S.E.E. PKI: Paper 7 - International Perspective

4 Australian Developments

4.1 Gatekeeper 2

4.1.1 Gatekeeper is Australia's strategy for government PKI. It has been subject to continuing refinement by the National Office for the Information Economy (NOIE) since the original report Gatekeeper - a strategy for public key technology use in the Government was released in 1998.

4.1.2 The Commonwealth awarded a contract in early 2000 for the development of "Gatekeeper 2". This was originally intended to be a comprehensive review of the Gatekeeper system, bringing it in line with international developments. For various reasons, the scope of Gatekeeper 2 narrowed over the following 12 months, and the review came to concentrate on specific changes driven by inconsistencies discovered between the original Gatekeeper strategy paper and the realities of running the first Commonwealth PKI projects.

4.1.3 Gatekeeper 2 has seen relatively minor, essentially technical changes to the scheme rules. To summarise:

  • reliance limits have been dispensed with, in light of the fact that the ATO's on-line GST returns can cover multi-million dollar declarations

  • the previous term "proof of identity" (referring to the documentation that has to be submitted to a Registration Authority in support of a certificate application) has been renamed "evidence of identity" (EOI) for legal reasons

  • the acceptable forms of EOI have been more tightly defined

  • the EOI requirement for an "Authorised Officer" associated with the issuance of organisational certificates has been lifted from 100 points to 150 points.

4.1.4 These changes are essentially technical. They do not significantly affect the "tone" of the Gatekeeper system, which remains very strenuous in terms of the operational and procedural overheads in running an accredited RA or CA.

4.1.5 Gatekeeper is strictly confined to Australian government use and thus has no direct relevance to the S.E.E. PKI programme. However, it can be expected to have an indirect effect in two areas:

4.1.5.1 Gatekeeper-accredited CAs from Australia may seek to be accredited for S.E.E. PKI. Given the stringency of Gatekeeper requirements, they may with some justification expect streamlined accreditation in New Zealand.

4.1.5.2 Holders of Gatekeeper certificates in Australia may wish to use them for S.E.E. applications (e.g. to participate in a trans-Tasman policy development workspace project).

4.1.6 The close relationship that exists between NZ and Australia would also make it prudent for the S.E.E. project to continue to observe Gatekeeper developments closely. There is increasing activity internationally in the area of cross-recognition (see below), and as the government PKI schemes of the two countries, both S.E.E. and Gatekeeper are likely to be involved in such activity at some stage.

4.2 The ABN-DSC

4.2.1 The Australian Business Number Digital Signature Certificate (ABN-DSC) is a major recent output from the Gatekeeper programme.

4.2.2 The ABN-DSC is basically an identity certificate issued to any legitimate member of a given Australian registered business, binding the certificate subject to that business, as identified by the ABN. Responsibility for vetting the subject of the first ABN-DSC issued to a given business rests with the CA. This first subject may be designated as an "Authorised Officer" and is allowed to vet subsequent ABN-DSC holders within the same business.

4.2.3 The background to the ABN-DSC lies in the fact that while the Australian Tax Office (ATO) can now issue a certificate to potentially any registered Australian business under the new GST system, ATO certificates may only be used in transacting with the ATO. The ABN-DSC is fundamentally a response to this restriction, intended to lead to a widely available, general purpose business identifier, acceptable for securing transactions with any government agency, and in due course, with other business entities.

4.2.4 Confusingly, NOIE continues to refer to the ABN-DSC as an "organisational" or "non-individual" certificate. What they mean by this is that the ABN-DSC carries organisational liability and may only be issued after both the organisation and the individual subscriber have been joined in a contract with the CA. However, ABN-DSCs will always be issued to individual subscribers, and to that extent the ABN-DSC is clearly a personal identity certificate.

4.2.5 ABN-DSCs, as specified by Project Gatekeeper, will be potentially available from any Gatekeeper-accredited commercial CA, at a price.

4.2.6 The "doctrine of presumed authority" in Australian law applies to ABN-DSCs. This is the legal principle that generally allows employees to sign transactions on behalf of their organisation, with those transactions being legally binding on the organisation. It means that purchase orders, for example, do not have to be signed by a Company Director, and the recipient of a reasonable-looking purchase order is not obliged to check up on the identity of the signatory, nor their privileges. The recipient is generally allowed to presume that the signatory was able to act for the company.

4.2.7 Therefore, if any individual is the legitimate holder of an ABN-DSC, then relying parties can presume that they work for the business identified by the ABN in the certificate. They can rely upon transactions signed by that individual using that certificate to the same general extent that they can rely upon any piece of paper signed by the person in the context of the business.

4.2.8 In the ABN-DSC specification several steps are prescribed in order to bind together various pieces of information and delegations:

  • The CA has to check that the Authorising Officer is truly affiliated with the business concerned

  • The CA has to carry out a 150 point check on the Authorising Officer

  • The CA has to check that the business concerned really has the given ABN

  • The Authorising Officer has to check that any subsequent ABN-DSC applicant has the right to represent the business.
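The four binding steps above, modelled as an added example (this is not code from the Gatekeeper or ABN-DSC specification): the CA issues the first certificate only after an affiliation check, a 150-point EOI check and an ABN check, and thereafter an Authorised Officer vets applicants from the same business. The ABN format check uses the published modulus-89 check-digit algorithm; the register lookup is a constructed dictionary standing in for the Australian Business Register, and all names and function signatures are hypothetical.

```python
"""Model of the ABN-DSC binding steps (constructed illustration, not the spec)."""
from dataclasses import dataclass

# Weights from the published ABN check-digit algorithm (weighted sum mod 89).
ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)
EOI_POINTS_REQUIRED = 150  # Gatekeeper 2 threshold for an Authorised Officer

# Constructed stand-in for the Australian Business Register; the real CA step
# queries the register, not a dictionary. The ABN below is a constructed sample.
FAKE_ABN_REGISTER = {"51824753556": "Example Pty Ltd"}


def abn_checksum_ok(abn: str) -> bool:
    """Format check only: 11 digits, first digit minus 1, weighted sum divisible by 89."""
    digits = abn.replace(" ", "")
    if len(digits) != 11 or not digits.isdigit():
        return False
    nums = [int(d) for d in digits]
    nums[0] -= 1
    return sum(w * n for w, n in zip(ABN_WEIGHTS, nums)) % 89 == 0


@dataclass
class AbnDsc:
    subject: str
    abn: str
    business: str
    authorised_officer: bool
    vetted_by: str  # "CA" for the first certificate, the officer's name afterwards


def ca_issue_first_cert(subject, abn, business, eoi_points, affiliation_confirmed):
    """Steps 1-3: affiliation, 150-point EOI, and the ABN really belongs to the business."""
    if not affiliation_confirmed:
        raise ValueError("officer's affiliation with the business not confirmed")
    if eoi_points < EOI_POINTS_REQUIRED:
        raise ValueError(f"EOI {eoi_points} below {EOI_POINTS_REQUIRED} points")
    abn = abn.replace(" ", "")
    if not abn_checksum_ok(abn) or FAKE_ABN_REGISTER.get(abn) != business:
        raise ValueError("ABN does not belong to the named business")
    return AbnDsc(subject, abn, business, authorised_officer=True, vetted_by="CA")


def ao_issue_subsequent_cert(officer: AbnDsc, subject, represents_business):
    """Step 4: only an Authorised Officer vets later applicants from the same business."""
    if not officer.authorised_officer:
        raise ValueError("only an Authorised Officer may vet further applicants")
    if not represents_business:
        raise ValueError("applicant has no right to represent the business")
    return AbnDsc(subject, officer.abn, officer.business,
                  authorised_officer=False, vetted_by=officer.subject)
```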

4.2.9 The provisions of the ABN-DSC are similar to the S.E.E. PKI proposals in at least two respects:

4.2.9.1 The overall intent is very similar to the intent recommended for S.E.E. PKI, in which individual certificate holders are legitimated to S.E.E. by virtue of their organisational affiliations.

4.2.9.2 The prescribed checking steps described in section 4.2.8 correspond to the approach adopted for RAs in the S.E.E. PKI architecture.

4.2.10 These similarities provide a measure of assurance that the proposals for S.E.E. PKI are in line with thinking in other comparable countries.

4.3 Australian National PKI Initiative

4.3.1 The National Electronic Authentication Council (NEAC) has previously endorsed the principles of a non-government, open accreditation framework for CAs, as promoted by the Certification Forum of Australasia (CFA - see next section), which would be expected to lead to a National PKI. NEAC has tasked NOIE and the CFA to jointly develop a discussion paper on the National PKI.

4.3.2 Progress on the discussion paper by NOIE has been slow, due to both a lack of resources and other extra-agency priorities. Separate elements of the CFA PKI model are however being taken up by NOIE more rapidly. In particular, NOIE has started on an open audit programme where parts of the Gatekeeper evaluation process would be outsourced to a panel of approved commercial audit firms.

4.4 Certification Forum of Australasia

4.4.1 This was originally a private sector body formed in Australia by companies active in PKI in response to the Commonwealth's reluctance to provide a PKI framework for the private sector. It now has some 38 Australian members, including major certification authorities (issuers of digital signatures), Government agencies and major likely users, and is active in promoting usable PKI initiatives. Its objectives are "to provide a forum for industry participants to advance the co-operative development of a national infrastructure for trusted certification activities in Australia, in order to promote electronic commerce".

4.4.2 CFA has acted as a useful foil to the highly regulated approach of the Australian federal government's own PKI. It has also provided an avenue for industry to put its views forward to government. It is worth noting that members now include government agencies such as the Attorney-General's department, NOIE and the Office of Government Online (OGO).

4.4.3 In late 2000, CFA broadened its scope to include New Zealand and is now actively seeking members in this country. This will provide an opportunity for NZ organisations to get first-hand information about developments in Australia that may affect them, and also (if sufficient organisations join here) to influence local developments.

4.4.4 CFA is emerging as the Australasian counterpart to PKI Forum initiatives in other parts of the world (see below), and has the potential to act as an effective conduit for organisations in this region to take part in a number of important international initiatives. Given this, and the close links and similarities that exist between emerging PKI programmes in the two countries, this paper recommends that the S.E.E. Steering Group consider joining CFA.

4.5 Project Angus

4.5.1 Angus is an alliance of the four major Australian banks, which approached the National Office for the Information Economy as one, to seek recognition of certificates issued by the banks under Identrus.

4.5.2 The federal Cabinet has signed off an agreement under which Commonwealth agencies will recognise ABN-DSCs issued by Angus banks as if they were Gatekeeper accredited, provided that the following conditions are met:

  • the bank's CA operation is Identrus-accredited

  • the bank's RA operations are Gatekeeper-accredited

  • cross recognition is performed by NOIE on the bank.

4.5.3 The cross recognition step will be performed according to the methods put forward by the APEC E-Security Task Group (see below). The cross recognition protocol has yet to be written; the first publicly available draft of a NOIE cross recognition policy is not expected until late July.

4.5.4 Confusingly, NOIE maintains that it is not cross recognising Identrus as such but only the four members of the Angus alliance. We are advised, however, that senior Gatekeeper personnel have confirmed that the cross recognition protocol will be (and must be) based upon detailed mapping of the Identrus scheme and its accreditation processes, in order to allow the meaning of a bank's Identrus status to be transparent.

4.5.5 Note that strictly speaking, the scope of Project Angus is limited to the cross recognition of ABN-DSCs issued by the four major banks. Nevertheless, the cross recognition procedure is expected to yield important results that will carry over to other types of certificates and to other types of schemes.

4.5.6 Project Angus is of direct relevance, because those NZ banks with Australian parents will follow its lead. This may facilitate the supply of Identrus-compliant certificates in New Zealand. The Angus cross recognition programme may possibly streamline the acceptance of those certificates by the S.E.E. PKI.

