Transcript of Symposium and Consultation on
E-Authentication

Held on 11 July 2002

 [Draft - corrections welcome]

 

Hosted by
Baker & McKenzie Cyberspace Law and Policy Centre (at UNSW Law Faculty)
and
the National Office of the Information Economy

 

At the offices of Baker & McKenzie Sydney, Australia

Transcript prepared by Nick Chen, edited by Than Yeng.

(Please go back to the main E-Authentication Symposium page for the background papers.)

 


 

Contents

Introduction

Presentation 1: NOIE’s e-Authentication discussion paper

Discussion on the NOIE presentation

Session 2: Roger Clarke’s paper

Discussion on Roger Clarke’s paper

General discussion after the break

Conclusion

 



Introduction

David Vaile, Executive Director of the Baker & McKenzie Cyberspace Law and Policy Centre

Welcome to this symposium on E-authentication, the third event in a series which investigates aspects of cyberspace in the light of various public interests. 

One of the aims of these symposia is largely to dispense with the conference style format consisting mostly of prepared lengthy speeches where real discussion tends to happen on the sidelines. What we want to facilitate instead is open-ended, wide ranging discussion of issues that are of interest to experts and stakeholders in the field, and to disseminate the results of these discussions to a broad audience. Accordingly, we’ll record most of what is said with a view to making it available in slightly edited format on the web.

Later on we also hope to publish a series of books in which the symposium proceedings will appear together with related papers, articles and materials. We’ll also be taking some snapshots to record the event so please tell us or the photographer if you don’t want to appear in any of these photographs. Before I introduce the themes of the present symposium I’d like to introduce you to the Baker and McKenzie Cyberspace Law and Policy Centre where I am the new executive director. My name’s David Vaile, if I haven’t met you yet.

The Centre has been up and running since late 2000, attached to the Law Faculty of the University of New South Wales.

We are generously supported by our hosts tonight, Baker and McKenzie. As well as providing the bulk of our funding Bakers also supports the centre in other ways, such as allowing us to use its facilities for events like this. I should emphasise that otherwise we are quite independent of Bakers, we are not a mouthpiece for the views of the firm or its clients and we are free to pursue our own academic and public policy interests under the watchful eye of the law faculty at UNSW. That said, we are lucky to have at Bakers a number of the most experienced practitioners working in the area and this is often a source of valuable ideas and feedback for the centre.

The Centre runs a variety of events in addition to this sort of symposium. For instance it arranges conferences, events in the continuing legal education program, and the centre itself has a relatively small secretariat including Than, who’s the inaugural coordinator. He’s been doing a great job to get us to where we are today.

Our activities are driven mainly though by our group of research associates and collaborators, several of whom are here this afternoon. I’m not sure it would make sense to name them all, but I’m sure you’ll find them later on. In addition to these research associates, we are fortunate to have participating in the symposium a large number of people from a broad range of disciplines, government, industry, academia, the legal profession, and public interest advocacy. Fortunately we have a mix of IT people and lawyers; this should lighten up the proceedings!

So, we should continue the cross-cultural dialogue initiated in our past symposia. 

As we were planning this event, we discovered NOIE, the National Office of the Information Economy, was intending to run a consultation in Sydney as part of a national program seeking feedback on their recent authentication discussion paper.  We're proud that NOIE chose to conduct their consultation session in Sydney jointly with us as co-hosts of this event.  No doubt Catherine [Higgins] and Tom [Dale] will make sure that you all have a chance to comment on some of the specific topics that they seek to address, although I'm sure that the debate will inevitably cover much broader ground.

The first part of the symposium will begin with a presentation from Catherine Higgins from NOIE. She'll focus on the outline of their authentication discussion paper, of which many of you may already be aware.  The main technologies covered in their paper include biometrics and the gatekeepers scheme. I understand NOIE emphasizes their interest in seeking reactions to a much broader range of the authentication options. 

