12 May 1998
Thanks to Geoffrey Keating
A strategy for public key technology use in the Government
|Media Release - GATEKEEPER public key technology strategy|
|Questions & Answers|
|GPKA Executive Summary|
|GATEKEEPER - A strategy for public key technology use in the Government (in PDF 655K),(HTML version will be available shortly)|
Last Updated:12 May 1998
On 6 May 1998, the Minister for Finance and Administration officially launched GATEKEEPER, A strategy for public key technology use in the Government.
GATEKEEPER was developed by the Office of Government Information Technology in response to the identified needs of agencies to introduce public key technology to support authentication and identification in Government online transactions. The strategy ensures that this is done under a whole of government framework that ensures interoperability, integrity, authenticity and trust for both agencies and their customers. This is an important step in enabling the government to embrace electronic commerce.
The Minister also announced the establishment of the GPKA.
Purpose of the GPKA
The GPKA will work through the Chief Government Information Officer on the operation of the Government Public Key Infrastructure (GPKI), promote the Commonwealth Government position on the use of public key technology and manage the evaluation and accreditation of service providers to government.
Membership of the GPKA
Members of the GPKA have been drawn from the Commonwealth Government and industry associations. Details of the GPKA membership are available from the GPKA web site.
The GPKA will be supported by a contracted secretariat, provided by Standards Australia, who will provide the first point of contact for the GPKA for agencies, industry and other organisations. They will also manage the accreditation process and provide an information service on the Internet at www.gpka.gov.au.
The GPKA members are:
A/g First Assistant Commissioner
Australian Taxation Office
Health Insurance Commission
THE HON JOHN FAHEY, MP
GATEKEEPER PUBLIC KEY TECHNOLOGY STRATEGY
I am pleased to release the GATEKEEPER Report, the strategy for the use of public key technology for electronic transactions across Commonwealth agencies.
I am also announcing the establishment of the Government Public Key Authority which will oversight the introduction of this strategy.
The Government recognises that the future of business is in online services and electronic commerce. As a key user we are playing an important role in developing and supporting the necessary infrastructure for this form of commerce.
A clear, secure public key encryption system is essential to encourage confidence and to ensure trust between all users at each level in online transactions. These transactions will not replace but complement, the existing ways in which citizens and business work with Government.
GATEKEEPER will encourage the use of online communications through an authentication framework that will ensure consistency in the use of public key technology including digital signatures across Government and the reliability and interoperability of products and systems.
GATEKEEPER has been developed by the Office of Government Information Technology (OGIT) in consultation with Commonwealth agencies, other governments, interest groups and industry. It places the Commonwealth at the leading edge of electronic authentication activities around the world.
The Government Public Key Authority, which has been established to oversight the implementation of GATEKEEPER, is a management committee comprising senior representatives from Commonwealth agencies and information technology industry associations. Secretariat support will be provided by Standards Australia and interested parties will be able to consult directly with the Authority.
The Government is aware of the privacy concerns of some individuals due to the growing utilisation of electronic communications by all sectors of the community.
For this reason OGIT has consulted with privacy groups and built into the Gatekeeper strategy a number of factors which will maintain the ability for individuals to choose whether or not to utilise online transactions and, to protect the privacy of their personal information should they choose to do so.
Privacy considerations include;
The GPKA expects to maintain discourse with privacy groups as GATEKEEPER is implemented and I encourage interested groups to become involved in this process.
The major recommendations of the GATEKEEPER report are:
GATEKEEPER demonstrates the Governments commitment to pursue and promote electronic commerce in an environment of authenticity and integrity.
Canberra 6 May 1998
What is public key technology?
Public key technology, a relatively recent development in cryptography, is an encryption mechanism that provides, for example:
How does public key technology fit in with electronic commerce?
The market has identified the security and integrity of messages and the authentication of users as one of the primary barriers to the take-up of electronic commerce. Public key technology provides the mechanism to overcome these barriers.
The Commonwealth, in adopting GATEKEEPER, has moved to address these issues as they relate to doing business with Government.
How did GATEKEEPER begin?
In 1997, the Government decided to take the lead in the development of a national framework for the authentication of users of electronic online services.
The Office of Government Information Technology (OGIT) was charged with ensuring that there was an agreed strategy in place so that Commonwealth agencies could make optimal use of public key technologies (PKT) for electronic transactions. GATEKEEPER is that strategy.
GATEKEEPER provides a clear framework for those agencies that choose to use public key technology, and ensures there is consistency across the Commonwealth.
Why has the Government Public Key Authority been established?
GATEKEEPER recommended the establishment of the Government Public Key Authority as an important component of the overall strategy. It is a management committee made up of senior representatives from Commonwealth agencies and information technology industry associations.
