3 New Zealand Government Experiences

3.1 Current Use of Digital Certificates

28. Digital certificates are typically used by the New Zealand government for business applications requiring strong authentication, confidentiality and integrity, such as:

• SEEMail - uses digital certificates for sending secure messages across the Internet. This system currently has over 30 agencies using it, with many others expected to join by the end of 2003.

• The Treasury - uses digital certificates for browser authentication of Crown Financial Information System (CFISnet) users. There are approximately 290 users, of which 25% are internal Treasury users, 50% are from other government agencies, and 25% from SOEs and crown entities. The Treasury also uses digital certificates to authenticate users to its external workspace, to encrypt laptops, and for remote access authentication.

• LINZ - uses digital certificates to identify individual users of the Landonline system. It currently has 4,000 users with a final intended audience of 8,000 users.

• Health Sector - uses digital certificates for Health Providers to access to various health systems. The estimated audience is approximately 10,000 users.

• Education Sector - uses digital certificates to identify particular staff at each tertiary provider. There are over 350 tertiary providers involved with the system.

• The Ministry of Social Development has used elements of PKI in its business, since 1999, to encrypt login sessions and to authenticate users to applications. For MSD and CYF being their "own" CA has proven a very cost effective way for automated user management, in a number of critical infrastructure components. This has allowed them to manage approximately 9,000 users with an incremental cost of around NZ$12/user.

3.2 Exiting of a Certificate Supplier

29. In 2002, the major supplier of digital certificates to government was BaycorpID. BaycorpID indicated its intention to leave the marketplace in December 2002, as they were unable to make the business economic. During the lead up to its deadline for closure of services, the quality of certificates and the level of service dropped significantly.

30. Agencies using digital certificates found they were at increased risk because:

• Supplier issues - They were unable to find an alternative supplier for new certificates, so new users would not be able to access their systems.

• Application issues - Some applications were so tightly bound to the existing CA, that transition to a new CA was difficult.

31. For users such as the Treasury, and the Health sector, PKI was already a critical piece of internal infrastructure, used for purposes such as securing laptops, securing VPN access, and accessing web-based applications.

32. The Treasury has chosen to use internal expertise and self-issue certificates. This reduces its reliance on external certificate suppliers, but carries additional operational costs.

33. The Health sector has chosen to find another commercial supplier of certificates. Although this solves the pressing issue of certificate supply, it does not address the long-term issue of CA viability.