Strategies for the Implementation of a Public Key Authentication Framework (PKAF) in Australia

Table of contents and executive summary from Standards Australia publication SAA MP75-1996

Provided on the web by the ACS, with permission from Standards Ausralia, for the talk Encryption & Electronic Commerce in Australia, by Tom Worthington, President of the Australian Computer Society, 4pm, Friday 22 November 1996, Room TP4, The Computer Laboratory, University of Cambridge, UK.

Strategies for the Implementation of a Public Key Authentication Framework (PKAF) in Australia

SAA MP75-1996

ABSTRACT

As electronic commerce becomes commonplace, there is a growing need for users to ensure that electronic transactions can be validated. Compatible national and international systems of `digital signatures` are necessary for the introduction of secure electronic commerce.

Standards Australia formed the Public Key Authentication Framework (PKAF) Task Group to examine all options for operating a national system for the creation and management of digital signatures as well as being compatible with systems in other countries.

This strategy report describes issues and recommendations relevant to Australia's businesses and government operations, and also addresses compatibility issues between organizations and private citizens (both locally and internationally).

Policy and legal issues are also canvassed.

TABLE OF CONTENTS

1	INTRODUCTION	 12
	1.1	Background	 12
	1.2	Purpose of a Public Key Authentication Framework	 12
	1.3	Scope of the Public Key Authentication Framework (PKAF)	 13
	1.4	Standards	 13
2	TERMINOLOGY	 15
	2.1	Certificate	 15
	2.2	Certification Authority (CA)	 15
	2.3	Certification Block	 15
	2.4	Digital Signature	 16
	2.5	Digitized Signature	 16
	2.6	Distinguished Name	 16
	2.7	Intermediate Certification Authority (ICA)	 16
	2.8	Organizational Registration Authority (ORA)	 16
	2.9	Policy and Root Registration Authority (PARRA)	 16
	2.10	Public Key Authentication Framework (PKAF)	 17
	2.11	PKAF Infrastructure	 17
	2.12	Revocation of Certificate	 17
	2.13	Trusted	 17
	2.14	Trustedness	 17
	2.15	Valid Certificate	 18
3	PKAF REQUIREMENTS	 19
	3.1	Summary of Key PKAF Requirements	 19
		3.1.1	User Authentication	 19
		3.1.2	Certification Policies	 19
		3.1.3	Certification Practice Statements	 19
		3.1.4	Trusted Certification Authority	 19
		3.1.5	Multiple Certificates	 20
		3.1.6	Certificate Revocation Lists	 20
		3.1.7	Services of CA	 21
	3.2	General Infrastructure Requirements	 21
		3.2.1	Trust	 21
		3.2.2	Interoperability	 22
		3.2.3	Naming Convention	 22
		3.2.4	Scalability	 22
		3.2.5	Flexibility	 23
		3.2.6	Archiving	 23
	3.3	Key Generation and Management	 23
		3.3.1	Certified Key Generation	 24
		3.3.2	Secure Key Generation and Key Management	 25
		3.3.3	Key Backup	 25
		3.3.4	Initiating Revocation	 25
		3.3.5	Notice of Revocation	 25
		3.3.6	Presumptions in Adjudications	 25
	3.4	Certification Authority (CA) Requirements (applicable

		to PARRA, ICA, ORA)	 26
		3.4.1	Level of Trust	 26
		3.4.2	Availability	 26
		3.4.3	Services and Functions	 26
				3.4.3.1	User Authentication	 27
				3.4.3.2	Certificate Generation	 27
				3.4.3.3	Certificate Distribution	 27
				3.4.3.4	Certificate Storage and Retrieval	 28
				3.4.3.5	Certificate Revocation Request	 28
				3.4.3.6	CRL Generation and Maintenance	 28
				3.4.3.7	CRL Distribution	 29
				3.4.3.8	CRL Storage and Retrieval	 29
		3.4.4	Auditing	 29
		3.4.5	Archiving	 29
	3.5	Organizational Registration Authority (ORA) Requirements	 30
		3.5.1	Level of Trust	 30
		3.5.2	Availability	 30
		3.5.3	Services and Functions	 30
				3.5.3.1	User Verification and Authentication	 30
				3.5.3.2	Certification Request	 31
				3.5.3.3	Certificate Receipt	 31
				3.5.3.4	Delivery of New Certificate	 31
				3.5.3.5	Certificate Revocation Request	 31
				3.5.3.6	Auditing	 32
				3.5.3.7	Archiving	 32
	3.6	Information Services	 32
		3.6.1	Information	 32
		3.6.2	Revoked Certificates	 32
		3.6.3	Current Certificates	 32
	3.7	Certificates	 33
		3.7.1	Personal Certificates	 33
		3.7.2	Multiple Certificates	 33
		3.7.3	Role-based Certificates	 33
		3.7.4	Anonymous Certificates	 33
		3.7.5	CA Certificates	 34
		3.7.6	Certificate Format	 34
	3.8	Certificate Revocation List	 34
	3.9	Users	 35
		3.9.1	Applications as Users	 35
		3.9.2	Unlisted Entities	 35
4	POLICIES	 36
	4.1	Public Key Authentication Framework (PKAF)	 36
	4.2	Presumptions in Adjudications	 36
	4.3	Availability of the Certificate	 36
	4.4	Certificate	 37
	4.5	Valid Certificate	 37
	4.6	Certificate Effective and Expiration Dates	 38
	4.7	Certificate Revocation	 38
	4.8	Initiating Revocation	 38
	4.9	Notice of Revocation	 38
	4.10	Revocation of Certificate	 39
	4.11	Certification Authority's Representations in Certificate	 39
	4.12	Certification Authority's Responsibilities	 39
	4.13	Employees and Contractors	 40
	4.14	Generating the Key Pair	 40
	4.15	Security	 40
	4.16	User Representations	 40
	4.17	Records	 41
	4.18	Safeguarding Private Keys	41
	4.19	User Responsibilities	 41
	4.20	Integrity and Retention	 42
	4.21	Liability	 42
	4.22	Liability Policy	 44

