3 PKI in the International Banking Community
3.1 Identrus
3.1.1 Identrus is a consortium of major world banks, founded to help facilitate the consistent and interoperable deployment of PKI in the financial sector. The key functions of Identrus are:
- setting policy and endorsing standards for PKI
- accreditation of infrastructure products (including CA servers, RAs, smartcards, digital signature processing software, hardware security modules, OCSP responders and other validation sub-systems)
- formalised interoperability testing services
- accreditation of PKI audit firms
- accreditation of banks' PKI operations
- acting as the Root CA, which signs all infrastructure elements and maintains real time validation information on all of them.
3.1.2 Identrus is arguably the most important PKI development in the world today, not merely on commercial grounds, but rather because it is breaking new ground in many governance areas.
3.1.2.1 From a regulator's point of view, Identrus
- shows how very large closed and open-but-bounded PKI communities can be implemented
- provides endorsement of the "WebTrust Program for Certification Authorities" audit methodology (see below)
- demonstrates the role of commercial audit in regulating PKI.
3.1.2.2 From a technical point of view, Identrus
- positions end user components such as smartcards and digital signature toolkits firmly inside the scope of the PKI and thereby subject to accreditation, rather than letting them be someone else's problem (many other PKI schemes, for example Project Gatekeeper in Australia, have nothing to say about private key storage, only key pair generation)
- mandates smartcards or similar cryptographic tokens for all end users
- extends the scope of user validation beyond certificate revocation checking to now include dynamic measurements of the individual transactions' risk.
3.1.2.3 From a business point of view, Identrus
- shifts the focus away from purely technological issues to business considerations, including liability and warranty cover (both are fully elaborated in Identrus, which provides new revenue opportunities for banks to securitise and trade identity risk)
- introduces robust mechanisms for selecting and managing outsourced CA operations.
3.1.3 "Level 1" Membership of Identrus is limited to large financial institutions which meet certain capitalisation and other measurements of financial stability. All four major Australian banks have joined at Level 1.
3.1.4 A second level of membership is envisaged for smaller institutions, but it appears that the Level 2 programme is some way from being properly elaborated.
3.1.5 Identrus is important to S.E.E. PKI for three reasons:
3.1.5.1 It appears that most if not all New Zealand banks are planning to adopt Identrus, which will have a major effect on the adoption of Public Key Technologies in the commercial sector.
3.1.5.2 Identrus certificates issued by Australian banks are likely to have some form of Gatekeeper acceptability, although the nature of these arrangements is as yet unclear (see under "Project Angus" below). This may make them ipso facto acceptable in the context of S.E.E. PKI.
3.1.5.3 Identrus provides important lessons in PKI management and interoperability. The outcomes of Identrus cross-recognition projects may be useful to inform policy development, with respect to detailed audit protocols, planning and resourcing.

