eGovernment Resource Centre - Victoria, Australia

Authentication, digital signatures and PKI issues - Part 1 - Archive


Argentina Digital Signature Law - This site, provided by the Argentinean Government, gives information about the Law of Digital Signature, which was promulgated in December 2001. It also explains how to obtain a digital certificate. The site is in Spanish and English.

Canada

Electronic Authentication. Industry Canada, 22 April 2004. "Authentication is a process that attests to the attributes of participants in an electronic communication or to the integrity of the communication. All Canadians - individuals, businesses, and governments - share an interest in ensuring that electronic communications are secure..."

  • Lucienne Robillard Launches Electronic Authentication Principles. OTTAWA, Canada News Wire, May 13, 2004 -- "The Honourable Lucienne Robillard, Minister of Industry and Minister responsible for the Economic Development Agency of Canada for the Regions of Quebec, today announced the Government of Canada's latest action to build trust in a digital environment in the 21st century economy with the launch of Principles for Electronic Authentication..."

Center for Democracy and Technology - Authentication Privacy Principles Working Group, July 14, 2003. "Interest in authentication systems has increased dramatically over the last two years. But widespread adoption of the technologies will only occur if individuals trust that strong privacy and security protections have been built into authentication systems..."

The Digital Object Identifier System - is an identification system for intellectual property in the digital environment. Developed by the International DOI Foundation on behalf of the publishing industry, its goals are to provide a framework for managing intellectual content, link customers with publishers, facilitate electronic commerce, and enable automated copyright management.

Digital Watermarking

States try digital watermarking, By Brian Robinson. Government e-Business, May 30, 2003. "Vermont and New Jersey are the first states to consider using digital watermarking to secure driver's licenses -- something that's become a matter of urgency in the wake of a nationwide explosion of identity theft..."

Electronic Government: Towards New Forms of Authentication, Citizenship and Governance, by Miriam Lips (OII), John Taylor (Caledonian Business School & OII) & Joe Organ (OII) - Oxford Internet Institute (OII) - in pdf format. (This document requires the use of Adobe Acrobat Reader) (113kb) "This paper is grounded in empirical work derived from an ESRC-sponsored research project conducted by the authors and based at the Oxford Internet Institute (OII), entitled 'Personal Identification and Identity Management in New Modes of e-Government' (reference: RES-341-25-0028)..."

Email Authentication

Authentication Is No Longer Optional, By Kirill Popov and Loren McDonald Clickz, July 7, 2004. "E-mail authentication services have arrived, and they're taking hold fast. Both the Federal Trade Commission (FTC) and the Anti-Spam Technical Alliance (ASTA) of companies such as Microsoft, Yahoo!, EarthLink, and AOL have made their positions clear: The next major step in the coordinated war on spam must address the fraud-prone nature of current e-mail technology..."

E-mail sender authentication: It works but doesn’t stop spam, By William Jackson. Government Computer News, 31 August 2004. "A growing number of companies are using e-mail authentication protocols to help verify the Internet domain in an e-mail sender’s address, but that is not keeping spam out of mailboxes..."

E-mail authentication: Cost, standards remain problems, by Grant Gross. IDG News Service, 11 November 2004. "E-mail authentication can help fight the growing spam e-mail problem, but vendors need to come up with a single, open standard to avoid confusion and crippling costs for small ISPs (Internet service providers), participants in a U.S. government summit said Wednesday..."

