
Critical Success Factors

Privacy

While people are increasingly willing to use the Internet to transact business, they are concerned about controlling when, how, and to what extent personal information is collected and used. If the Government PKI is not properly implemented and managed, the technologies could also lead to the abuse of personal information necessary to the functioning of the PKI.

This means that when technologies such as PKI are implemented, extra care must be taken to avoid improperly gathering or using personal information.

Maintaining trust

Having established a certain level of trust for a PKI, an agency will have to develop implementation policies for establishing and maintaining that trust level. For example, policies are needed that focus on issues such as what information will be included in digital certificates, how individual users will obtain digital certificates, and how users' private keys will be protected.

The higher the level of trust, the more stringent the process of user identification that will be required to create and assign digital certificates. If users are to present positive identification in person in order to get their certificates, for example, then registration authorities must be set up with trained, trusted personnel to operate them.

If smart cards are to be used to protect users' private keys, smart card standards and a process to distribute and manage the smart cards will be necessary.

Furthermore, the agency will have to develop a policy for determining which sources it will accept digital certificates from.

Most important, once appropriate governance and management of policies and procedures have been developed and implemented, an additional process will be needed to ensure that required assurance levels do not degrade over time. For example, agencies may be required to conduct periodic audits of their PKIs to ensure that policies and procedures are being followed.

Some agencies will not wish to run their own Certification Authorities, and Government standards will be required for the outsourcing of this function.

Training

Training will be vital to a successful PKI. Public key technology is complex and difficult to grasp. As with any other technology used to provide security, the assurance provided by a PKI will be only as good as the practices and procedures of the users and administrators who maintain the system on a daily basis. For example, if administrators do not properly configure and maintain the PKI software and hardware, vulnerabilities may be exposed that an attacker could exploit. Likewise, if users do not properly safeguard their private keys, or do not know how to properly interact with the PKI functions in their application software, other vulnerabilities will be opened for potential exploitation.

Application Development Guidelines

Guidelines will be needed for application developers, detailing how to build an application that works with the PKI.