The second part of the symposium will be started by a presentation from Roger Clarke of the ANU. Roger will consider some fundamental technical and social limitations of some of the newer and more complex authentication tools, and ask questions about what this means and where they might fit in the broader mosaic of online relationships.

The third part of the symposium will consist of free-ranging discussions after dinner. 

This symposium is aimed at discussing the implications of e-authentication and the new environment in which it finds itself in the interests of all the parties concerned, most notably the transaction participants, service providers, and those who support the integrity of the system.

So what do we mean by ‘e-authentication’?  It's a fairly new term, covering a range of tools including passwords, PKI, and biometrics.  These systems attempt to identify, verify, or otherwise raise trust in the participants in an online environment by the use of technological, and to some extent organizational, mechanisms.  

I note in passing that there are some complex legal, social, and technological issues in this area, and we have a very diverse audience here today, so I'd encourage anyone speaking to recognize that not everyone may share the background knowledge and jargon that you may take for granted. Please provide a little bit more context and explanation than you would if you were just amongst your peers where you could perhaps take for granted your audience’s level of knowledge. 

Hopefully this symposium will cast a penetrating light on the issues surrounding authentication in general, specific implementations of it, how well they match the needs of various users and stakeholders, and what type of regulation may be needed. However, I don't want to steal anyone's thunder, so I'll hand over to the joint chairs of this session.

One of them was meant to be Chris Connolly, who many of you may know. He’s a co-director of this Centre, but he has been called away to help his wife in the birth of a new, currently unidentified, entity. 

Luckily Professor Graham Greenleaf, another co-director, on my right, has agreed to step in on short notice, and share the chair with Tom Dale from NOIE.  Welcome Graham and Tom. And over to you Catherine.


Presentation 1: NOIE’s E-Authentication Framework discussion paper

Catherine Higgins, NOIE

Thanks David. I'd like to talk today about the discussion paper and some of the background to where it comes from. 

As pointed out I think some people have a depth of knowledge in this subject and some people don't, and we've been discovering that over the last two years at NOIE.  We really have been intending to educate a lot of audiences about the authentication technology over the last couple of years and we've had an industry and government council whose term had ended but they were called the National Electronic Authentication Council and Stephen Wilson was a member of the council.  So some of the thinking that comes from this paper actually comes from the last two years and where authentication technologies had evolved from.

I'd just like to go through the paper very quickly because some people will have read it and talk about some of the questions that we're trying to answer.  And also I'll talk about the consultation process a little bit and the submissions we received so far in response to our paper and the others we hope to receive in the next two months.  So those of you who have read the paper will see that we have provided an introduction to the whole subject and we've tried to set the context of authentication in terms of electronic transactions, identity management.

We find it hard sometimes to talk about authentication as a means to itself which I think is the wrong thing to do in Tom's terms of Internet or e-commerce agenda.  So really authentication has enabling and protective security aspects to it and I think this is important and probably hasn't been raised that much in the debate in Australia to date. 

In terms of enabling it enables e-transaction because it identifies individuals online, and it also is an access control technology in that it can be used to control access to remote computers, servers, and so on, so it's a protective security concept in that sense, and I think in Australia we need to talk more about it in the industry because we have a lot of unprotected systems.  So that's the other angle of authentication technology, the protective security elements.

Also I think we're going to talk quite a bit about biometrics tonight, and it's getting a lot of play in Australia right now because of the law-enforcement aspects of the use of biometrics or the potential uses of biometric technologies, and that's an area which I think is very interesting, and there's a lot of consumer issues and societal issues surrounding the use of biometrics so hopefully we have quite a rigorous debate about that tonight.

The paper is divided into three sections, and so as I said the first is an introduction to why we have authentication technologies at all and what they help us to achieve more broadly in the information economy.  If you go through the Commonwealth government's role to date in authentication and some of you will know that NOIE's been quite involved in authentication in terms of digital signature certificates, and particularly because we accredit IT members under our gatekeeper program so that accredits those industries.  Members do go out and issue digital certificates.