Europe

Articles

  • EEMA unifies EU member states on e-Sig directive - EEMA (the European forum for electronic business) will bring together legal experts from more than 18 European countries at the QEII conference centre in London on September 25 to compare the differing interpretations and states of implementation of the European Electronic Signatures Directive, which should have been introduced into the law of each European country by July 19 2001.
    • The European Electronic Signature Directive was introduced by the European Commission to ensure that electronic signatures (every kind of electronic authentication attached to, or logically associated with other electronic data) should be able to have the same legal validity as a hand-written signature. This could include biometric authentication, Message Authentication Codes (MAC), public key authentication schemes and even the typed name at the end of an e-mail. The resulting 'qualified' electronic signature needs to be based on a certificate that meets specific requirements and has to be generated with a secure signature-creation device. [pdf] (124kb) (To view this document you will need to have Acrobat Reader installed on your computer)
  • Digital signatures set for Europe. Europemedia, 15 August 2002. "Digital signatures will have legal recognition throughout Europe from next month...."
  • E-signature law may take years to be accepted. Europemedia, 2 September 2002. "The recently introduced E-signature law will do little to change prevailing business practices and it may be years before it is accepted by consumers and businesses, according to a report by the Warsaw Business Journal...."
  • Substantial progress identified in e-ID projects across Europe. eGovernment News – 19 June 2003 – EU & Europe-wide – e-Identification. "The largest-ever expert meeting on the subject of electronic identity in Europe took place in Oslo (Norway) in late May, when 61 government and private sector specialists from 18 countries gathered for the third international conference of the Porvoo e-ID Group..."
  • The European Electronic Signature Standardisation Initiative (EESSI) open meeting: "European Signatures vs Global Signatures". June 30, 2003. "The current status of the IDA bridge CA project was presented at the EESSI international open meeting "European Signatures vs Global Signatures".  The meeting, held in Rome on 7 April 2003, was co-organised by the ICT Standards Board and InfoCamere, the informatics company of the Italian chambers of commerce confederation..."
  • Europe- Electronic Identity
    • Porvoo 3: Way forward for e-ID in Europe -- Electronic-Identity.org, 16 June 2003. "The third international conference of the Porvoo e-ID Group was arranged in Oslo, Norway, in late May. The meeting resulted in the highest number ever of Government and private sector specialists assembled on the subject of electronic identity in Europe - 61 individuals from 18 countries. Way forward for electronic identity (e-ID *) in Europe. The third international conference of the Porvoo e-ID group - Substantial progress in e-ID projects across Europe..."
    • Publication of a blueprint for electronic identification projects in Europe. eGovernment News – 10 June 2003 – EU & Europe-wide – e-Identification. "The European Commission-supported consortium “eEurope Smart Card” (eESC) has released the final version of its Electronic Identity White Paper, providing insight and recommendations for the development of interoperable electronic identity cards in the EU Member States..."
    • Electronic Identity White Paper, final version - in pdf format. (To view this document you will need to have Acrobat Reader installed on your computer) (1.745mb)
  • Trust List Usage Recommendations for a Bridge/Gateway CA Pilot for Public Administrations. Auteur: Bart Callens – Product Manager Certipost, Modification date 12 September 2003. Version: 1.0 - in pdf format. (This document requires the use of Adobe Acrobat Reader) (1576kb) "Purpose of this study is to define recommendations on the usage of Trust Lists within the Bridge/Gateway CA Pilot project. Therefore, suggestions for an acceptable Trust Model, based on interview results from a previous study [1] are proposed. Existing standards and application support are also investigated. The conclusion of this study is that one preferably makes use of the emerging TSL (ETSI TS STF 220-1) standard for use within the Bridge/gateway CA Pilot, as this standard incorporates the requirements following to the European Directive on digital Signatures and is as such most likely to be accepted and pushed within the different member states..."
  • Use of e-signatures for e-government applications needs to be more consistent across Europe, finds new research. eGovernment News – 29 October 2003 – EU & Europe-wide – eIdentification/Legal aspects. "The European Commission has released on 20/10/2003 a detailed report on “Legal and market aspects of electronic signatures”, which brings some new insight regarding the use of electronic signatures in the EU, among other things for e-government services..."
  • EU builds online 'backbone'. Kablenet, 29 April 2004. "Europe has a new scheme aimed at identifying and authenticating e-services users. The European Commission has awarded a contract to a group of businesses and academic bodies for developing an e-government "backbone" across the continent..."
  • EU plans single open architecture for European identity authentication & IDs. Public Technology, 30 April 2004. "A consortium of leading European businesses and academic institutions has signed a contract with the European Commission to conduct research into the development of a simple, coherent and interoperable electronic identification and authentication architecture to underpin e-government applications in the EU and beyond..."

GUIDE - Creating a European Identity Management Architecture for eGovernment - Overview - "GUIDE is conducting research and technological development with the aim of creating an architecture for secure and interoperable e-government electronic identity services and transactions for Europe. The project's approach is multi-disciplinary and includes technology, procedural and policy development across Europe. GUIDE consists of 23 organisations from 13 countries. GUIDE's vision is to enable Europe to become the global leader of e-government services through the creation of an open architecture for identity authentication..."

