
Bridging the issues in PKI

One of the biggest challenges facing governments attempting to foster confidence in the online environment is ensuring that online communications are secure. One of the foundations of online security is the development and implementation of an adequate public key infrastructure (PKI).

PKIs support the applications that encrypt data and that use digital signatures (the means of binding an electronic document to a specific individual or entity); the public keys those applications rely on are carried in digital certificates. PKIs are based on public key cryptography (PKC). A pair of mathematically related keys is created: one is kept private, the other is made public. The private key cannot feasibly be derived from the public key, so the private key stays under the sole custody of the person to whom it belongs while the public key can be distributed freely. What one key of the pair does, only the other can undo: data encrypted with the public key can be decrypted only with the private key, and a signature produced with the private key can be verified only with the matching public key. Whether one key pair can serve both purposes depends on the algorithm; in practice, separate key pairs are often used for signing and for encryption.

A certification authority (CA) is a third party trusted to bind a public key to a particular individual or entity by issuing a digital certificate signed with the CA's own private key. It verifies the identity of the individual or entity that is to receive a certificate (in some PKIs it also generates the key pair on their behalf), issues the certificate, revokes it when necessary (for example, when the private key is lost or compromised), and publishes notice of revoked certificates, typically in a certificate revocation list (CRL) that relying parties check before accepting a certificate.

A certificate policy (CP) is a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements.

Governments are now focused on citizen-centred service delivery. Projects and service delivery must be managed horizontally across departmental and even government boundaries. Accordingly, PKIs must be interoperable: participating organizations must be able to rely on public key certificates issued by other CAs. This raises a number of legal issues. Appendix C to the Policy on Public Key Infrastructure Management in the Government of Canada (PKI Policy) serves as a useful checklist of some of the issues that must be addressed in cross-certification arrangements. These issues include:

The cross-certification process is time consuming and expensive, and pairwise cross-certification does not scale: every CA would have to negotiate and maintain an arrangement with every other CA. One way of dealing with this complexity would involve the creation of a bridge CA for all orders of Canadian government and other participating organizations. Such a bridge would be a non-hierarchical hub: each participating CA cross-certifies once with the bridge rather than with every other CA, and the bridge's cross-certificates let a relying party in one agency build a certificate chain from a certificate issued by another agency's CA back to its own trust anchor, so that the agencies' PKIs interoperate seamlessly. Another possible approach is the creation of a national CA. The adoption of a national solution would involve the resolution of additional complex interjurisdictional legal and policy issues.
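As an added illustration (not code from the article, and not the Government of Canada's own PKI), the following Go program uses only the standard library's crypto/x509 to build the arrangement described above: two agency root CAs, a hub "Example Bridge CA", cross-certificates in both directions between each agency and the bridge, and an employee certificate issued by Agency B. It also shows the key-pair and CA binding described earlier: a cross-certificate is simply a certificate carrying the subject CA's existing name and public key, signed with the issuing CA's private key, so no private key ever changes hands. A relying party in Agency A, trusting only its own root, can then validate the Agency B employee's certificate through the chain Employee -> Agency B Root CA -> Example Bridge CA -> Agency A Root CA, and cannot validate it without the cross-certificates. All CA names, certificate lifetimes and the employee's name are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Authority is a CA: its self-signed certificate plus the private key it
// signs with. Names used below are constructed; they are not real CAs.
type Authority struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func randomSerial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 126))
	if err != nil {
		panic(err)
	}
	return n.Add(n, big.NewInt(1)) // keep the serial strictly positive
}

// caTemplate describes a CA certificate: CA:TRUE with no path-length limit,
// permitted to sign certificates and CRLs.
func caTemplate(commonName string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          randomSerial(),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
}

// sign has issuerKey sign template over the public key pub and returns the
// parsed certificate. parent supplies the issuer name and key identifier.
func sign(template, parent *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewRootCA generates a key pair and a self-signed root certificate.
func NewRootCA(commonName string) Authority {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := caTemplate(commonName)
	return Authority{Cert: sign(tmpl, tmpl, &key.PublicKey, key), Key: key}
}

// CrossCertify has issuer vouch for subject's existing CA key: the result
// carries subject's exact name and public key but issuer's signature.
// Only issuer's private key is used; subject's private key never leaves it.
func CrossCertify(issuer, subject Authority) *x509.Certificate {
	tmpl := caTemplate(subject.Cert.Subject.CommonName)
	tmpl.RawSubject = subject.Cert.RawSubject // byte-identical name, so chain building links to it
	return sign(tmpl, issuer.Cert, &subject.Key.PublicKey, issuer.Key)
}

// IssueEndEntity issues a signing certificate for a person under issuer.
func IssueEndEntity(issuer Authority, commonName string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: randomSerial(),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, issuer.Cert, &key.PublicKey, issuer.Key)
}

// VerifyUnder validates ee against a single trust anchor, using the supplied
// intermediates (the cross-certificates) to bridge the gap. It returns the
// common names along the chain that was found, leaf first.
func VerifyUnder(ee, anchor *x509.Certificate, intermediates ...*x509.Certificate) ([]string, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	chains, err := ee.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return nil, err
	}
	var names []string
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

// BridgedPKI wires two independent agency hierarchies to a hub CA with
// cross-certificates in both directions, as a bridge CA would.
type BridgedPKI struct {
	AgencyA, AgencyB, Bridge Authority
	BridgeByA, AByBridge     *x509.Certificate // Agency A <-> bridge
	BridgeByB, BByBridge     *x509.Certificate // Agency B <-> bridge
	Employee                 *x509.Certificate // issued by Agency B
}

func BuildBridgedPKI() *BridgedPKI {
	p := &BridgedPKI{
		AgencyA: NewRootCA("Agency A Root CA"),
		AgencyB: NewRootCA("Agency B Root CA"),
		Bridge:  NewRootCA("Example Bridge CA"),
	}
	p.BridgeByA, p.AByBridge = CrossCertify(p.AgencyA, p.Bridge), CrossCertify(p.Bridge, p.AgencyA)
	p.BridgeByB, p.BByBridge = CrossCertify(p.AgencyB, p.Bridge), CrossCertify(p.Bridge, p.AgencyB)
	p.Employee = IssueEndEntity(p.AgencyB, "Employee of Agency B")
	return p
}

func main() {
	p := BuildBridgedPKI()
	// Agency A trusts only its own root: without the bridge, B's employee is a stranger.
	_, err := VerifyUnder(p.Employee, p.AgencyA.Cert)
	fmt.Println("Agency A without bridge:", err)
	// With the two cross-certificates on A's side of the bridge, the chain closes.
	chain, err := VerifyUnder(p.Employee, p.AgencyA.Cert, p.BByBridge, p.BridgeByA)
	fmt.Println("Agency A via bridge:", chain, err)
}
```

Note which cross-certificates the relying party in Agency A needs: the one the bridge issued for Agency B's CA key (BByBridge) and the one Agency A issued for the bridge's key (BridgeByA). The opposite pair (AByBridge, BridgeByB) is what a relying party in Agency B uses for certificates coming from Agency A. Adding a further agency means one more pair of cross-certificates with the bridge, not one with every existing agency; revocation, name constraints and policy mapping on those cross-certificates are where the legal and policy checklist in the PKI Policy bites.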

A more detailed discussion of PKI and cross-certification issues is provided by Rhonda Lazarus in "Government of Canada's Legal and Policy Framework for Government On-line", Proceedings of the 6th Annual Conference of the Canadian IT Law Association, held in Ottawa on October 3 and 4, 2002.

Christian (Chris) S. Tacit, is the Practice Group Leader of the Technology Law Practice Group at Nelligan O’Brien Payne LLP. He may be reached at christian.tacit@nelligan.ca.
