PKI Position Statement of the Australian Security Industry
EXTRACT
The Australian IT Security Forum has reached a position on the best use of Public Key Infrastructure (PKI). Our vision has been developed through extensive dialogue with users and with government, and is deeply informed by practical experience of some of the world’s largest and most effective PKI rollouts. We present here the major implications of this experience for systems integration, PKI regulation and cross-border interoperability.
The overwhelming experience of PKI in practice is that it delivers most value when used to automate paperless routine transactions between parties who have an existing business relationship. In the best PKI applications, parties tend to deal with one another in a well-defined formal context. They tend to operate under existing terms and conditions, with contracted or legislated liability arrangements. There is usually a recognised authority over the domain of the transactions, which can take responsibility for registered digital certificate holders. Current examples include e-health, customs, taxation reporting and business banking. It is likely that PKI will be taken up similarly in the near future for higher education, electronic conveyancing and driver licensing. We describe this model as Scheme-based PKI.
Scheme-based PKI means that we should expect multiple digital certificates to be deployed in various forms, each tightly coupled with (or embedded in) a specific type of application. Different digital certificates would be issued and used under specific conditions; registration processes can be streamlined for each user community; and subscriber agreements can be folded into existing user agreements.
The idea of multiple certificates was once alarming, but certificates embedded invisibly in convenient forms such as smartcards need not be any harder to use than conventional plastic cards. There is increasing awareness, from the perspectives of privacy, usability and commercial practice, that a single identity would not be useful in any case. The reality of physically different cards for banking, driver's licence, health insurance, professional memberships and building access is here to stay, irrespective of whether the cards are based on magnetic stripes or PKI.
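The scheme-scoping described in the two preceding paragraphs, as an added example that is not part of the position statement and not the code of any actual scheme: a relying application trusts only its own scheme's CA as a trust anchor and additionally requires the scheme's certificate policy OID, so a certificate registered under an e-health scheme is rejected by a taxation application even though both are well-formed X.509 certificates. The scheme names, the policy OIDs and the subscriber names are made up for the example; everything else is the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Made-up policy OIDs, one per scheme. A real scheme publishes its own OID in its
// Certificate Policy; these are placeholders for the example only.
var (
	healthPolicy = asn1.ObjectIdentifier{1, 2, 3, 4, 100, 1}
	taxPolicy    = asn1.ObjectIdentifier{1, 2, 3, 4, 100, 2}
)

// Scheme is what a relying application inside one scheme trusts: that scheme's own
// CA as the only trust anchor, plus the policy OID its certificates must carry.
type Scheme struct {
	Name   string
	Roots  *x509.CertPool
	Policy asn1.ObjectIdentifier
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent (self-signed when parent is nil) and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewScheme creates a self-signed scheme CA and returns the relying-party view of the
// scheme plus the CA certificate and key the scheme operator uses to register subscribers.
func NewScheme(name string, policy asn1.ObjectIdentifier) (Scheme, *x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	ca := sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name + " Scheme CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, &key.PublicKey, key)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return Scheme{Name: name, Roots: roots, Policy: policy}, ca, key
}

// IssueSubscriber registers a subscriber: a client-auth certificate signed by the scheme CA
// and stamped with the given policy OID in the certificatePolicies extension (2.5.29.32).
// The extension is marshaled by hand so the example behaves the same on every Go release.
func IssueSubscriber(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, policy asn1.ObjectIdentifier) *x509.Certificate {
	type policyInformation struct{ Policy asn1.ObjectIdentifier }
	val, err := asn1.Marshal([]policyInformation{{policy}})
	if err != nil {
		panic(err)
	}
	key := newKey()
	return sign(&x509.Certificate{
		SerialNumber:    big.NewInt(2),
		Subject:         pkix.Name{CommonName: cn},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: val}},
	}, ca, &key.PublicKey, caKey)
}

// Accept is the relying-party check: the chain must end in this scheme's own CA (no other
// scheme's CA is in the pool) and the certificate must carry this scheme's policy OID.
func (s Scheme) Accept(leaf *x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: s.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("%s: not issued under this scheme's CA: %w", s.Name, err)
	}
	for _, p := range leaf.PolicyIdentifiers {
		if p.Equal(s.Policy) {
			return nil
		}
	}
	return errors.New(s.Name + ": certificate does not carry this scheme's policy OID")
}

func main() {
	health, healthCA, healthKey := NewScheme("e-health", healthPolicy)
	tax, _, _ := NewScheme("taxation", taxPolicy)
	clinician := IssueSubscriber(healthCA, healthKey, "Example Clinician", healthPolicy)
	fmt.Println("e-health accepts clinician:", health.Accept(clinician)) // nil
	fmt.Println("taxation accepts clinician:", tax.Accept(clinician))  // error: wrong scheme
}
```

The two checks are deliberately separate: the trust-anchor check stops a certificate from a foreign scheme, while the policy-OID check stops a certificate the scheme's own CA issued for a different purpose, which is the situation that arises when one CA serves several schemes.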