Internet Law and Policy Forum

  • An Analysis of International Electronic and Digital Signature Implementation Initiatives A Study Prepared for the Internet Law and Policy Forum (ILPF) September, 2000 - "Many jurisdictions have been setting up implementation schemes designed to provide technical guidance to allow the general legal framework for electronic authentication to work in practice. Such schemes may include (1) national and international standards for electronic authentication products and services; (2) regulatory schemes for the supervision, accreditation, and certification of particular authentication products and services; and (3) guidelines, best practices, and similar documentation for the operation of electronic authentication systems. Such schemes may be set forth in national legislation, international or regional regulatory principles, guidelines drafted by commercial or policy organizations, or other initiatives.... "
  • The Role Of Certification Authorities In Consumer Transactions: A Report Of The Ilpf Working Group On Certification Authority Practices Draft, Dated April 14, 1997 - This Report represents a preliminary analysis of certain questions relating to legal issues involved in the emerging service business of certification authorities, particularly those arising in consumer transactions. The scope of this Report has been limited intentionally to focus on the selected legal environment in the United States, although additional information has been provided on German law, the directives of the European Commission and laws in other jurisdictions. In addition, this Report only addresses consumer transactions taking place in an "open system," where a CA provides services to any consumer desiring services without regard to the contractual obligations between the consumer or the merchant and any payment system.

Liberty Alliance Project - http://www.projectliberty.org/

  • Key agencies join digital ID alliance, By Rutrell Yasin. Federal Computer Week, March 5, 2003. "Two leading federal agencies have joined an alliance of organizations working to address digital identity challenges..."
  • Sun's Liberty bid gets fed support, by Jim Hu, ZDNet Australia, March 6, 2003. "The US General Services Administration and the Department of Defense on Wednesday announced that they will join the Liberty Alliance Project, which aims to standardise Web authentication..."
  • Liberty Alliance Gains More Support - Government agencies are the latest to back Web identity standard, by Scarlet Pruitt, IDG News Service, PC World, March 7, 2003. "The U.S. General Services Administration and the U.S. Department of Defense have become some of the latest members to join the Liberty Alliance Project for implementing open standards for identity management on the Web..."

National Electronic Authentication Council

The National Electronic Authentication Council (NEAC) has been established by the Government to enhance business and consumer confidence in e-commerce through overseeing the development of a national framework for electronic authentication of online communications. In particular, NEAC will provide a national focal point on authentication matters, encourage interoperability between different systems and the development of relevant technical standards and provide information and advice to industry, government and consumers.

NEAC has released two reports that provide advice and information on the key issues of the legal liability of electronic authentication transactions, and on the integration of Business E-Commerce systems and the use of authentication technologies in electronic transactions.

National Identification System

Raising the platform, by Jack Schofield. The Guardian, June 2, 2005. "Right after New Labour re-announced its plans for a national eID (electronic identity) card, Hewlett-Packard launched an all purpose platform called NIS (National Identification System) and flew a dozen of us journalists to Geneva for a four-hour press conference..."

Netherlands

  • eNetherlands - Public Key Infrastructure (PKI) for the Dutch Government - Selected Readings on Aspects and Trends of eGovernment in the EU - "The Dutch government's Public Key Infrastructure Task Force http://www.pkioverheid.nl is preparing the way for the full introduction of a public key infrastructure (PKI) by the end of 2002. This infrastructure is intended for almost all types of secure interchange and transactions with the government in public sector communications. These communications will include exchanges between government agencies and the public, government and the business community and between government agencies themselves."
  • Dutch Government to build PKI-based authentication gateway. eGovernment News – 28 October 2003 – Netherlands – Identification & Authentication. "The US government may have abandoned its plans for an e-authentication gateway, but not everybody in Europe has yet given up on the idea of building a central authentication infrastructure for online government services. The Dutch Government has indeed announced plans for a PKI-based middleware infrastructure designed to provide secure access to e-government services for citizens and businesses..."

Oasis (Organization for the Advancement of Structured Information Standards)

  • Action plan developed for PKI adoption, by Ryan B. Patrick, Computerworld, 25 March 2004. "An e-business standards watchdog last month unveiled a comprehensive action plan aimed at kickstarting the adoption of Public Key Infrastructure (PKI) technology. The OASIS (Organization for the Advancement of Structured Information Standards) PKI Action Plan builds on the results of a series of surveys conducted by the OASIS PKI Technical Committee with IT staff who have deployed or attempted to deploy it..."

Public Access Control to Electronic Information: Final report approved by steering committee on 17th December 1997. Report of consultancy undertaken for Multimedia Victoria by Professor Ron Sacks-Davis, Dr James Thom, Dr Justin Zobel, from RMIT Multimedia Database Systems.