Its main purpose is to oversight the introduction of the use of public key technology in the Commonwealth Government and to support and assist agencies to take advantage of public key technology tools and services.
The GPKAs responsibilities will include:
Who will the GPKA report to?
The GPKA will work through the Chief Government Information Officer (CGIO). The CGIO is the head of the Office of Government Information Technology (OGIT). One of the important first tasks for the Authority will be to work through their mode of operation, consistent with the Gatekeeper strategy.
Is the GPKA a policy body?
No. However, the GPKA will prepare broad advice and make recommendations to the CGIO, on things like software products and accredited services, which conform with relevant government policies including security, industry development, service delivery, record keeping, tendering and purchasing.
How will individual choice be preserved?
GATEKEEPER does not impose a requirement for people doing business with government to use public key technologies. Online transactions will not replace but will complement, the existing ways in which citizens and business work with Government. People will still be able to interact with Government in the manner in which they choose.
GATEKEEPER strongly supports the privacy of the individual. For those who choose to use online services, GATEKEEPER provides assurances that the security of personal information and the integrity of transactions are protected.
For example, people will not be required to use a single key pair (digital signature), they may have different signatures, which might be individual, role-based, agency, etc, for different transactions. Key pairs will be issued based on a proof of identity check much like applying for a bank account.
All commercial providers will be assessed against recognised physical, personnel and administrative security standards to ensure they can provide an appropriate level of operation suitable for use by Government.
Will individual privacy be protected?
The Government is committed to ensuring that the privacy of individuals who deal with Commonwealth Departments and agencies is protected. The Information Privacy Principles (IPPs) contained in the Privacy Act 1988 establish standards that cover issues such as the collection, storage, use and disclosure of personal information.
The handling of personal information by Departments and agencies using GATEKEEPER will be required to comply with the IPPs. Furthermore, legislation has also been introduced to extend the coverage of the Privacy Act to private sector contractors holding personal information under contracts to provide services to or for a Commonwealth agency.
The report also notes that the GATEKEEPER infrastructure should not rule out the ability for an individual to remain anonymous if their identity is not strictly necessary for that particular transaction and, places emphasis upon consultation, at an early stage, between agencies, the Privacy Commissioner, privacy and consumer groups in the development of service delivery options that use GATEKEEPER.
How will GATEKEEPER be affected by the final report from the Attorney Generals Electronic Commerce Working Group?
The Attorney Generals Department was an active participant on the GATEKEEPER steering committee.
The review of the law pertaining to electronic commerce, has been released for public comment as a report titled: Electronic Commerce: Building the legal framework, A report of the Electronic Commerce Expert Group to the Attorney General. The report was taken into consideration in the drafting of GATEKEEPER. The executive summary of the report, which includes the working groups recommendations, is included in GATEKEEPER.
Where does GATEKEEPER fit into the national framework?
GATEKEEPER, through the Government Public Key Authority (GPKA), will manage the evaluation and accreditation for organisations and individuals who wish to participate in the delivery of public key technologies and associated evaluation services for government use.
The GPKA will initially exist without a Policy and Root Registration Authority (PARRA), with the exception that the Government Public Key Infrastructure has been structured so that it can be readily subsumed into a PARRA structure once it is established.
What is in the GATEKEEPER strategy for industry?
Industry has been actively involved in the development of GATEKEEPER through briefings, reviews and through comment on the progressive drafts of the document. The Government welcomes the industrys contributions, and encourages industry to stay involved.
Although this is a very specialist industry, there will be niche market opportunities and benefits for small to medium enterprises involved in intelligent technologies, enabling technologies and risk management.
There will be a market for innovative software development and support services; for public key technology software suppliers; and for companies involved in the development of enabling applications that could be incorporated into Government activities. The need for the evaluation of service providers will also provide opportunities for expert organisations and specialist consultant services to be involved in the evaluation of areas such as risk and security.
The uptake of the GATEKEEPER strategy will position Australia as one of the foremost users of PKT in government. As other governments and organisations embrace public key technology, Australian industry will be well placed to offer, both domestically and internationally, products and services that have been developed for and provided to the Australian government.
Will public key technology be mandatory for use by Commonwealth agencies?
No. Commonwealth agencies will be able to choose whether or not they wish to use public key technology for online business services. However, if agencies choose to use public key technology will be able to rely on a solid framework for doing business with a network of services and products accredited by the GPKA.
When are government agencies going to begin using public key technologies?
Within the second half of 1998, several government agencies will begin using public key technologies. ATO, for example, will be reflecting PKT in their work. Centrelink is also exploring options for the use of public key technologies as a choice for its customers.
