Skip to content.
|Networking government in New Zealand.
 
You are here: Home » Services » SEEMail » S.E.E. PKI: Paper 2 - Public Sector, Private Sector and Offshore CAs » 4 Candidates for CAs for NZ government agencies

4 Candidates for CAs for NZ government agencies

4.1 The public service CA

4.1.1 A government agency could run its own CA. Several agencies already do this internally.

4.1.2 Running a CA within government gives us complete ownership and control over all operations.

4.1.3 There is a fear that a single public service CA may not keep up with IT advances, or may not be responsive to individual agency needs. Such a CA may eventually be replaced by agency or private sector CAs.

4.1.4 We could also outsource operations while retaining all responsibility for strategy, funding and ownership.

4.1.5 Setting up a quality CA has a high initial cost.

4.2 The New Zealand private sector CA with NZ based operations

4.2.1 Baycorp ID Services Ltd (previously 128i Ltd) is currently the only CA in this category, however there is an expectation that others will emerge.

4.2.2 Baycorp ID Services certificates are already used to authenticate access to Treasury's CFISnet system, NZHIS, and ACC systems.

4.2.3 Some argue that the public service needs to hold "the keys to the nation" however we already contract the private sector to do work that brings them in close contact with sensitive information, including document destruction, building security, offsite computer tape storage, and in some cases entire IT operations are outsourced.

4.2.4 Some would be concerned if a New Zealand owned CA were bought by or developed strong relationships with a foreign company. In this case the considerations of 4.3 come into play.

4.3 The NZ private sector CA with offshore operations

4.3.1 The PricewaterhouseCoopers' BeTRUSTed CA was recently launched in New Zealand. The BeTRUSTed CA is governed by New York state law, and has physical operations in Australia, the US and the UK. A simpler arrangement can be imagined if an Australian CA opened an office in New Zealand.

4.3.2 It is more difficult to gain confidence in offshore operations. We can hardly send the SIS and GCSB to vet staff, physical security, processes and technology in other countries, but we can require evidence of similar vetting by trusted auditors to certain standards (refer decision paper 1), or by sister agencies of our SIS and GCSB. In the case of Australian based CAs, the federal government GateKeeper accreditation would probably satisfy our needs.

4.3.3 Governing law is written into a CA's Certification Practice Statement (CPS). Due to the need to protect the rights of relying parties (e.g. those that rely on a digital signature) in some cases it may be impossible for us to override the governing law provision in a CPS. BeTRUSTed are willing to change the CPS for New Zealand certificates to be governed entirely by New Zealand law.

4.3.4 We could have a separate contract with a NZ company over issues to do with performance, support and availability, and this contract could be governed by New Zealand law.

4.3.5 If the law of some foreign jurisdictions may be acceptable, then we could consider this aspect on a case-by-case basis.

4.3.6 The performance and reliability of a system relying on an offshore CA operation centre will be affected by Internet links outside NZ. We would need to be confident of excellent Internet connectivity from their operations centre to New Zealand.

4.3.7 Political disturbance beyond our control could potentially affect CA services. We would need to consider the stability of the region of the CA's operations on a case-by-case basis.

4.4 The completely offshore private sector CA

4.4.1 There are many such CAs, the best known being VeriSign in the US, but there are more and more CAs appearing across the globe.

4.4.2 The discussions regarding vetting and governing law of the NZ private sector CA with offshore operations (section 4.3) are applicable here.

4.4.3 By not being a NZ company, a CA cannot be readily bound to NZ law.

4.4.4 Without a local presence user registration and support is complicated, relationship development is more difficult, and there may be less commitment to meeting our specific needs.

4.4.5 We already trust security technology like firewalls from a range of other countries including the USA, France, Ireland and Israel. Admittedly this sort of product is often more readily replaced if something goes wrong with the product or the relationship with the supplier or country turned sour. Such products locally administered


[ Previous | Next ]