The Electronic Service Delivery (ESD) project of the Victorian Government breaks new ground in public access to electronic information. The vision of the project sees citizens remotely accessing a wide range of information held by government and non-government agencies, including personal information about those individuals. Access to this information needs to be controlled, to allow individuals to easily access their own information while providing adequate privacy protection. While it is desirable to adapt existing manual systems for access control, they frequently rely on ad-hoc procedures (such as assessing trustworthiness from face-to-face interaction) that do not easily translate to an electronic environment. In this report, procedures and guidelines for controlling public access to electronic information are presented.

The report identifies categories of information that contain sensitive information, including:

  • Information for which no user authentication is required, such as accessing public registers, and
  • Information for which access control is required, containing sensitive information pertaining to an individual or company.

Although public registers must be made available to the general public, this report identifies privacy concerns that arise if unrestricted online searching of public registers is permitted. The report identifies techniques for limiting search capabilities to restrict access, and recommends this as an area for further study so that privacy concerns can be minimised and both current practices and public confidence with respect to access to public registers can be maintained.

To develop access control procedures for transactions involving information relating to an individual or company, the report recommends that a distinction be made between establishing the information that is to be accessed, called data identification, and establishing who is undertaking the transaction, called user authentication. The report identifies and classifies techniques that can be used for data identification and for user authentication. These techniques can be used by agencies for the purposes of providing access control for electronic transactions. By distinguishing data identification from user authentication, the issues of access control are clarified and it is easier to develop access control mechanisms that provide secure access to the right information.

To establish a uniform approach to access control by Government agencies, consideration needs to be given as to whether the number and use of unique user identifiers needs to be controlled and to what extent centralised coordination of user access control mechanisms is useful. Four options for data identification are presented in the report and each of these options is evaluated on the basis of their ability to identify relevant data, protect the privacy of individuals, be commercially viable, be easy to adopt by government agencies, and be easily used by the public. These options were presented to a workshop of the steering committee and two of the options were recommended as preferred approaches, namely:

  • A distributed scheme of agency-allocated unique identifiers, and
  • Schemes for which no unique identifiers are required.

Currently, individuals are assigned many unique identifiers, such as credit card numbers, account numbers, and licence numbers; the distributed solution provides for this practice to continue in an electronic delivery environment. It will be possible to store many of these identifiers on a smart card; to safeguard data privacy, it is recommended that these identifiers be encrypted using both the agency's key and the citizen's key. With these techniques, government agencies will be able to continue to use their current means of data identification, these identifiers will remain confidential between the citizen and the respective agencies, and other data privacy risks, such as data matching, will be minimised.

The schemes for which no unique identifiers are required permit agencies to continue to use other current means of data identification, but require the agencies to develop data matching algorithms. These are not always reliable and involve manual checking in certain circumstances.

Identification schemes based on the use of a small number of unique identifiers or requiring a centralised database for their management were not recommended for adoption, due to concerns about risks to data privacy.

Guidelines for agencies to develop access control mechanisms are presented in the report. The recommended approach involves the following steps:

  • Background and familiarisation with the issues,
  • Analysis of data and transactions,
  • Determination of the category of information involved,
  • Establishment of data identification requirements,
  • Establishment of user authentication requirements, and
  • Review of data identification and user authentication to confirm whether the agency is able to determine that the user has the authority to undertake the transaction.

To determine the level of access control required for a given transaction, the recommended procedure is based on first determining how the correct data will be identified and then determining how the user will be authenticated. Since data identification usually provides some knowledge about the likely user, the approach presented in the report for authenticating the user is based on using this knowledge and augmenting it only when it is necessary.

Security Assertion Markup Language (SAML)

Show Us Your ID - The proliferation of distributed Web-based applications complicates the task of identifying online users. SAML might be the answer, By Tod Newcombe. Government Technology, July 2004. "For years, counties have struggled to automate one of government's most paper-intensive transactions. The recording of land documents leapt forward in the mid-1990s when imaging technology first turned paper deeds, titles and releases into digital images that could be electronically captured, indexed, stored and retrieved at will..."

Spain

Spanish Ministry e-identifies its employees. eGovernment News – 18 July 2003 – Spain – eIdentification. "The Ministry of Economy is the first organisation of the Spanish central administration to have fully incorporated digital identification in its internal processes, it was announced on 8/07/2003..."

Spanish Government approves new bill on electronic signature. eGovernment News – 17 June 2003 – Spain – e-Identification. "The Spanish Council of Ministers has approved on 6/6/2003 a new bill on electronic signature, designed to promote a more widespread use of the digital signature for e-commerce and e-government. The legislation was drafted by the Ministry of Science and Technology in collaboration with the Ministries of Public Administration, Economy, Interior and Justice. It draws on the experience and advances made since the introduction of the Royal Decree on Electronic Signature of 1999..."

