Slides for a talk on "PKI: the View from Down Under" given by Ed Bristow at the IWMW 2001 event held at Queen's University Belfast on 25-27 June 2001. See http://www.ukoln.ac.uk/web-focus/events/workshops/webmaster-2001/sessions.html#speaker-4

1. PKI: The View from Down
Under
Presentation to 2001 Institutional Web
Management Workshop
Queen’s University Belfast
Monday 25 June 2001
Ed Bristow, PKI Technical Manager,
Australian Taxation Office

2. Agenda
• Who am I? Why am I here?
• The what, why and wherefore of PKI
• The Australian Scene
• The ATO PKI
• The Future

3. Canberra
•Canberra

4. Some definitions
• PKI - Public Key Infrastructure
– The technology, policies and processes involved in generation,
signing, issue and use of asymmetric ciphers and digital
certificates
• ATO - Australian Taxation Office
• BAS - Business Activity Statement
– Monthly or quarterly business tax report completed by all
Australian businesses
• SSL - Secure Sockets Layer
– Standard for encryption of connection between web server and
browser. Now at Version 3.0.
• S/MIME - Secure Multipurpose Internet Mail Extensions
(RFC 1521)
– A standard for creating securely wrapped messages

5. More Definitions
• OCSP - Online Certificate Status Protocol.
– Standard (RFC 2560) for the checking of a certificate’s revocation
status in real time
• CRL - Certificate revocation list
– List of serial numbers of revoked certificates, published
periodically by CA. Part of X.509 (RFC 2459)
• DMZ - Demilitarised zone.
– Area between outer and inner firewalls where elements of a site’s
security architecture is deployed
• X.500 - Standard for Internet directories
• LDAP - Lightweight Directory Access Protocol
• PKCS - Proprietary (but industry-wide) standards
developed and maintained by RSA Security Inc

6. Why PKI
• E-commerce on the rise
• The Internet is a dangerous place
• The importance of standards
• Digital signatures promise remote, un-
repudiable authentication
• The dream of PKI - certificate once,
authenticate everywhere

7. Key Topics
• Confidentiality
• Authentication
• Authorisation

8. Confidentiality
• Is SSL good enough?
– Data is vulnerable on the server
– Enforce strong cipher suites
• Consider use of S/MIME
– Decryption is done deeper in DMZ
• Need to pay attention to web site design
• Some products don’t support two key pairs

9. Authentication
• What to use?
– User ID & Password
• Simple for users, but have to be administered &
can be cracked
– Shared Secret
• Just how secure is the secret?
• Doesn’t also provide integrity & non-repudiation
– Digital Certificates
• It’s not a trivial decision

10. Authorisation
• The next big challenge
• The unrealised potential of X.500 &
LDAP
• Products starting to emerge
• Active Directory & Kerberos in Windows
2000
• Solutions are policy & directory based
• What’s the degree of fit?

11. Can PKI be made to work?
• It does cost!
• But it does also deliver
• Many standards based components
• But overall solution will need to be
customised
• Native browser based PKI is just not up
to it at present

12. What are the major issues?
• Registration
• Key & Certificate distribution
• End-user application design
• Server side design

13. Registration
• Binds the identity to the public key
• Get this wrong and there’s no point in
worrying about the rest
• Can be logistically difficult (and
expensive)
– Especially with geographically dispersed
population
• Are there opportunities to leverage
another progress?

14. End-User application design
• Native browser, applet or fat client
• What platforms to support?
– Windows & Mac
– IE & Netscape
• How are private keys stored &
accessed
– Smart card (PKCS#11)
– ‘Soft Key’ (PKCS#12)

15. Server Side Design
• Performance
• Availability
• Certificate validation
– OCSP vs CRL
• Do responses need to be signed?
• Accept keys and certificates from
multiple CA’s or just one?

16. Overall
• Assess the value and importance of
transactions
• Threat and risk analysis as first step
• look for leverage opportunities

17. Australia - Land of Contrasts
• Strengths
– Innovative culture
– Early adopters
– Government sector prepared to lead
– Small enough for national solutions to be
viable
– ‘Can do’ attitude

18. Australia - Land of Contrasts
• Weaknesses
– 7 + 2 Governments
– Short electoral cycle
– Small population base
– Geographic Isolation
– ‘Branch Office’ Economy
– Slow telecoms in rural and remote areas
– ‘The Tyranny of Distance’

19. Gatekeeper
• Federal Government has
provided a lead
• Accreditation scheme for CA’s
and RA’s
• Mandated for Federal
government agencies
• Also signed-up to by states (no
mean feat!)
• Cross-recognition of Australian
Identrus CA’s

20. Gatekeeper - Drawbacks
• High barrier to entry
• Onerous accreditation requirements
– ATO completed 33 different documents
– Can be too slow for commercial
requirements
• Focus to date has been on business
– PKI for individuals still some way off
• But Gatekeeper2 is coming ...