Last updated: 06 May 1998
Government Public Key Implementation Project
****(This page has been archived on 6 May 1998)****
Explanatory Letter to Commonwealth Agencies
Project Baseline Paper
Business and User Requirements Working Group
Security Working Group
Technical Working Group
Proposed Government Public Key Structure
Project GATEKEEPER Agency Forums: #1 (Microsoft PowerPoint v4)
Project GATEKEEPER Agency Forums: #2 (Microsoft PowerPoint v4)
Media Release - Senator Alston 14 October 1997
Last Updated: 05 May 1998
|Government Public Key Authority|
|Legal issues and business arrangements|
|Industry development and impact on other programs|
|As a means of enhancing service delivery and streamlining government transactions internally, a number of agencies had been pursuing initiatives to conduct business electronically with other agencies, industry and the public. The Office of Government Information Technology (OGIT) recognised an emerging trend towards the use of public key technologies as the principal means of authenticating users to ensure the security of online transactions in government business.|
|In late 1997 the Government decided to take the lead in the development of a national framework for the authentication of users of electronic online services. The Office of Government Information Technology (OGIT) was charged with ensuring that there is an agreed strategy in place so that the Commonwealth Government can make optimal use of Public Key Technologies (PKT) for electronic transactions.|
|OGIT formally established Project GATEKEEPER in October 1997. The Information Management, Access and Policy Branch (IMAP) of OGIT was given responsibility for the coordination and development of the project, and a full time project manager was appointed.|
|To ensure wide agency input and representation, a Steering Committee chaired by the Chief Government Information Officer was formed. Participants in the Steering Committee included senior officials from the Department of Defence, Health Insurance Commission, National Office of the Information Economy, Australian Taxation Office, Defence Signals Directorate, Centrelink and OGIT.|
|Three working groups were also established.|
|The Business and User Requirements Working Group, chaired by Mr Mark Mynott of the Health Insurance Commission (HIC), was established to identify what agencies required from PKT, in particular, reflecting an end user perspective. Further to this, a draft document (Version 1.7) was circulated to government agencies and also to industry (under non-disclosure) for review and comment.|
|Key requirements included, interoperability, addressing the privacy issues, confidentiality, non-repudiation, integrity, ease of use, marketability and archiving. These requirements and a number of informed responses to the draft document have been incorporated into the GATEKEEPER report.|
|A Security Working Group, chaired by Mr. Steve Orlowski from the Attorney General's Department, was established to review security issues and make recommendations about the applicable standards.|
|Specific standards have been identified for:|
|asymmetric key exchange;|
|proof of identity (POI);|
|key storage; and|
|The third group to be established was the Technical Working Group, which was chaired by Mr Peter Justice from the Department of Primary Industry & Energy (DPIE). Annex I, Technical Standards, provides details of the technical standards recommended.|
|Wider government comment was obtained through a multi level communications strategy involving the publication of strategy documents, individual presentations and briefings to government and industry.|
|The project had three identifiable aims.|
|1||To establish a rational voluntary mechanism for the implementation of PKT by government agencies;|
|2||To facilitate interoperability and allow users to choose from a panel of service providers whose products and methods of delivery have been evaluated and accredited to meet prescribed government standards for integrity and trust;|
|3||To provide an operational mechanism to manage the Commonwealth's activities and interests in the area of PKT.|
|A number of factors had to be carefully considered and managed in the delivery of this report, they include:|
|ensuring consistency with the Organisation for Economic Co-operation and Development (OECD) Guidelines on Cryptography Policy, which the Government has adopted as the basis for the development of domestic encryption policy|
|ensuring a consistent approach with the National Office of the Information Economy (NOIE) Working Group on the establishment of the Policy And Root Registration Authority (PARRA);|
|specification of suitable and effective technical standards;|
|provision of a well understood and valid level of confidence in the government use of PKT;|
|recognition of the needs of agencies with respect to service delivery; and,|
|providing for interoperability between agencies through rationalisation of the operational infrastructure.|
Concept of Operations
|The GATEKEEPER Concept of Operation can be broken down into two separate parts being the Government Public Key Authority (GPKA), and the technology that is the Government Public Key Infrastructure (GPKI).|
Government Public Key Authority
|It is proposed that a government management authority be established to set policy and standards for PKT and products to support government use of the technology.|
|The Government Public Key Authority (GPKA) will manage the evaluation and accreditation for organisations and individuals who wish to participate in the delivery of public key technologies and associated evaluation services for government use. The GPKA will initially exist without a PARRA, with the expectation that the GPKA will be subsumed into a PARRA structure, once it is fully established.|