Spanish Parliament approves e-signature law. eGovernment News – 12 December 2003 – Spain – Legal aspects. "The Spanish Parliament approved on 11/12/2003 a new law on electronic signatures. The legislation, drafted by the Ministry of Science and Technology in collaboration with the Ministries of Public Administration, Economy, Interior and Justice, aims at promoting a more widespread use of digital signatures for e-commerce and e-government..."


Sweden - Using Electronic ID Cards - A guide for users and Application Developers

The Swedish public sector has been working on an EID concept for some years (http://www.seis.se/), but so far the visible outcome has been restricted to the Customs' and IRS' communications with industry. The EID card shall support three basic services:

  • Strong user authentication
  • Confidentiality for messages and communication using encryption
  • Digital signatures for message authentication, data integrity and non-repudiation

The purpose of the guide is to provide information on the EID card - what it is, how it works and where it can be used. The guide is organised as follows:

1. Basic functions of the Electronic ID card, as well as the concepts of digital certificates and electronic identity document.
2. Concept of Public key Infrastructure - PKI
3. The basics of the technology upon which the security of the EID card application rests including:

  • how to perform strong authentication
  • how confidentiality of sensitive information is supported
  • how digital signatures are created and verified

4. How additional application certificates may be added to the EID card
5. Examples of application areas for the EID card.

Transport Accident Commission

Public key infrastructure for TAC - secure messaging and legal validity for electronic documents. Presentation to Multimedia Victoria, 9 June 2000. (ppt97 2.77mb)

United Kingdom

  • Cards on the table, Kablenet, 10 October 2001. "The UK's smartcard policy group is finally getting down to work..."
  • E-Envoy - HMG's minimum requirements for the verification of the identity of individuals. Version 1.1, 12 February 2002. (E-government strategy framework policy and guidelines). Draft for public Consultation. This note describes HMG's minimum requirements for the Validation and Verification of an individual's identity as part of the process of issuing a digital certificate or a PIN or Password for use with e-government services.
  • Digital certificates fail government project, By Andy McCue. Vnunet.com, 20 June 2002. "The government is looking at alternative technology for authenticating users of its online services following the failure of digital certificates to take off. ..."
  • e-Envoy gets on with ID. Kablenet, 5 July 2002. "The UK’s Office of the e-Envoy has made its own contribution to the thorny issue of identity..."
  • Bacs PKI tipped as security standard, By Sarah Arnott. vnunet, 12 September 2002. "Clearing house develops smartcard-based security system. A Public Key Infrastructure (PKI) security system developed by clearing house Bacs is likely to become the online trading standard for UK business...."
  • Whitehall signs on the digital line. Kablenet, 18 November 2002. "Two UK Government agencies are ready to use digital signatures -- the first initiative of its kind within Whitehall..."
  • e-Identity/UK: New e-authentication scheme unveiled. eGovernment News - 17 March 2003. "A new e-authentication scheme was recently unveiled by Telecommunications company British Telecom (BT) and data management software provider GB Group. The new system, called URU (pronounced “You Are You”), is a web service that takes the identification details provided by an individual and compares them to a range of reference information..."
  • PKI is 'not working'. Kablenet, 12 June 2003. "Inadequate technology for online transactions is a 'huge problem' for those in charge of e-government, admits a leading Whitehall official. The e-envoy's office has started searching for new ways to authenticate the users of e-services as existing technology is "not working", a senior UK Government official revealed on 11 June 2003..."
  • Forget the password. Kablenet, 16 April 2004. "Staff in one area of the UK Home Office are using biometric technology instead of passwords to access their computers. A Home Office organisation that regulates the security industry is to use a biometric authentication system to enable offsite workers to gain access to their laptops and PCs..."

Added: 30 November 2005
Last updated: 7 May 2010

Related Articles

Authentication, digital signatures and PKI issues - Part 2 - Archive
Archived resources regarding authentication issues, electronic/digital signatures and public key infrastructure which have relevance to government. This second part includes articles about authentication, digital signatures and PKI in the United States, as well as articles about e-authentication in the United States.
Added: 1 December 2005

Authentication, digital signatures and PKI issues - Part 3 - Archive
Archived resources regarding authentication issues, electronic/digital signatures and public key infrastructure which have relevance to government. This third part includes articles about e-authentication and email authentication in the United States, user authentication issues as well as general articles and links.
Added: 1 December 2005