S.E.E. PKI - Scope
Scope
Status of this document
This document is a working document for informational purposes. It does not represent official Government policy on PKI. Apologies to the US GAO for plagiarism of their useful document, "Information Security: Advances and Remaining Challenges to Adoption of Public Key Infrastructure Technology GAO-01-277 [741KB], February 26, 2001".
Introduction
The E-government Unit has directed the Secure Electronic Environment (S.E.E.) project to scope the development of a Public Key Infrastructure (PKI) for use among NZ government agencies. This will ensure that State sector agencies that decide to adopt Public Key Technology (PKT) for any purpose do so in a consistent manner governed by clear Government policy.
A logical way to address the uncertainties and risks involved in adopting PKI technology in the government is to establish and enforce a government wide management framework to guide the development and deployment of PKIs by agencies. Without such a framework, agencies risk building and buying systems that are not interoperable and thus may require costly, complex solutions to interact with a government wide PKI.
S.E.E. PKI sub-project
The S.E.E. PKI sub-project is undertaking this role. Its stated goal is to promote interoperable PKI solutions within the government, the development of common guidance, and the sharing of information so that agencies considering or deploying PKI solutions can benefit from those that have already done so.
In implementing these recommendations, the S.E.E. PKI sub-project team will work with other PKI organisations, to ensure broad acceptance within the government.
Where to from here
The S.E.E. PKI sub-project team will scope and implement a PKI to authenticate public servants to inter-agency applications like the S.E.E. Workspace and CFISnet. This is in keeping with the S.E.E. project principle "start small, learn, scale fast".
The encryption requirement for these applications is to prevent eavesdropping on communications. This will be achieved by SSL/https. Encryption of stored material is not within scope. The project team has deferred encryption of individual e-mail due to e-mail client variability, product immaturity and the availability of S.E.E. Mail.
Legal digital signature / non-repudiation is not required, as most government interactions are between two parties that know each other, and already know their accountabilities/levels of trust. The risk of liability is low as government agencies cannot sue each other.
The advantages of developing an authentication only PKI are:
- Significantly less documentation required
- No liability issues, cf. digital signatures
- Less key management required, cf. key recovery of lost encryption keys
- No repudiation issues, cf. digital signature time stamping
- No archival issues for stored data, cf. recovery of encrypted information in the future
- No long-term verification issues, as authentication is typically a real-time action, cf. long-term verification of digital signatures
To construct the PKI Management framework, the S.E.E. PKI sub-project will take the following specific steps:
- Develop PKI policy guidance discussing a limited range of policy issues relevant to an authentication PKI, including appropriate usage, privacy and trust levels.
- Ensure the preparation of a program plan for the authentication PKI. The program plan should define roles and responsibilities among participating agencies and identify milestones and resources needed to develop, deploy, and maintain a PKI and associated applications, including the need for PKI-related training.
- Ensure the development and periodic review of technical guidance, as use of authentication PKI technology in the public and private sectors broadens and standards develop and mature.
- Ensure, through ongoing oversight of information security activities, that agencies are adhering to authentication PKI policy and technical guidance, including providing justification for nonparticipation.
- Define the required next steps for further development of the S.E.E. PKI, e.g. expanding the PKI to include certificates for encryption and/or adding digital signature/non-repudiation.
Why a PKI ?
E-government
Increasingly, Government agencies are using the World Wide Web and other Internet-based applications to improve internal business operations.
However, with the potential for improvements in service delivery and productivity come many of the security risks faced by existing systems as well as new risks. In some cases, the sensitive information and communications that may be involved in these activities will require greater security assurances than can be provided by simple security measures, such as a single password to gain access to a system.
There are several forms of remote electronic authentication and electronic signature available, including but not limited to knowledge-based authentication (Personal Identification Numbers (PINs) and passwords), biometrics and PKI-based authentication (tokens, smart cards and digital certificates).
Digital certificates and their associated Public Key Infrastructure of hardware, software, policies, and people can provide these greater assurances of authentication, encryption, integrity and non-repudiation. Some electronic government functions, such as the dissemination of public information, probably do not need such rigorous measures. However, many important communications and transactions that involve sensitive personal and financial data cannot be safely conducted through purely electronic means until the critical security features such as those provided by PKI are enabled.
PKI Challenges
Full-featured PKI implementations, those that offer all of the security assurances needed for sensitive communications and transactions, are not yet commonplace in either the government or the private sector, and a number of substantial challenges must be overcome before the technology can be widely and effectively deployed.
First, in order to develop an interoperable government wide system, agency PKIs will have to work seamlessly with each other, yet current PKI products and implementations suffer from interoperability problems. Ensuring the ability of agency PKIs to process certificates from all potential sources in a consistent manner will require that application software, certificates and related infrastructure conform to some minimum standards.
Second, because full-featured organisational PKIs are rare in the New Zealand government, it is not yet known how well this technology will truly scale and interoperate as its use grows. New Zealand government agencies have only limited experience with PKI, and much of it is based on pilot projects or relatively small-scale applications. Some examples around Government are the Treasury CFISnet, with some 200 certificates, including one user in each government agency and NZHIS with 400 certificates.
Third, adoption of the technology may be impeded by the high cost associated with building a PKI, enabling software applications to use it, and maintaining it. These costs can easily add up to millions of dollars.
Fourth, an effective PKI, at any level within the government, will require well-defined policies and procedures for ensuring that an appropriate level of security is maintained on an ongoing basis. Establishing such policies will require resolution of a number of sensitive issues in areas such as governance, management of policies and standards, privacy protection, encryption key recovery, and how employees will be expected to identify themselves and secure their private keys.
Finally, as with any security technology, the success of a PKI implementation will depend on how well people interact with the system and how well the system is implemented. Thus, agencies will be faced with the challenge of training and involving both users and system administrators in the adoption of a significant new technology.
There is much that must be accomplished in order to support widespread interoperable PKI services across Government. It is unlikely there can be a "one size fits all" approach to PKI technical solutions, architecture or policy. Rather what may be required is a broad range of solutions to meet individual agency e-business needs.
Critical Success Factors
Privacy
While people are increasingly willing to use the Internet to transact business, they are concerned about controlling when, how, and to what extent personal information is collected and used. If the Government PKI is not properly implemented and managed, the technologies could also lead to the abuse of personal information necessary to the functioning of the PKI.
This means that when technologies such as PKI are implemented, extra care must be taken to avoid improperly gathering or using personal information.
Maintaining trust
Having established a certain level of trust for a PKI, an agency will have to develop implementation policies for establishing and maintaining that trust level. For example, policies are needed that focus on issues such as what information will be included in digital certificates, how individual users will obtain digital certificates, and how users' private keys will be protected.
The higher the level of trust, the more stringent the process of user identification that will be required to create and assign digital certificates. If users are to present positive identification in person in order to get their certificates, for example, then registration authorities must be set up with trained, trusted personnel to operate them.
If smart cards are to be used to protect users' private keys, smart card standards and a process to distribute and manage the smart cards will be necessary.
Furthermore, the agency will have to develop a policy for determining which sources they will accept digital certificates from.
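The two decisions above, authenticating public servants to web applications with certificates over SSL/https and accepting certificates only from agreed sources, come down to one check by the relying application: does the presented certificate chain to a CA on the government trust list, and is it usable for client authentication? The following is an added example using the openssl command line; it is not code from the S.E.E. project, and every name in it (S.E.E. Root CA, jbloggs, Other Root, mallory, the file names) is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the S.E.E. document: a minimal authentication-only
# PKI built with the openssl command line. One government CA issues a user
# certificate marked for TLS client authentication; a relying application
# accepts a presented certificate only if it chains to that CA. All names
# (S.E.E. Root CA, jbloggs, Other Root, mallory) are hypothetical.
set -eu

WORK=$(mktemp -d)

# Hypothetical government root CA: self-signed, valid for one year.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/C=NZ/O=NZ Government/CN=S.E.E. Root CA" \
  -keyout "$WORK/see-ca.key" -out "$WORK/see-ca.crt" 2>/dev/null

# Extension profile for user certificates: client authentication only, so the
# certificate cannot be mistaken for a server, code-signing or CA certificate.
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' \
  > "$WORK/client.ext"

# issue_user_cert CA_NAME USER: the user generates a key pair and a request;
# the named CA signs it for 90 days under the client profile.
issue_user_cert() {
  ca=$1; user=$2
  openssl req -newkey rsa:2048 -nodes \
    -subj "/C=NZ/O=NZ Government/CN=$user" \
    -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$user.csr" \
    -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -days 90 -extfile "$WORK/client.ext" -out "$WORK/$user.crt" 2>/dev/null
}

# A second CA that the government has not agreed to trust.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/C=NZ/O=Other Organisation/CN=Other Root" \
  -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.crt" 2>/dev/null

issue_user_cert see-ca jbloggs     # legitimate public servant
issue_user_cert other-ca mallory   # subject claims NZ Government, issuer is untrusted

# accept_cert CERT: the relying application's check. Exit status 0 only if
# CERT chains to the trusted government CA, is within its validity period and
# is usable as a TLS client certificate.
accept_cert() {
  openssl verify -CAfile "$WORK/see-ca.crt" -purpose sslclient "$1" >/dev/null 2>&1
}

# cert_identity CERT: the user name the application relies on once the chain
# check has passed (the CN of the certificate subject).
cert_identity() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

if accept_cert "$WORK/jbloggs.crt"; then
  echo "accepted: $(cert_identity "$WORK/jbloggs.crt")"
fi
if ! accept_cert "$WORK/mallory.crt"; then
  echo "rejected: $(cert_identity "$WORK/mallory.crt") (issuer not on the trust list)"
fi
```

The mallory certificate carries the same organisation name as the legitimate one; it is rejected purely because its issuer is not in the CA file, which is what "determining which sources they will accept digital certificates from" means in practice. A web server enforcing this at the SSL/https layer points its client-CA setting at the same trusted CA file. Note the check covers the chain and validity period only; withdrawing a certificate before it expires needs a revocation mechanism (a CRL or an online status check) in addition.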
Most important, once appropriate governance and management of policies and procedures have been developed and implemented, an additional process will be needed to ensure that required assurance levels do not degrade over time. For example, agencies may be required to conduct periodic audits of their PKIs to ensure that policies and procedures are being followed.
Some agencies will not wish to run their own Certification Authorities and Government standards will be required for the outsourcing of this function.
Training
Training will be vital to a successful PKI. Public key technology is complex and difficult to grasp. As with any other technology used to provide security, the assurance provided by a PKI will be only as good as the practices and procedures of the users and administrators who maintain the system on a daily basis. For example, if administrators do not properly configure and maintain the PKI software and hardware, vulnerabilities may be exposed that an attacker could exploit. Likewise, if users do not properly safeguard their private keys, or do not know how to properly interact with the PKI functions in their application software, other vulnerabilities will be opened for potential exploitation.
Application Development Guidelines
Guidelines will be needed for application developers, detailing how to build an application that works using the PKI.
Future Issues
The following issues do not fall within the scope of the authentication work, but will be applicable when the work is expanded to include encryption certificates and digital signatures.
Encryption key recovery
If the keying material associated with the encrypted data becomes lost or unusable for any reason, then that data will be effectively lost unless some means exists to recover the keying material. Accordingly, agencies will need to establish policies on escrowing and distributing the keying material necessary to recover such data.
Digital signatures / non-repudiation
Agencies will need to develop policies for electronically archiving digitally signed documents possibly for long periods of time. Public key certificates, even very old ones, will be maintained in association with electronic documents for the long term, and the ability to properly process the security information and maintain the level of assurance will also have to be preserved.
Agencies may have to produce these business documents as evidence, thus requiring a process for tamper-proof audit trails to show that the integrity of the data is assured. In addition to digital signature verification, agencies will also have to address other related issues, such as maintaining the validity and security of transaction time stamps and other requirements for legal proof.

