Position Paper on PKI Governance in Australia
Developed for the Australian IT Security Forum for input into the National Authentication Framework deliberations in 2003.
This paper articulated several critical new positions on PKI governance, many of which were later picked up in the Gatekeeper reforms in 2005-06.
"The main implications of practical PKI experience include the following:
- Certificate usage can be better automated by application software. Since the context of most PKI-enabled applications is rich, software can probably select and invoke the appropriate certificate automatically, without user intervention. This can make the user's experience of PKI and key management more seamless.
- Certificate registration can be streamlined. Because most PKI applications occur within existing business contexts and are governed by existing rules, users should not need to be re-identified from scratch in order to be registered for digital certificates.
- PKI evaluation and accreditation can be streamlined. If PKI accreditation was to explicitly factor in the intended application as part of the target of evaluation, then existing contractual arrangements, liability provisions and regulations that are applicable could be taken into account, to streamline the legal review and reduce the overall accreditation overhead."