Skip to content.
|Networking government in New Zealand.
 
You are here: Home » Services » SEEMail » SEE PKI » S.E.E. PKI - RFP templates

S.E.E. PKI - RFP templates

Standard RFP template

Government agencies wishing to secure web-based applications, for access by authorised public servants, should consider using the S.E.E. PKI. In this case, the following technical requirements will ensure the vendor provides sufficient detail to consider any proposed PKI solution.

  1. The system must authenticate users with S.E.E. Key digital certificates - http://see.govt.nz/pki/
  2. The system must create an access audit log entry when this form of authentication is used to access the system.
  3. There must be no way to use alternative authentication mechanisms like username/password to access the system except from the console, i.e. the user must not be prompted for username and password
  4. The server must be configured to specify which CAs are trusted, and this list must be easy for the system administrator to maintain.
  5. The server must check the client certificate against the CRL or OCSP service specified in the certificate to confirm that the certificate has not been revoked.
  6. The server must drop the connection if the certificate has been revoked, the certificate is expired or not yet valid, or if a current CRL or OCSP response is unavailable, the signature is not good, or if the certificate has not been issued by a trusted CA.
  7. Access to the server must be denied if certificate status services are unavailable, e.g. if the current CRL is unavailable or the OCSP server is down or inaccessible.
  8. The system must be configured to require good encryption algorithms: 3DES, AES and/or RC4. The system should use 3DES rather than RC4 if possible. If the system is configured to support AES, it must also be configured to support 3DES or RC4.
  9. The crypto libraries should be FIPS evaluated.
  10. Random key generation should be demonstrably good.
  11. Private keys should be stored in hardware modules.