5	CONSIDERED STRUCTURES FOR PKAF ELEMENTS	 45
	5.1	Architectural Options	 45
		5.1.1	Architectural Option (a)	 45
		5.1.2	Architectural Option (b)	 46
		5.1.3	Architectural Option (c)	 47
		5.1.4	Comparison of Architectural Options	 47
	5.2	Preferred Option	 48
	5.3	Objective of the Preferred Option	 49
6	COMPOSITION, ROLES AND FUNCTIONS OF THE PREFERRED STRUCTURE	 51
	6.1	Policy and Root Registration Authority (PARRA)	 54
		6.1.1	PARRA Composition	 54
		6.1.2	PARRA Role	 54
		6.1.3	PARRA Functions	 55
		6.1.4	PARRA Process	 56
	6.2	Intermediate Certification Authorities (ICA)	 56
		6.2.1	ICA Composition	 56
		6.2.2	ICA Examples	 58
		6.2.3	ICA Role	 61
		6.2.4	ICA Functions	 62
		6.2.5	ICA Process	 63
	6.3	Organizational Certification Authorities (OCA)	 64
		6.3.1	OCA Composition	 64
		6.3.2	OCA Examples	 65
		6.3.3	OCA Role	 67
		6.3.4	OCA Functions	 67
		6.3.5	OCA Process	 67
	6.4	Organizational Registration Authorities (ORA)	 67
		6.4.1	ORA Composition	 68
		6.4.2	ORA Examples	 69
		6.4.3	ORA Role	 70
		6.4.4	ORA Functions	 70
		6.4.5	ORA Process	 70
	6.5	Consolidated Proposed PKAF Structure	 71
APPENDIX A:	RECOMMENDED STANDARDS	 73
	A.1	Primary PKAF Standard	 73
	A.2	Practices and Procedures	 73
		A.2.1	Procedures for the Operation of a Policy and

				Root Registration Authority	 73
		A.2.2	Procedures for the Operation of a Certification Author	74
	A.3	Additional PKAF Standards	 74
		A.3.1	Guidelines for Key Management	 74
		A.3.2	Guidelines for Identification of People and Entities	 74
APPENDIX B:	GUIDELINES FOR STANDARDS	 75
	B.1	Procedures for the Operation of a Certification Authority	 75
		B.1.1	Functions	 75
		B.1.2	Operational Requirements	 75
		B.1.3	Technical Requirements	 76
				B.1.3.1	Certificate Management Services	 76
				B.1.3.2	Alert Management Services	 76
				B.1.3.3	Protection of Private Digital Signature Keys	 76
	B.2	Guidelines for Certification Authorities	 77
APPENDIX C:	LEGAL ISSUES 70	 78
	C.1	Introduction	 78
	C.2	Giving Legal Effect	 78
	C.3	The PKAF Framework	 79
	C.4	Overseas Reciprocal Arrangements	 80
	C.5	Legal Material	 81
	C.6	Fulfilment of Signature Requirements	 81
APPENDIX D:	RELEVANT STANDARDS	 82
APPENDIX E:	TUTORIAL ON DIGITAL SIGNATURES	 85
APPENDIX F:	THREATS AND REQUIREMENTS	 86
	F.1	Theft	 86
	F.2	Contract Negotiation and Signing	 86
APPENDIX G:	MEMBERSHIP OF THE PUBLIC KEY AUTHENTICATION
				FRAMEWORK TASK GROUP	 87

EXECUTIVE SUMMARY

Today's corporate and government communications environment is rapidly changing. Solutions to problems must cover:

This report recommends a single purpose national framework for a national infrastructure that will enable strong authentication of users involved in electronic transactions. The system will provide for the unequivocal identification of an individual or entity (authentication). It does not provide specific assistance for a user who wishes to use encryption to reduce or prevent unauthorized access to data or information. This is in line with activities, both in Australia and overseas, to separate authentication techniques from encryption techniques.

The problem faced by corporations and governments is providing an infrastructure that will provide the necessary service and enable benefits to be gained. Public/private key cryptography is widely recognized as the enabling technology for authentication within a globally dispersed environment. This technology exists today. There is also a need to provide for supporting legislation, the establishment of trusted infrastructure services and the education of users and potential users.

The recommendations for this strategy are:

  1. that a single national root authority be established in Australia, empowered to establish the framework for interoperation and cross-certification with other recognized national root authorities, in accordance with Section 6;
  2. that the root authority accredit certification authorities which comply with the established framework of common policies, procedures and technologies;
  3. that the PKAF requirements described in Section 3 be incorporated in the establishment brief of the root authority; and
  4. that the necessary technical standards to support the PKAF structure be identified or developed and adopted, using internationally agreed standards where available.
The full report SAA MP75-1996 is available from Standards Australia for A$21 (Fax: +61 2 9746 3333, e-mail: lim@saa.sa.telememo.au). Credit Card payments by Bankcard, Mastercard, Visa or American Express. The delivery charge to Europe is A$30, or order through your local national standards body.

See also