The Australian Government Information Management Office Archive
The content on this page and other AGIMO archive pages is provided to assist research and may contain references to activities or policies that have no current application. See the full archive disclaimer.
ESTABLISHMENT OF A NATIONAL AUTHENTICATION AUTHORITY
A Discussion Paper
19 August 1998
TABLE OF CONTENTS
Introduction
Recent Developments, Reports and Consultations
Standards Australia Report MP75
The National Public Key Infrastructure (NPKI) Working Group
Industry Consultations
The Government Public Key Authority
Attorney-General's Expert Group on Electronic Commerce (ECEG)
The Victorian Government's Electronic Commerce Framework Bill and Electronic Signature Recognition Body
The Current Australian Market
Open Systems -v- Closed Systems
Future Market Directions
Government Facilitation
The Way Forward
A National Authentication Authority (NAA)
Proposed Functions and Operations of the NAA
Comments on this Discussion Paper
INTRODUCTION
The ability to prove (authenticate) the identity of parties to electronic communications or transactions is a necessary precondition to the expansion of widespread use of online communications services, for government, industry and individuals, domestically and internationally, particularly in open networks such as the Internet. Authentication not only provides corresponding parties with certainty in each other's identities, but can also give assurance of the integrity of electronic data used, and provide a means of ensuring non-repudiation of electronic transactions, undertakings or documents.
Throughout the world, authentication products and systems are at an early stage of development. Many businesses are developing public key authentication products, and/or are positioning themselves to become certification authorities (CAs), to take advantage of the growing market for security and authentication in online communications.
As these products and services develop, a range of technical and other standards and legal issues will need to be resolved by industry and governments, both in the international arena and domestically. Key issues for users of authentication services (including governments, industry and individuals) will be reliability of certification products and services, trustworthiness of CAs, interoperability (to ensure certificates have wide recognition), liability, dispute resolution and fraud.
The market is presently characterised by a variety of different products and services offering differing levels of reliability or trust, depending on particular market requirements. While this may have advantages in terms of competition, there is a risk that the widespread adoption of electronic commerce technologies could be hampered by confusion generated by the range of different authentication services, uncertainty over which products should be used in which situations, and a lack of trust in the security, reliability and enforceability of particular certification systems.
The Government's approach to electronic commerce generally recognises that the market will be the driving force behind the development of new technologies and that the potential for cost efficiencies or enhanced revenues will encourage the widespread adoption of these technologies throughout all industry sectors. However, as the market is currently in a very immature developmental stage, there may be a role for government, at least initially, in the promotion of consumer and business confidence in electronic commerce technologies to enhance the development of this market. This discussion paper identifies a possible approach for government to the promotion of consumer and business confidence and the issues that need to be considered. Public comment on this approach is invited.
RECENT DEVELOPMENTS, REPORTS AND CONSULTATIONS
Standards Australia Report MP75 - Strategies for the Implementation of a Public Key Authentication Framework (PKAF) in Australia
This report, published in late 1996, was the first step in the process of examining the nature of an online authentication market in Australia. The Standards Australia task group, comprising industry and government representatives, recommended the establishment of a hierarchical national framework, overseen by a peak body that would determine policy, accredit subordinate organisations and operate a root registration authority.
The authentication technology used would be based on public key cryptography, with public/private key pairs issued by the accredited subordinate organisations (known as certification authorities or CAs). The network of accredited CAs together with a peak body would form the Public Key Authentication Framework. The establishment of this framework also required the development of a number of agreed, formal standards.
The National Public Key Infrastructure (NPKI) Working Group
On 14 October 1997, the National Office for the Information Economy (NOIE) convened the National Public Key Infrastructure (NPKI) Working Group, comprising industry and government representatives, to develop a detailed specification for a peak body to oversee the development of a national user authentication framework. The Working Group completed its report in April 1998. The Working Group was chaired by Mr David Jonas of ETC Electronic Trading Concepts.
The Working Group recommended the establishment of a government-funded peak body to establish a formal national public key infrastructure, based essentially on the model described in the Standards Australia report. Resourcing, membership and corporate structure would still need to be determined (but were expected to require approximately $1.3m pa.). The report also recommended that the establishment of a national root authority should be examined at the earliest opportunity. The full report, including membership, terms of reference and recommendations, can be found at <http://www.noie.gov.au/reports/npki>.
Industry Consultations
ETC Electronic Trading Concepts undertook wide-ranging consultations with industry and users as part of its role in supporting the NPKI Working Group. These consultations indicate that there is a wide range of differing views on key aspects of establishing a public key authentication framework, particularly on the role for government. There was not unanimous support for the Working Party's recommendations.
The Government Public Key Authority
The Commonwealth Government has established its own peak body under the GATEKEEPER initiative, known as the Government Public Key Authority (GPKA), for authentication requirements within government and with government clients.
The GPKA, comprising industry and government representatives, is responsible for overseeing the use of public key technology in government, the application of standards and the evaluation of authentication technologies and service providers.
