Lockstep

Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

The importance of PKI today

An international update published in "China Communications" Dec 2005

Paper attached below. See also http://www.china-cic.org.cn/english/digital%20library/200512/3.pdf

ABSTRACT

Public Key Infrastructure around the world has had mixed success over the past ten years. Some jurisdictions (like Australia and the USA) have been left largely disillusioned by the hype, while others (like China and Korea) see PKI as indispensable infrastructure for e-business. The typical situation around Asia is that PKI is highly desirable but difficult and/or costly to implement. Regulators tend to be especially confused about their proper role; government PKI licensing programs in places like Singapore, Hong Kong SAR and Australia are not in high demand.

This paper presents an update on the PKI business internationally, with a special focus on the role of governments. It then offers a new "plain speaking" description of the business benefits of PKI, intended to inform government policy reform.

Please note that this paper assumes that the reader is somewhat familiar with PKI concepts. This is not a paper for PKI beginners.

PKI in plain language

A smartcard plus special application software combine to produce digital signature codes for electronic transactions. Unlike any other electronic signature method, digital signature codes are unique to the owner and also to each transaction. Digital signatures operate as if a personalised electronic stamping machine were inside each smartcard, creating a specific ‘mark’ on each message or file created by the card holder. Digital signatures remain valid indefinitely; that is, at any time in the future, the ‘mark’ can be easily verified to prove its origins.

Digital certificates are electronic notices that bind individuals to smartcards and thence to transactions signed using their smartcards. A digital certificate can identify the card holder and can also hold any other information about the holder that the issuer is qualified to declare. If the issuer is authoritative over information such as professional credentials, then that information can be sealed within its digital certificates and thus bound to each card holder.

To process digitally signed transactions, the receiver’s software requires a copy of the sender’s certificate, plus a special “master code” – known as a root certificate – which is used to mathematically validate all certificates in a given PKI scheme. Different master codes define different PKI schemes, be they sector-specific, national or general purpose such as SSL website authentication. Application software can ship with all necessary master codes, or can have them installed later.
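As an added illustration of the plain-language description above (this is example code written for this page, not code from the paper or from Lockstep), the following Go program models a scheme's self-signed root ("master code"), a certificate binding a card holder and a credential to a signing key, the per-transaction "mark", and the receiver's two checks: the chain back to the root and the signature over the message. It uses only Go's standard x509 and ecdsa packages; the holder names and the credential are constructed sample values, and the credential is carried in the OrganizationalUnit field purely as a stand-in for whatever attribute an authoritative issuer would seal in.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Holder is a card holder (or a CA) with its certificate and the matching private key.
type Holder struct{ Cert *x509.Certificate; Key *ecdsa.PrivateKey }

// newHolder generates a key pair and a certificate binding name, plus any credentials the
// issuer vouches for, to that key. With issuer == nil the certificate is self-signed: a root.
func newHolder(name string, credentials []string, issuer *Holder) *Holder {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name, OrganizationalUnit: credentials},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	} else {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	cert, _ := x509.ParseCertificate(der)
	return &Holder{Cert: cert, Key: key}
}

// Sign produces the holder's per-transaction "mark" over msg.
func (h *Holder) Sign(msg []byte) []byte {
	digest := sha256.Sum256(msg)
	sig, _ := ecdsa.SignASN1(rand.Reader, h.Key, digest[:])
	return sig
}

// Verify is the receiver's check: the sender's certificate must chain to the scheme's
// root ("master code"), and the mark must match msg under the key in that certificate.
func Verify(root, sender *x509.Certificate, msg, sig []byte) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := sender.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return false
	}
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(sender.PublicKey.(*ecdsa.PublicKey), digest[:], sig)
}
```

A certificate issued under one root fails verification against another root, which is what makes different "master codes" define different schemes.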

Digital certificates can be electronically revoked at any time. Revocation may be requested by the holder in the event that they lose their smartcard. Alternatively, revocation of a professional’s certificate may follow automatically from their membership lapsing or their qualifications being cancelled.