5 How can we decide whether a CA is a good CA for
5.1.1 The S.E.E. PKI Team has developed a simple Certificate Policy to which Certification Authorities must adhere. This is an industry-standard way of promoting common standards among CAs and can cover technical, legal, and service issues.
5.1.2 Certificate Policy standards mirror Certification Practice Statement standards, making it very easy for a CA or the E-government unit to compare our requirements with a CA's practices.
5.1.3 However, some issues cannot be readily specified in a Certificate Policy; for example, Issue Paper 2 points to a need to look at trade agreements and international relations when considering offshore CAs. Such aspects will require case-by-case attention and research.
5.1.4 One of the most important tests will be whether the proposed certificates work with existing systems. In most cases, CAs will be required to produce certificates that work with our existing systems, but in some cases testing may highlight problems with existing systems that need to be updated to keep pace with technology advances.
5.1.5 Independent audit can give us confidence in CA compliance with standards. The audit will generally check the CA's compliance with its Certificate Policies and/or Certification Practice Statement, but should also audit against more general information security standards such as NZS 4444 / ISO 17799. It could also cater for other customers by auditing against CATRUST (which is specifically targeted at CAs) or the programmes of other governments, such as Australia's Gatekeeper.
5.1.6 We propose that CAs be required to provide recent audit reports. Some CAs may already have been audited for other work (e.g. Gatekeeper for Australian government work), and that audit may be sufficient for our needs.
5.1.7 As other jurisdictions are still developing their approaches to auditing CAs, we propose a gradual increase in auditing standards over time. This should also reduce the costs passed back to government. Initially we recommend requiring that CAs gain ISO 9001 compliance and submit the results of an independent audit report against a baseline set of security standards. In future, we may require CATRUST or other audits.