The GATEKEEPER initiative is an authentication framework based broadly on the model described in the Standards Australia Report MP75 - Strategies for the Implementation of a Public Key Authentication Framework (PKAF) in Australia. Further information about GATEKEEPER and the GPKA can be found at <http://www.dcita.gov.au/nsapi-text/?MIval=dca_dispdoc&ID=4172> and <http://www.gpka.gov.au/>.
The Attorney-General's Expert Group on Electronic Commerce (ECEG)
The Electronic Commerce Expert Group (ECEG) convened by the Attorney-General presented its report to the Attorney-General on 31 March 1998. The Expert Group found that Australia's legal system provides the certainty necessary for online commerce; however, some modifications will be necessary to take account of technological changes.
The report recommended that amendments to legislation support the following two principles: functional equivalence - which means that, as far as possible, paper based commerce and electronic commerce should be treated equally by the law; and technology neutrality - which means that the law should not discriminate between forms of technology. The report also recommends that the Commonwealth enact only minimal electronic commerce legislation necessary to give legal effect to electronic signatures and to remove uncertainty and existing legal obstacles to the use of electronic commerce.
Importantly, the report argues against a detailed legislative regime which specifies an operating framework or the use of particular technologies, rejecting the use of legal devices which have been used in other countries to support an NPKI, such as liability limitations for CAs and legal advantage for electronic signatures issued under an NPKI. Without legislated liability limitations for CAs and legal advantage for electronic signatures issued under an NPKI, the attractiveness for CAs of a formal NPKI framework is questionable.
The Attorney-General recently announced that the Government has decided to develop a uniform model law, based upon the Model Law on Electronic Commerce developed by the United Nations Commission on International Trade Law (UNCITRAL), to remove legal impediments to electronic commerce, for enactment in all Australian jurisdictions. The legislation will be based on the recommendations of the ECEG and will be developed in consultation with the States and Territories through the Standing Committee of Attorneys-General. The ECEG report can be accessed at <http://law.gov.au/aghome/advisory/eceg/Welcome.html> and the Attorney-General's announcement is at <http://law.gov.au/aghome/agnews/1998newsag/450_98.htm>.
The Victorian Government's Electronic Commerce Framework Bill and Electronic Signature Recognition Body
In July 1998, the Victorian Government published a discussion paper explaining its proposed Electronic Commerce Framework Bill. The Victorian approach is similar to that recommended by the Attorney-General's ECEG, i.e. minimalist legislation based on the principles of 'functional equivalence' and 'technological neutrality'. The Victorians are also proposing to establish an "Electronic Signature Recognition Body" (ESRB) as an adjunct to their proposed Electronic Commerce Framework Act. The ESRB would recognise relevant standards and codes of practice and accord a 'trust mark' to best practice organisations.
The ESRB would recommend such standards and codes to the Minister, for approval and publication by the Victorian Government. These arrangements are expected to promote awareness and raise the levels of public and business confidence in electronic commerce. Further information on the Victorian initiative can be found at the Victorian Government website at <http://www.mmv.vic.gov.au/>.
THE CURRENT AUSTRALIAN MARKET
The Australian authentication market reflects the international market which is at a very early stage in its development and is characterised by a moderate number of domestic and foreign commercial players of varying size and market share, developing and marketing a range of products and services. This market is also characterised by a dichotomy of approaches to the need for interoperability between market segments.
Open Systems -v- Closed Systems
An 'open' system is one where consumers obtain a single certificate which attests to their identity from a third party certification authority, and use the same certificate in transactions with potentially numerous other parties. In such an environment, a user of online services might go through a single authentication process (akin to the one hundred point check required to open a bank account) with a trusted third party, receive certification of his/her public key, and then be able to enter into electronic transactions/data exchanges with merchants, governments, banks, etc., thus using the same certificate and key pair for multiple purposes.
A 'closed' system is one where a contract or a series of contracts identifies and defines the rights and responsibilities of all parties to a particular transaction, or where the certificates are used only within a known, bounded context. Examples of usage of certificates in a closed PKI include a government PKI (i.e. where a certificate is used only in transactions between the government and citizens of a country) and SET (where the certificate is used only within the payments system).
Until very recent times, most commercial development focussed on the 'open systems' model, as it was perceived to have the very desirable properties of general interoperability between systems, minimal user inconvenience and a highly competitive products and services market. However, the difficulties associated with developing formal international standards and resolving liability issues in a rapidly developing market have seen greater industry development and use of 'closed systems' as more commercially viable business arrangements.
Future Market Directions
The authentication market (both domestic and international) is complex, with a variety of user needs requiring a range of different solutions. A likely future direction of the market's development is towards an environment comprising a number of open, closed and semi-closed systems, relying on a variety of technical standards and distinguished on the basis of the purpose of the transaction. For example, an authentication system for financial (or related) transactions might be administered by, or for, the financial services industry (e.g. SET). A major proportion of online transactions will be of a financial nature. As financial institutions already have the necessary identification and transactions infrastructure in place through account keeping processes, an authentication system for the financial services industry is likely to be a significant part of the Australian market.
Systems for non-financial transactions could be administered by, or for, relevant peak bodies in other sectors such as government, health care, insurance, transport etc. It is also likely that third parties will seek to rely on authentication provided under various systems, generating a degree of interoperability.