|It is envisaged that the GPKA will comprise no less than four government members, and two industry observers. The Chairperson will be elected by a simple majority of the Board, with OGIT the initial Chairperson.|
|The GPKA will recognise two levels of accreditation: Entry Level Accreditation and Full Accreditation.|
|Entry Level Accreditation will require a service provider to prepare policies and operating practices for the delivery of public key services to government. The service provider will be required to give undertakings about the implementation of those policies, and also to commit to using the Information Technology Security Evaluation Criteria (ITSEC) E3 certified products. On the basis of these commitments the GPKA will approve the delivery of limited Certification Authority (CA) services to government.|
|Full Accreditation will involve satisfactory completion of the Entry Level requirements. In addition it will also require satisfactory completion of an ITSEC certification.|
|The GPKA will publish guidelines and standards for:|
|organisations or individuals providing evaluation services for Entry Level and Full Accreditation;|
|organisations or individuals providing Certification Authority (CA) or Registration Authority (RA) services; and,|
|products and services to be accredited.|
Public Key Technology
|In a PKT system, a user has two keys: a public key, and a private key. The user may publish the public key freely.|
|The keys operate as inverses giving rise to two results.|
|1||With a private key, a user can decode a message someone else has encrypted with a corresponding public key.|
|2||A user can encrypt a message with a private key, and the message can be revealed only with the corresponding public key.|
|GATEKEEPER is based on the CA technology and policy hierarchy set out in the SAA MP75 document from Standards Australia. The most notable difference is that the GPKA will operate as a policy body only. The GATEKEEPER strategy presumes that a root authority, known as the PARRA will be established as a part of the national electronic authentication infrastructure.|
|The architecture supports three frameworks: authentication, key management (confidentiality) and authorisation.|
|There are significant privacy issues associated with encryption policy and the establishment of a government public key management framework. Privacy protection is of major issue dealt with in the OECD Guidelines.|
|Privacy implications have been addressed in the development of this strategy and an attempt has been made to minimise any adverse privacy impact which might be a result of the recommended framework. Further consideration and debate will be appropriate as the strategy evolves.|
|The Attorney General's Expert Group on Electronic Commerce has finalised a report on the issues pertaining to electronic commerce, including recognition and the legal effect of electronic signatures.|
|The approach taken to managing risk within GATEKEEPER is to identify the most likely and significant risks to the strategy. The following risk identification profile is not exhaustive. It is a reflection of the most significant possible threat events.|
|Risks to the strategy include:|
|commercial failure of an Accredited commercial CA;|
|compromise of the Private key of the CA;|
|compromise of a trusted component of a CA.|
|personal generation of a weak key;|
|third party reliance upon Commonwealth keys;|
|consistency with PARRA strategy; and|
|failure of a CA to reach Full Accreditation status under the GPKA.|
|The risk management control model for GATEKEEPER identifies three risk treatment strategies.|
|risk reduction; and|
|The controls identified include:|
|specific contractual terms in a whole of government head agreement through OGIT;|
|recommended controls through individual agency contracts;|
|licensing arrangements that impose conditions on approved service providers;|
|achievement of Government Endorsed Supplier status;|
|evaluation and certification of technical products through an Australian Industrial Security Evaluation Facility (AISEF) and Defence Signals Directorate (DSD);|
|preparation of contingency plans and disaster recovery plans; and|
|close liaison across government and industry to ensure consistency in approach.|
|The GATEKEEPER strategy supports and enhances existing Government initiatives in the area of industry development. An overview of relevant Government programs is included in the full report.|
|The major recommendations of this report are to:|
|Formally establish the GPKA by May 1998 including the announcement of board members;|
|Formally establish an outsourced GPKA Secretariat by May 1998;|
|Publish a new Australian Communications-Electronic Security Instruction on the use of Public Key Technologies by government;|
|Publish a two stage GPKA accreditation process with at least two entry level accreditations in place by 30 June 1998;|
|Provide a common message on the role and intent of the GPKA to ensure consistency of communicated purpose and safeguards;|
|Assist in ensuring that the use of PKT by agencies is sensitive to privacy concerns and commitments;|
|Commit to a clear distinction in the use and application of PKT into two categories, authentication and key exchange; and|
|Ensure that the GPKI can be subordinated to a Root Certification Authority established under National Public Key Infrastructure (NPKI), for the purpose of cross certification.|
Government Public Key Authority
|Office of Government Information Technology|
|First Assistant Secretary|
|Attorney Generals Department|
|Australian Electrical and Electronic Manufacturers Association Limited|
|A/g First Assistant Commissioner|
|Australian Taxation Office|
|Industry Issues/Government Purchasing Manager|
|Australian Information Industry Association|
|Health Insurance Commission|
|Defence Signals Directorate|
|National Office of the Information Economy|