Government authentication policy

There are several policy approaches to authentication, in principle, which tend to vary from one jurisdiction to another according to political philosophy.

A common governmmental approach to establishing groundrules for trust and identity in support of e-commerce is to lay out a risk-based framework that maps generaic authentication solutions against the intrionsic security requirements of different types or classes. Several governments around the world have established generally technology neutral policy frameworks to assist in the selection and implementation of identity management and authenticaton solutions. Preeminent examples include the US, New Zealand and Australia; see Authentication Frameworks.

Many governments have invested further effort in establishing particular PKI based frameworks for authentication and trust (without going so far as to mandate PKI, thus leaving the way pen for other technologies); see for example Canada's Policy for Public Key Infrastructure Management and Australia's Project Gatekeeper.

Yet some jurisdictions do enact technology-specific authentication regulations (at this time, they're always PKI based); examples include Malaysia, India, and the state of Utah (historically important as the first legislature to pass a prescriptive digital signature statute). See also Regulatory approaches to trust and identity.

Industry policy & frameworks

Industry specific policy frameworks tend to be focused on a particular authentication technlogy, usually PKI.

The Australian IT Security Forum published a generalised security idustry position on PKI in 2003.

See also our wiki page on vertical PKI schemes and associations.