Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

Position Statement on PKI of the Australian Security Industry

Prepared for the Australian IT Security Forum, November 2003. "Our vision has been developed through extensive dialogue with users and with government. The position is deeply informed by practical experience of some of the world's largest and most effective PKI rollouts. We present here the major implications of this experience for systems integration, PKI regulation and cross-border interoperability."

The overwhelming experience of PKI in practice is that it delivers most value when used for automating paperless routine transactions between parties who have an existing business relationship. In the best PKI applications, parties tend to deal with one another in a well-defined formal context. They tend to operate under existing terms and conditions, with contracted or legislated liability arrangements. There is usually a recognised authority over the domain of the transactions, which can take responsibility for registered digital certificate holders. Current examples include e-health, customs, taxation reporting and business banking. It is likely that PKI will be taken up similarly in the near future for higher education, electronic conveyancing and drivers' licensing. We can describe this model as "Scheme-based PKI".

Scheme-based PKI means that we should expect the deployment of multiple digital certificates in various forms, tightly coupled with (or embedded in) specific types of applications. Different digital certificates would be issued and used under specific conditions; registration processes can be streamlined for different user communities; subscriber agreements can be folded into existing user agreements.