

Subject: RE: [egov] Brief report: G2G PKI in the Nordic Region


Anders

Your email struck a chord with the experience with PKI we had down here in
New Zealand, so we have offered some insights below from our specialist in
the area, Mike Pearson.

Kind Regards

Colin
............................................................................
............................................
SEEMAIL
The New Zealand government has used domain-based security successfully for
the last five years, to authenticate and encrypt email between agencies.
The initiative is known as SEEMail (Secure Electronic Environment Mail).
SEEMail products are commercial "Off-The-Shelf" offerings, using industry
standard encryption and authentication mechanisms.  The SEEMail standard
specifies how such gateways must be configured to achieve interoperability
and security.  Testing is largely automated.

The government controls:
- accreditation of vendors/products
- certification of site installations
- centralised infrastructure (LDAP, automated testing system)
- currently runs a PKI, due to the state of the commercial PKI market in NZ

More information about the initiative can be found here:
http://www.e-government.govt.nz/see/mail/index.asp

We have learned a lot of critical lessons about how this type of system
works.  This resulted in SEEMail v2, which provides:
- greater automation of routine certificate management tasks
- improved fail-safe certificate processing for invalid certificates and
faulty implementations
- improved assurance of site configurations, on a regular basis


SECUREMAIL
SecureMail is an e-government unit project reviewing how to extend the
SEEMail initiative, for use in exchanging secure email between people and
government agencies.  The project has published a number of discussion
documents, and is intended to be complete in August, with a standard for
voluntary adoption by Service Providers.
http://www.e-government.govt.nz/securemail/index.asp


PKI
The Secure Electronic Environment (S.E.E.) project did a significant amount
of research into PKI, several years ago.  This produced a flexible
certificate policy incorporating several unique features e.g. PASSPORT,
BUSINESS CARD and ASSOCIATE certificate types used for IDENTITY and ACCESS.
The certificate policy can be found here:
http://www.e-government.govt.nz/docs/see-pki-cert-policy-v2/chapter1.html

The current advice to Government agencies, based upon overseas and New
Zealand experiences, is that a PKI implementation project must be approached
with caution. Implementers should ensure their risk analysis truly shows PKI
is the most appropriate security mechanism and wherever possible consider
alternative methods.
http://www.e-government.govt.nz/docs/see-pki-paper-14/index.html


PKI and EMAIL
Based upon the above experiences with SEEMail, SecureMail and PKI, the
e-government unit is currently reviewing its thinking in this area.  Initial
thoughts are that the current approach has the disadvantages, in a wider
environment, of being NOT SCALABLE, being a SINGLE POINT OF FAILURE and
imposing unnecessary COSTS and SYSTEM MANAGEMENT OVERHEADS.

The e-government unit is currently developing a modification of the concept.
Conceptually, it is being proposed that the DNS will be used for public key
management.  The benefits of this approach are: no Certificate Authority is
needed, the DNS is the authoritative source; the DNS is a distributed fault
tolerant directory; adding an extra field to the DNS reduces cost and system
management overhead.

To understand this concept, you must accept that a domain name e.g.
"ssc.govt.nz" is a label, a string of characters only.  The association of
an IP address or a Public Key does not assert how much you can trust the
holder of the label - that is a business decision, typically determined by
other out-of-band information.  

This concept is still being discussed, so no online information is currently
available.


Regards, 
Mike Pearson, Senior Advisor     E-government Unit,
mailto:mike.pearson@ssc.govt.nz  STATE SERVICES COMMISSION
Phone : +64  (4) 495-6769        Te Komihana O Nga Tari Kawanatanga
Fax   : +64  (4) 495-6669        Level 4, 100 Molesworth St
Mobile: +64 (21) 631-731         PO Box 329, Wellington 6015, NEW ZEALAND 

 

-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren@telia.com]
Sent: Sunday, 18 July 2004 8:15 a.m.
To: egov@lists.oasis-open.org
Subject: [egov] Brief report: G2G PKI in the Nordic Region


Maybe the following information regarding the current developments
in the Nordic region could be of some interest?

Each of the Nordic countries' governments has, more or less on
its own, come to the conclusion that inter-authority (G2G) as well
as future government-to-business (G2B) messaging should for numerous
reasons be based on domain-based security, which is similar to firewall
deployment.  By doing that, governments maintain message integrity,
confidentiality and strong authentication (sometimes referred to as non-
repudiation), without taking on a full-scale PKI project between the
different authorities (internally, each authority is usually free to deploy
client security solutions at their own pace, fitting their budgets and
needs).

Effectively each outgoing message is secured by a _single_ certificate,
identifying only the authority with the aid of a registered organization-
unique number and a common name.  Such certificates are issued by
specifically designated TTPs.

The most recent development is to extend this concept to also
support country-to-country messaging!

Due to the very few CAs involved (one or two in each country),
and the simple, uniform and flat PKI structure, there is no need
for any cross-certification or bridge CAs, in spite of the fact that
such a network will eventually support millions of public sector
employees, spread over several thousands of different authorities
and communes, distributed over at least four countries.

The following paper which was submitted to PKI Workshop 2003
http://w1.181.telia.com/~u18116613/pki4org.pdf
describes the principles and motives behind this scheme.

These PKI developments are also closely aligned with current LDAP
usage, here citing Verisign's Phillip Hallam-Baker:

       "Paradoxically it is the value of the directory as the
         central hub of the enterprise information
         infrastructure that constrains its use"

At the next IETF meeting it has been said that there will be a
Gateway Signing BOF.  Although I don't plan to attend, I have
a feeling that this could be interesting, as the scope of these
concepts also applies to spam filtering, because if an entire domain
is recognized by a signature, ISPs will be much more cautious
regarding spamming customers.

Best Regards
Anders Rundgren
Consultant, e-infrastructure

