Networking government in New Zealand.
 

3 S.E.E. Key options

3.1 What's in a certificate?

3.1.1 A S.E.E. Key digital certificate may include some or all of the following identification information:

  • name of the individual

  • email address

  • name of the organisation they work for

  • name of the branch/unit in which they work

  • city, state and country in which they work

3.2 Issuing keys and certificates

3.2.1 The process of issuing S.E.E. Keys must be sufficiently rigorous that other parties can rely upon the information contained within them.

3.2.2 The issuing process for S.E.E. Keys must be applicable to the protection of information up to SENSITIVE classification.

3.2.3 The registration process shall be subject to regular review to assure continued compliance with standards, maintain currency with technological developments and minimise compliance costs.

3.3 Approaches to issuing certificates

3.3.1 There are three basic approaches to the issuing of digital certificates. These are the:

  • Business card approach: certificates that reflect the individual's right to represent an organisation. This is analogous to an employer providing the individual with a business card that contains the organisation's identifying details (logo, address etc). Unlike a business card, the certificate can be revoked once the individual ceases to work for the employer, and is not easily forged.

  • Passport approach: certificates for individuals that remain valid irrespective of the organisation for which they work. This is analogous to the possession of a passport that identifies the individual irrespective of context, and is therefore referred to hereafter as the passport approach.

  • Associate card approach: certificates that reflect the individual's external relationship with an organisation. This is useful for organisations authenticating individuals who are outside their organisation, and outside S.E.E., with whom they have an existing relationship.

3.4 The business card approach

3.4.1 This is depicted in the following diagram.

[Diagram: Business card approach]

3.4.2 The diagram shows an individual called Les who fills two distinct roles, one in the State Services Commission and one in the Ministry of Water. Les is issued with a separate digital certificate by each agency.

3.4.3 The proposed certificate distinguished name (DN) for a business card certificate is:

O=agency, CN=common name, E=email address, L=location, S=state, C=country

for example

O=Ministry of Water, CN=Les Battersby, E=les.battersby@minwater.govt.nz, L=-, S=-, C=NZ

3.4.4 This approach enables applications to authenticate individuals and authorise access to systems based on role and organisational affiliation without tight coupling of the certificate to identifying information held in a Directory.

3.4.5 When an individual leaves an organisation or ceases to fill a particular role, the organisation would need to revoke the corresponding certificate.

3.4.6 If an individual works for multiple organisations, they will need multiple certificates, as shown in the diagram. Each time they access a system, they will do so using one of their affiliations, i.e. by selecting a certificate to present. (Note that in a more advanced system it would be possible for the application to resolve such questions of identity automatically using a Directory, provided the right level of information has been placed in the Directory.)

3.4.7 Advantages

  • This approach can also be used for organisation-related digital signature purposes and for accessing secure email.

  • Applications do not require the presence of a Directory in order to carry out authentication. Off-the-shelf systems are thus more likely to work without modification.

  • The management of affiliation and revocation is based on standards.

  • Evidence of identity (EOI) requirements can be light, as the agency can use internal processes to gain confidence in the identity of an individual, and the certificate is backed by the identification of the agency itself (which is already authenticated).

3.4.8 Disadvantages

  • Where an individual has roles in multiple organisations, this approach may require them to manage multiple keys. A choice will generally need to be made as to which affiliation (i.e. certificate) to use when accessing a system.

  • Certificates will need to be reissued whenever an organisation's details change (e.g. name changes and restructuring).

3.5 The passport approach

3.5.1 This is depicted in the following diagram.

[Diagram: The passport approach]

3.5.2 As shown in the diagram, with the passport approach, an individual has only one certificate that contains no information about their organisational affiliation or roles.

3.5.3 The proposed certificate distinguished name (DN) for a passport certificate is:

O=Individual, CN=common name, E=email address, L=location, S=state, C=country

for example

O=Individual, CN=Les Battersby, E=les.battersby@minwater.govt.nz, L=-, S=-, C=NZ

3.5.4 All information relating to organisation and roles is held in a Directory. When the individual wishes to access an application that needs to carry out authentication and authorisation, the application must access the Directory in order to find this information (and any other required information such as email address).

3.5.5 In the passport approach it is hard to determine what to do with the email address. In the example above the user is still linked to the organisation through the email address, and this is acceptable as long as it isn't relied on for organisation affiliation information. Alternatively, the email address could be the user's personal email address, or could be omitted.

3.5.6 When an individual leaves an organisation, the organisation removes the corresponding information from the Directory, but does not revoke the individual's certificate.

3.5.7 If an individual has multiple organisational affiliations or roles, the application either grants access based on the sum of the individual's affiliations or prompts the user for the affiliation to use.

3.5.8 Advantages

  • This approach may encourage consistent application design.

  • Certificates are independent of agency and do not need to be reissued if organisation names change or during restructuring.

  • There is only one set of keys to manage per user.

3.5.9 Disadvantages

  • This approach requires customised development of application authorisation and authorisation administration functions to cater for the more common need to authorise on the basis of affiliation, and the need to access the directory for this information.

  • A passport-style digital certificate cannot be used to provide organisation-related digital signatures or for accessing secure email.

  • Tight coupling with a Directory means that performance, security, and availability are dependent on these aspects of the Directory.

3.6 The associate card approach

3.6.1 As well as passport and business card approaches, there is a need for organisations to authenticate people with whom they interact but who are not employees and do not have an appropriate S.E.E. Key.

3.6.2 The passport approach would fulfil this need; however, the strong identity requirements of the passport approach are unnecessary where relationships have already been established.

3.6.3 The associate card approach permits agencies to issue certificates to people external to their agency without strong identity checks.

3.6.4 The proposed certificate distinguished name (DN) for an associate certificate is:

O=Associate registered by agency, CN=common name, E=email address, L=location, S=state, C=country

for example

O=Associate registered by The Treasury, CN=Les Battersby, E=les.battersby@minwater.govt.nz, L=-, S=-, C=NZ
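
The three DN conventions above decide where a relying application gets affiliation from: the certificate's O value (business card), the Directory (passport), or only the registering agency's vouching (associate). The following Python is an added example, not part of the S.E.E. specification. The function names, the Directory keyed on the parsed DN and the Directory contents are assumptions, and the certificate's signature, chain and revocation status are presumed to have been verified already.

```python
ASSOCIATE_PREFIX = "Associate registered by "

def parse_dn(dn):
    """Parse 'K=v, K=v' as printed on the page (assumes no commas inside values)."""
    attrs = {}
    for part in dn.split(","):
        key, sep, value = part.partition("=")
        key = key.strip().upper()
        if not sep or not key or key in attrs:
            # Fail closed: a repeated O= or CN= would make the subject ambiguous.
            raise ValueError(f"malformed or duplicate attribute: {part!r}")
        attrs[key] = value.strip()
    return attrs

def resolve(dn, directory):
    """Return (approach, organisations the holder may act for, registering agency)."""
    attrs = parse_dn(dn)
    org = attrs.get("O", "")
    if not org:
        raise ValueError("subject DN has no O attribute")
    if org == "Individual":
        # Passport: ignore the E= domain; only the Directory states affiliation.
        key = tuple(sorted(attrs.items()))
        return "passport", set(directory.get(key, ())), None
    if org.startswith(ASSOCIATE_PREFIX):
        # Associate: external party, vouched for by the named agency only.
        return "associate", set(), org[len(ASSOCIATE_PREFIX):]
    # Business card: the certificate itself asserts the affiliation.
    return "business_card", {org}, None

# DNs follow the page's examples; the Directory content is constructed.
BUSINESS = ("O=Ministry of Water, CN=Les Battersby, "
            "E=les.battersby@minwater.govt.nz, L=-, S=-, C=NZ")
PASSPORT = ("O=Individual, CN=Les Battersby, "
            "E=les.battersby@minwater.govt.nz, L=-, S=-, C=NZ")
ASSOCIATE = ("O=Associate registered by The Treasury, CN=Les Battersby, "
             "E=les.battersby@minwater.govt.nz, L=-, S=-, C=NZ")
DIRECTORY = {tuple(sorted(parse_dn(PASSPORT).items())):
             {"State Services Commission", "Ministry of Water"}}

if __name__ == "__main__":
    for dn in (BUSINESS, PASSPORT, ASSOCIATE):
        print(resolve(dn, DIRECTORY))
```

With an empty Directory the passport DN resolves to no affiliations even though its email address is at minwater.govt.nz, which is the behaviour 3.5.5 and 3.5.6 call for.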

3.7 Which approach to use?

3.7.1 The business card, associate card and passport approaches to certificate issuance have benefits and drawbacks, as discussed above.

3.7.2 It is expected that the majority of individuals engaging in cross-agency e-government activities will be filling only one major role in one organisation, and will therefore require only one certificate each. For these cases the business card approach is simpler to implement, easier to use, and can be used for other purposes.

3.7.3 For individuals who fill more than one role requiring certificates, the business card approach may become progressively more inconvenient the more roles the individual has, particularly if these are in multiple agencies. In such cases the passport approach may offer benefits in flexibility and ease of certificate management. However, this approach can require the presence of a suitable directory (or potentially multiple directories), tight coupling of applications to the directory, and more onerous identification procedures for Registration Agents and individuals. It is likely that the number of individuals in this category will be relatively low.

3.7.4 For agency specific applications with a need to authenticate individuals in non-S.E.E. agencies, the associate card approach is preferred.

