[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [egov] Brief report: G2G PKI in the Nordic Region
Colin, Thank you for this interesting information! SEEMail seems to be pretty close to what the governments are working here with in the Nordic/Arctic region. SECUREMAIL is something that differs from what is in the works here. We have to almost 100% based all C2G activities on the web, using browsers. I believe that encryption using HTTPS and the web's interactive operation were the prime motives for going this route. Mobility is also much harder to achieve using S/MIME due to the configuration requirements. What is still [completely] missing in our plot is something like the following: http://w1.181.telia.com/~u18116613/onlinesigstdprop.ppt And of course the problem that we *all* share: how to carry our citizen certificates. Do you have any input on the latter I would very much appreciate it! Here I would like to mention that all Nordic country except Sweden (my country) have selected server-based PKI to get away from smart cards and soft certificates. You authenticate to the PKI servers using SecurID and similar One-Time-Token. I believe Sweden selected a less useful approach, soft certificates and Java applets. Our neighbors' systems runs on ANY computer and can also be used at Internet cafés. Our system OTOH is basically only useful from your own trusted computers. Personally, I believe that e-governments should go together and make sure that the mobile phone becomes the authentication device because that potentially beats all alternatives by a mile. Best Regards Anders Rundgren Consultant, e-infrastructure ----- Original Message ----- From: <Colin.Wallis@ssc.govt.nz> To: <anders.rundgren@telia.com>; <egov@lists.oasis-open.org> Sent: Tuesday, July 20, 2004 05:16 Subject: RE: [egov] Brief report: G2G PKI in the Nordic Region Anders Your email struck a chord with the experience with PKI we had down here in New Zealand, so we have offered some insights below from our specialist in the area, Mike Pearson. Kind Regards Colin ............................................................................ ............................................ SEEMAIL The New Zealand government has used domain-based security successfully for the last five years, to authenticate and encrypt email between agencies. The initiative is known as SEEMail (Secure Electronic Environment Mail). SEEMail products are commercial "Off-The-Shelf" offerings, using industry standard encryption and authentication mechanisms. The SEEMail standard specifies how such gateways must be configured to achieve interoperability and security. Testing is largely automated. The government controls: - accreditation of vendors/products - certification of site installations - centralised infrastructure (LDAP, automated testing system) - currently runs a PKI, due to the state of the commercial PKI market in NZ More information about the initiative can be found here: http://www.e-government.govt.nz/see/mail/index.asp We have learned a lot of critical lessons about how this type of system works. This resulted in SEEMail v2, which provides: - greater automation of routine certificate management tasks - improved fail-safe certificate processing for invalid certificates and faulty implementations - improved assurance of site configurations, on a regular basis SECUREMAIL SecureMail is an e-government unit project reviewing how to extend the SEEMail initiative, for use in exchanging secure email between people and government agencies. The project has published a number of discussion documents, and is intended to be complete in August, with a standard for voluntary adoption by Service Providers. http://www.e-government.govt.nz/securemail/index.asp PKI The Secure Electronic Environment (S.E.E.) project, did a significant amount of research into PKI, several years ago. This produced a flexible certificate policy incorporating several unique features e.g. PASSPORT, BUSINESS CARD and ASSOCIATE certificate types used for IDENTITY and ACCESS. The certificate policy can be found here: http://www.e-government.govt.nz/docs/see-pki-cert-policy-v2/chapter1.html The current advice to Government agencies, based upon overseas and New Zealand experiences, is that a PKI implementation project must be approached with caution. Implementers should ensure their risk analysis truly shows PKI is the most appropriate security mechanism and wherever possible consider alternative methods. http://www.e-government.govt.nz/docs/see-pki-paper-14/index.html PKI and EMAIL Based upon the above experiences with SEEMail, SecureMail and PKI, the e-government unit is currently reviewing its thinking in this area. Initial thoughts are that the current approach has the disadvantages in a wider environment of being NOT SCALABLE, is a SINGLE POINT OF FAILURE and imposes unnecessary COSTS and SYSTEM MANAGEMENT OVERHEADS. The e-government unit is currently developing a modification of the concept. Conceptually, it is being proposed that the DNS will be used for public key management. The benefits of this approach are: no Certificate Authority is needed, the DNS is the authoritative source; the DNS is a distributed fault tolerant directory; adding an extra field to the DNS reduces cost and system management overhead. To understand this concept, you must accept that a domain name e.g. "ssc.govt.nz" is a label, a string of characters only. The association of an IP address, or a Public Key does not assert how much you can trust the holder of the label - that is a business decision, typically determined by other out-of-band information. This concept is still being discussed, so no online information is currently available. Regards, Mike Pearson, Senior Advisor E-government Unit, mailto:mike.pearson@ssc.govt.nz STATE SERVICES COMMISSION Phone : +64 (4) 495-6769 Te Komihana O Nga Tari Kawanatanga Fax : +64 (4) 495-6669 Level 4, 100 Molesworth St Mobile: +64 (21) 631-731 PO Box 329, Wellington 6015, NEW ZEALAND ************************************************************************* If you have received this email in error, please let us know as soon as possible and then delete it. ************************************************************************* www.e-government.govt.nz www.ssc.govt.nz www.govt.nz - connecting you to New Zealand central & local government services -----Original Message----- From: Anders Rundgren [mailto:anders.rundgren@telia.com] Sent: Sunday, 18 July 2004 8:15 a.m. To: egov@lists.oasis-open.org Subject: [egov] Brief report: G2G PKI in the Nordic Region Maybe the following information regarding the current developments in the Nordic region could be of some interest? Each of the Nordic countries' governments have more or less on their own, come to the conclusion that inter-authority (G2G) as well as future government-to-business (G2B) messaging should for numerous reasons be based on domain-based security which is similar to firewall deployment. By doing that governments maintain message integrity, confidentiality and strong authentication (sometimes referred to as non- repudiation), without taking on a full-scale PKI project between the different authorities (internally, each authority is usually free to deploy client security solutions in their own pace, fitting their budgets and needs). Effectively each outgoing message is secured by a _single_ certificate, identifying only the authority with the aid of a registered organization- unique number and a common name. Such certificates are issued by specifically designated TTPs. The most recent development is to extend this concept to also support country-to-country messaging! Due to the very few CAs involved (one ot two in each country), and the simple, uniform and flat PKI structure, there is no need for any cross-certification or brídge CAs, in spite of the fact that such a network will eventually support millions of public sector employees, spread over several thousands of different authorities and communes, distributed over at least four countries. The following paper which was submitted to PKI Workshop 2003 http://w1.181.telia.com/~u18116613/pki4org.pdf describes the principles and motives behind this scheme. These PKI developments are also closely aligned with current LDAP usage, here citing Verisign's Phillip Hallam-Baker: "Paradoxically it is the value of the directory as the central hub of the enterprise information infrastructure that constrains its use" On the next IETF meeting it has been said that there will be a Gateway Signing BOF. Although I don't plan to attend, I have a feeling that this could be interesting as the scope of these concepts also apply to spam filtering because if an entire domain is recognized by a signature, ISPs will be much more cautious regarding spamming customers. Best Regards Anders Rundgren Consultant, e-infrastructure To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/egov/members/leave_workgroup.ph p.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]