The government is about to publish draft guidelines on what to look for in a digital certifcation authority but won't go as far as accrediting them, as the Australian government is doing.
Last month the Australian federal government accredited Baltimore Technologies as a trusted third-party supplier of PKI - public key infrastructure - also known as a certification authority. PKI companies provide digital certificates for authenticating senders and receivers of electronic transmissions and public and private keys for encrypting transmissions.
Baltimore is the first company to be accredited under the Australian government’s Gatekeeper initiative. It supplies PKI technology to New Zealand’s certification authorities - Baycorp ID Services and PricewaterhouseCooper’s beTRUSTed - which bundle it with other security services and sell them to New Zealand organisations wanting security in their electronic transactions.
Baltimore business development manager Mike Jeffries says governments have a role to play in establishing which third-party suppliers of these certificates and keys can be trusted. He says providing technology is 30% of the task of a PKI provider, the other 70% is about building trust.
However, the New Zealand government is not considering a formal accreditation programme, says the senior adviser to the State Service Commission's e-government unit, Brendan Kelly.
“There are reputable commercial suppliers of digital certificates. We don’t believe they require a government guarantee or that the government should acquire that risk.”
Kelly says the government is using digital certificates supplied by commercial suppliers and anticipates greater use within the next two years. He says the State Services Commission has been investing in PKI as part of the secure email See project and the e-government unit will publish a draft of guidelines for use of PKI within government in the next few weeks. The public consultation document will be at either www.govt.nz or www.ssc.govt.nz. Kelly says the guidelines will cover what is needed in a relationship with a PKI supplier and how to deploy PKI.
Baycorp ID Services managing director David Young says being selected by a New Zealand government agency provides a de facto recognition of trustworthiness in the commercial market, but he supports the government’s cautious approach because countries are setting up their own accreditation standards and it's better to wait and see what happens overall.
“It doesn’t pay to be a market leader in this. Australia is a lot bigger than New Zealand and has more influence in Asia-Pacific in e-commerce but it doesn’t make sense for us to be out there developing certificate authority standards.”
Young says the Australian government Gatekeeper standard is almost de facto in place in New Zealand anyway.
“When we designed our certification authority we were very aware that there are government-to-government transactions between the Australian and New Zealand governments so we built our certification authority based on Gatekeeper standards.