2 Recommendations
The S.E.E. Team recommends that the S.E.E. Steering Committee:
2.1.1 Note that authentication in an inter-agency environment requires a balance to be achieved between often-conflicting considerations of ease-of-use, cost, complexity, flexibility and security.
2.1.2 Agree that for low-risk systems controlling access to IN CONFIDENCE material, the combination of username and password is adequate.
2.1.3 Agree that for medium-risk applications controlling access to IN CONFIDENCE and SENSITIVE information, digital certificates with private keys stored on removable hardware smart-tokens must be used.
2.1.4 Note that digital certificates with private keys stored on removable hardware smart-tokens used within the S.E.E. will be called S.E.E. Keys.
2.1.5 Agree that S.E.E. Keys are not suitable for use as the sole mechanism for authentication to high-risk systems (e.g. those rated CONFIDENTIAL or above).
2.1.6 Agree that S.E.E. PKI agencies developing inter-agency web-based applications with a diverse user base be directed to provide for the use of S.E.E. Keys. This will achieve the optimum long-term balance of ease-of-use, cost, complexity, flexibility and security.

