4 Accreditation options and process
4.1.1 For all options, the CA agrees to provide services satisfying the requirements of our CP. The S.E.E. Key CP (paper 9) defines most of our requirements for a Certification Authority.
4.1.2 The CA will be given an outline of what will be required of them. This is attached as Appendix A. The CA will compare their Certification Practice Statement (CPS) with our CP, in effect providing a self-assessment. An example of what this might look like is attached as Appendix B.
4.1.3 As part of the accreditation process, S.E.E. Application owners (e.g. CFISnet, Shared Workspace) will be given the chance to test the CA's certificates and services before accreditation is conferred.
4.2 CA statement of compliance
4.2.1 In this option, the CA only agrees to provide services satisfying the requirements of our CP; no independent evidence that it does so is required.
4.2.2 This is the lowest compliance option, and mirrors most other service purchasing by government.
4.2.3 Agencies will have a contractual relationship with the CA based on the CA's CPS, and so have recourse only to whatever liability the CA's CPS specifies.
4.3 Evidence of audit
4.3.1 In addition to the requirements of 4.1.1, this option requires the CA to provide evidence of third party audit of CA operations, and a commitment to ongoing audit.
4.3.2 Accreditation under well-known CA accreditation schemes may also be acceptable evidence of audit.
4.3.3 This gives us much greater confidence that the CA actually operates as its CPS describes and has a commitment to providing a quality service.
4.3.4 This is the recommended approach for S.E.E. PKI CA accreditation, and the remainder of the paper from section 5 assumes that this option is chosen.
4.4 Third party accreditation
4.4.1 This approach recognises specific third party CA accreditation schemes, such as the commercial WebTrust for CAs, the banking sector's Identrus scheme and the Australian government's Project GateKeeper.
4.4.2 Recognition of other schemes would let us use CAs that have already satisfied the requirements of another market, without additional cost to CAs.
4.4.3 Our role would be to evaluate accreditation schemes when approached by accredited CAs, to determine if we find those schemes acceptable for S.E.E. Key.
4.4.4 This approach favours larger foreign CAs that have already been accredited in other markets.
4.5 Audit to S.E.E. PKI CP
4.5.1 We could require a third party audit comparing the CA's operations with our Certificate Policy.
4.5.2 This is the approach of other accreditation schemes like Project GateKeeper.
4.5.3 If approached by a CA that has been accredited under a scheme other than S.E.E., we could evaluate the other accreditation scheme and audit the CA only on the differences between that scheme and our S.E.E. CP.
4.5.4 This approach would give us the greatest confidence that the CA meets our needs, but would also be the most time consuming and expensive.