21. Gatekeeper - Progress
• ATO was first to achieve full accreditation
• Commercial sector (eSign & Baltimore)
now also fully accredited
• Government-sponsored standard for
certificates
– Contains Australian Business Number (ABN)
– Can be used by businesses to deal with
government at all levels
– Can be issued by any accredited or cross-
recognized CA

22. The ATO
• Main revenue collection authority for
Commonwealth Government
• Collects Income Tax, GST, Excise and
other taxes
• Approx 20,000 Staff
• Facing the ‘electronic challenge’
– Improve services
– Reduce costs
– Change the paradigm of interaction

23. ATO Electronic Initiatives
• Agent lodged Income Tax returns via
X.25 and proprietary s/w since 1991
– Now accounts for > 75% of all returns
• Self-lodged Income Tax returns via pre-
Gatekeeper PKI-enabled ‘e-tax’ system
– Now in 4th year of operation
– Expect 400,000 lodgments this year

24. PKI in the ATO
• First full Gatekeeper accreditation
• Support of tax Reform
– GST (VAT type tax) from 1/7/2001
– New reporting regime for business
• Not our core business!
• 100k certificate pairs issued

25. The ATO PKI Project
• Created and rolled-out an accredited
PKI in less than 9 months
• High pressure project
– Short time frame
– Legislative deadline
– Complex requirements
• Breaking new ground

26. Features
• Rely on business registration process to
feed the RA
– Integrated with legacy (DB2/OS390)
database
• Centrally-generated keys
• Distribution via Internet
• Two key pairs/certificates
– Authentication (Signing)
– Confidentiality (Encryption)

27. Constraints
• Very rapid roll-out required
– 145,000 in first month (achieved)
• Security requirements on certificate
download
• Use Baltimore technology (UniCERT)
• Drop dead deadline (legislative)
• Outsourced infrastructure

28. The Good
• 100,000 sets of keys and certificates distributed in
first year of operation
• 70,000 businesses registered to deal electronically
• Over 500,000 e-BAS’s lodged
• Most find process fairly straightforward
• Businesses appear happy with authentication and
confidentiality provided
• Vastly lower rejection and intervention rates on e-
BAS’s
• Quicker refunds (where payable)

29. The Bad
• Teething problems - rapid roll-out
• Design issues - eg including ATO-specific
data in certificate
• User experience (eg download) still not
satisfactory
• Lack of perceived value to business
• Process to get certificates and e-BAS
complex - plenty of opportunities for
problems
• logistical delays (eg PIC mailer printing)
• Marketing in a saturated environment

30. The Ugly
• Keys and certificates delivered in
browser unfriendly package
• Changes in external S/W (eg IE 5.5
SP1) can have near-catastrophic
effects
• Technical (il)literacy of some users
• Security can have serious effects on
useability
• Data quality (esp. e-mail addresses)

31. Learnings
• Key success factors
– ‘Drop dead’ deadline
– Strong corporate support
– Small, strongly focussed team
– Exploitation of skills and knowledge of partners
• Pay attention to useability
– Otherwise - help desk gets very busy!
• Understand the customer - market
segmentation

32. The Future - Some Questions
• Will PKI become universal, or is it just
too hard?
• Is the Internet too dangerous a place to
do business?
• Can schemes like Gatekeeper ever
really succeed?
• Can anyone make serious money out of
PKI?

33. The Future - Some Answers
• RSA appears to be unassailable - for now
– We can be confident about the technology
• Success of PKI depends on
– Robust and trustable registration processes
– Useful applications - there must be a value
proposition
– Making the technology transparent
• Australian model has significant strengths
– Universal scheme
– Standards based - vendor neutral
– Public-Private sector partnership

34. Links
www.ato.gov.au
www.taxreform.ato.gov.au
www.ato-pki.ato.gov.au
www.govonline.gov.au
www.baltimore.com
www.esign.com.au
www.identrus.com

35. Thank You