OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

egov message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Brief report: G2G PKI in the Nordic Region

Maybe the following information regarding the current developments
in the Nordic region could be of  some interest?

Each of the Nordic countries' governments have more or less on
their own, come to the conclusion that inter-authority (G2G) as well
as future government-to-business (G2B) messaging should for numerous
reasons be based on domain-based security which is similar to firewall
deployment.  By doing that governments maintain message integrity,
confidentiality and strong authentication (sometimes referred to as non-
repudiation), without taking on a full-scale PKI project between the
different authorities (internally, each authority is usually free to deploy
client security solutions in their own pace, fitting their budgets and needs).

Effectively each outgoing message is secured by a _single_ certificate,
identifying only the authority with the aid of a registered organization-
unique number and a common name.  Such certificates are issued by
specifically designated TTPs.

The most recent development is to extend this concept to also
support country-to-country messaging!

Due to the very few CAs involved (one ot two in each country),
and the simple, uniform and flat PKI structure, there is no need
for any cross-certification or brídge CAs, in spite of the fact that
such a network will eventually support millions of public sector
employees, spread over several thousands of different authorities
and communes, distributed over at least four countries.

The following paper which was submitted to PKI Workshop 2003
http://w1.181.telia.com/~u18116613/pki4org.pdf
describes the principles and motives behind this scheme.

These PKI developments are also closely aligned with current LDAP
usage, here citing Verisign's Phillip Hallam-Baker:

       "Paradoxically it is the value of  the directory as the
         central hub of the enterprise information
         infrastructure that constrains its use"

On the next IETF meeting it has been said that there will be a
Gateway Signing BOF.  Although I don't plan to attend, I have
a feeling that this could be interesting as the scope of these
concepts also apply to spam filtering because if an entire domain
is recognized by a signature, ISPs will be much more cautious
regarding spamming customers.

Best Regards
Anders Rundgren
Consultant, e-infrastructure

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]