Government Facilitation
The variety of authentication products and services, standards and systems which are likely to be a feature of the Australian electronic commerce marketplace (at least in the short term) is likely to create some confusion and uncertainty as to the reliability and acceptance of these technologies among potential users. A lack of consumer and business confidence in the use of electronic commerce will be a significant constraint to the widespread uptake of these technologies, postponing the realisation of the many potential benefits that the use of electronic commerce will provide for individual consumers and SMEs. In this light, the development of the market will benefit substantially from government action designed to promote business and consumer confidence.
THE WAY FORWARD
A National Authentication Authority
The Government is considering the establishment of a National Authentication Authority (NAA) to facilitate the uptake of authentication and electronic commerce technologies by increasing consumer and business confidence in their use. The NAA would have some similarities to a peak body, as described in the Standards Australia and NPKI Working Group reports, but would not perform all of its functions or be an integral part of an authentication infrastructure.
The NAA would aim to reassure consumers and industry, through:
- according a 'quality label' to best practice organisations and systems;
- endorsing industry developed codes of practice;
- recognising relevant industry standards; and
- raising awareness of authentication technologies.
In this new and technically complex area, the NAA would provide independent reassurance that providers of authentication services meet international best practice standards, but in a way that does not constrain the market in its search for viable technologies and business models. The incentive for businesses to have themselves and/or their systems and/or their technologies approved by the NAA would be increased user acceptance and increased marketability.
Proposed Functions and Operations of the NAA
The establishment of such a body raises many issues associated with possible functions and operations and the nature of its administrative structure. This discussion paper and feedback on it from interested parties is an important component of the Government's consideration of a National Authentication Authority. Feedback is invited on the following range of issues.
1. The role and functions of the NAA - In addition to the functions described above, the NAA may also monitor the operation and development of the national authentication market; promote the interoperability of authentication products; and provide advice to consumers, industry and Government on products, services and market development.
Proposal: That the functions of the NAA be:
- according a 'quality label' to best practice organisations and systems;
- endorsing industry developed codes of practice;
- recognising relevant industry standards; and
- raising awareness of authentication technologies.
2. The corporate structure - There are a number of options for the corporate structure of the NAA, including: a non-government incorporated body; a government business enterprise or statutory authority; or a cooperative non-profit organisation. It is possible that a body of this nature may only be needed for a limited time, or that once the industry develops further, the NAA could become a fully industry-owned and operated body. The establishment of the NAA should reflect these possibilities.
Proposal: That the NAA be structured as an incorporated body.
3. Resource requirements - The NAA will require administrative support staff and some physical infrastructure. The NPKI Working Group Report concluded that full industry funding for a similar body was unlikely in the short term. Establishment of an NAA will therefore require the Government to contribute some seed funding. The precise level of seed funding will need to be based on a detailed specification of the NAA's roles and functions and an appropriate business model which addresses the costs of establishing and operating the NAA. In the longer term, whether there is an ongoing need for such a body will be reflected in whether a self-sustaining business case can ultimately be found.
Proposal: That the Commonwealth Government provide seed funding in the order of $2 million per annum for the first few years, but that this funding then be phased out; and that the long-term requirement for, and funding of, an NAA be a matter for the industry.
4. Representation on the NAA - The NAA will need to represent the interests of a variety of stakeholders in a balanced way. The board of the company will need to represent suppliers of authentication services, representatives of consumer users, business users of authentication services and/or their representatives, standards development bodies, industry peak bodies, independent technical expertise, and government users and policy makers.
Proposal: That the NAA board be comprised as follows:
- two representatives of CAs
- two consumer representatives
- two business sector representatives
- two Commonwealth Government representatives
- one State Government representative
- one representative of standards setting organisations
- two independent members with technical expertise
5. The adoption of relevant standards - Technical and other standards will need to be identified against which the NAA can evaluate products, services and organisations. A variety of standards exist or are being developed in this area, both by Standards Australia and the International Standards Organisation (ISO). The information economy presents new challenges in the area of standards, in particular the speed and the way in which standards are developed. For example, a standard developed by one company can very quickly become widely accepted.
Proposal: That the standards and codes of practice to be approved by the NAA be a matter for the board, subject to the requirement that a broad view be taken by the board about the appropriate sources of standards.
6. Other issues - Other issues to be considered include the identification of possible mechanisms for overseeing the work of the NAA and ensuring its integrity; evaluating the effectiveness of the operations of the NAA; and examining the nature of any relationships with other government, industry or consumer bodies. Should the NAA be established as a private company, some of these matters will be influenced by the ownership of the NAA.
Proposal: Feedback on any other relevant matters is sought.
COMMENTS ON THIS DISCUSSION PAPER
Comments provided on this Discussion Paper will be an important input to the establishment of the National Authentication Authority. Submissions will need to be provided by 7 September 1998. Those wishing to comment on the issues raised in this document should write to:
General Manager, Legal and Regulatory
National Office for the Information Economy
Locked Bag 8461
CANBERRA ACT 2601
or Email: naa@noie.gov.au
