certificate
  • Alternative EOI models
    • Authorised Officer Model (application)
    • Known Customer Model
    • Threat / Risk Model
  • Organisation remains responsible for certificate usage

18
Core Obligations Policy
  • Assigns Core Obligations to PKI participants
    • Certification / Registration Authorities
    • Subscribers / Relying Parties
    • Known Customer / Threat-Risk Organisations
    • Communities of Interest
  • Links to guidance on Liability Limitations
  • Links to Gatekeeper Accreditation and Listing requirements

19
Latest Developments
  • Proposal to change Category Titles
    • Perception that colours imply strength (i.e. Bronze is weak)
  • Proposal to merge Silver / Gold categories
    • One General Purpose category
  • Proposal to allow Relying Parties to distinguish between Silver certificates based on perceived EOI assurance
    • Specifically with reference to ABN-DSC model
    • Based on ATO model of Primary / Secondary Certificates
  • Proposals considered by Gatekeeper Policy Committee
    • Recommendations to Gatekeeper Competent Authority

20
PKI and E-Conveyancing
  • Reduce or eliminate paperwork
    • Electronic document lodgement/storage
  • Provide security for transactions
    • Encrypted communications
  • Provide traceability of transactions
    • Non-repudiation principles
    • Signing for legal effect

21
e-Conveyancing Issues
  • Issues
    • Firms
    • Individuals
    • Specific Certificates for specific transactions
      • e.g. Digital Credential, Business Certificate, Corporate Certificate
    • Hard versus Soft Certificates
    • Law Societies and other licensing bodies
    • Financial issues

22
Opportunities / Next Steps
  • Framework flexibility offers opportunities to develop business-driven solutions
    • Gatekeeper ensures back-end CA security
    • Business risk models determine front-end systems / procedures
    • Framework categories define identity assurance requirements
  • Where to from here?
    • Finalisation of Framework operational documents
    • Approval by Competent Authority
    • Redrafting if required
    • Accreditation / Listing of service providers

23
Questions?