
Why a PKI ?

E-government

Increasingly, Government agencies are using the World Wide Web and other Internet-based applications to improve internal business operations.

However, with the potential for improvements in service delivery and productivity come many of the security risks faced by existing systems as well as new risks. In some cases, the sensitive information and communications that may be involved in these activities will require greater security assurances than can be provided by simple security measures, such as a single password to gain access to a system.

There are several forms of remote electronic authentication and electronic signature available, including but not limited to knowledge-based authentication (Personal Identification Numbers (PINs) and passwords), biometrics and PKI-based authentication (tokens, smart cards and digital certificates).

Digital certificates and their associated Public Key Infrastructure of hardware, software, policies, and people can provide these greater assurances of authentication, encryption, integrity and non-repudiation. Some electronic government functions, such as the dissemination of public information, probably do not need such rigorous measures. However, many important communications and transactions that involve sensitive personal and financial data cannot be safely conducted through purely electronic means until the critical security features such as those provided by PKI are enabled.

PKI Challenges

Full-featured PKI implementations (those that offer all of the security assurances needed for sensitive communications and transactions) are not yet commonplace in either the government or the private sector, and a number of substantial challenges must be overcome before the technology can be widely and effectively deployed.

First, in order to develop an interoperable government-wide system, agency PKIs will have to work seamlessly with each other, yet current PKI products and implementations suffer from interoperability problems. Ensuring the ability of agency PKIs to process certificates from all potential sources in a consistent manner will require that application software, certificates and related infrastructure conform to some minimum standards.

Second, because full-featured organisational PKIs are rare in the New Zealand government, it is not yet known how well this technology will truly scale and interoperate as its use grows. New Zealand government agencies have only limited experience with PKI, and much of it is based on pilot projects or relatively small-scale applications. Some examples around Government are the Treasury CFISnet, with some 200 certificates, including one user in each government agency, and NZHIS, with 400 certificates.

Third, adoption of the technology may be impeded by the high cost associated with building a PKI, enabling software applications to use it, and maintaining it. These costs can easily add up to millions of dollars.

Fourth, an effective PKI, at any level within the government, will require well-defined policies and procedures for ensuring that an appropriate level of security is maintained on an ongoing basis. Establishing such policies will require resolution of a number of sensitive issues in areas such as governance, management of policies and standards, privacy protection, encryption key recovery, and how employees will be expected to identify themselves and secure their electronic PKIs.

Finally, as with any security technology, the success of a PKI implementation will depend on how well people interact with the system and how well the system is implemented. Thus, agencies will be faced with the challenge of training and involving both users and system administrators in the adoption of a significant new technology.

There is much that must be accomplished in order to support widespread interoperable PKI services across Government. It is unlikely there can be a "one size fits all" approach to PKI technical solutions, architecture or policy. Rather, what may be required is a broad range of solutions to meet individual agency e-business needs.