So we look at trends in section 2 of the paper and really I think, as was said the biggest trend and noticeable thing over the last two years was that passwords, PINs, and those more basic forms of authentication technology are commonly known and used.  The more high-end areas such as biometrics and PKI, we have concluded that those areas do need considerable regulatory and accreditation attention and we would like to talk about those specific areas in depth tonight.  And cross recognition, the whole concept of recognizing other trust schemes is another area which we have covered in this paper. NOIE runs the gatekeeper schemes, we want to look at recognizing another country's schemes, we have covered that in this paper as well.

I think that area has been a policy discussion for a number of years, but I think it's still got a fair way to play in terms of making international e-commerce a reality and having the exchange of digital signature certificates across economies. So that's currently being discussed in APEC, and now the international forum, and we cover the foundations of our views about cross recognition in this paper.

The whole area of standards and accreditation and so on is covered in this paper as well on page 17.  And really we talk about PKI and the standards there simply because there are standards in that area, and it's also a complex area of technology which requires standards.

So we talk there about the original standards, the Australian standards, and I see Alistair hasn't come along yet, but he's coming from Standards Australia, and those standards were named 4539.  They were the precursors to the gatekeeper schemes.  So we have got some questions in here about whether standards will drive the take up of PKI digital certificates in a private economy in Australia, we like to ask a series of questions and try and have some debate and discussion around that tonight.  But there is also a view that standards don't drive the take up of technology either, so we would like to discuss that more tonight.

One of the big issues that NOIE is considering in this discussion paper is our role in this process, NOIE's been very involved in authentication, education, but also in a stronger role as the accreditor of the gatekeeper schemes.  We are really seeking some comments from industry parties as to whether someone else may be better placed to take on that role as the accreditor in future years and we have a series of questions around that and it involves a range of stakeholders including those vendors who are already accredited under the gatekeeper, and we have to look at the business model surrounding, potentially outsourcing gatekeeper from NOIE, and therefore what NOIE's role will be in the future.

So there is appendix C of this paper which I think has been circulated before tonight, sets out a framework for the governance, a new governance framework if you like, for PKI.  People like Stephen Wilson will have seen this before because we discussed this at the end of last year so it has a governance structure which has an industry government board and then it has a role for Standards Australia and it has to define which of those will exactly be in that third party accrediting role.  But we have put some framework around that there.

We are really trying to get comments back from industry users on whether they can see that national framework being necessary for the rollout of PKI and therefore whether Standards Australia and NOIE should really investigate the feasibility of starting up that framework, how much time and money we should invest in that.  And that's a big issue, and it's about demand drivers as well in the economy.

So just a little bit about the process so far, we have had one workshop so far which was in Canberra and unsurprisingly that was dominated by government agencies who have been quite strong users of authentication technology particularly PKI, and also the IT security vendors, so it was quite a good session, but it became apparent to us that people still don't really understand authentication technology fully, and the way they are trying to implement them in government agencies, and that they are still seeking answers to some questions.

There are some good PKI rollouts that happened from Canberra, which has been government and business applications and tax, and the Health Insurance Commission of those two examples.  They are seeking more sort of work and guidance in how to reach critical mass with those rollouts.  So we're hoping we have had four returns to our papers so far in terms of submissions, and we're hoping to get a number of concerted submissions, from industry consumers and governments over the next few months.

It's interesting, the ones we have received I just took a note of them just to let you know, that the variety of people who have responded to our paper.  Two of them are IT security vendors, Gangooli and associates who have done a market stakeholder analysis, and PKI Plus who are an e-security vendor firm.

The Australian consumers association made a submission which was based along the lines of the submissions that Charles Britain made to the private commission on PKI guidelines, so he was coming from the same angle as when he saw our paper.  The fourth one that is forthcoming I think, is from Glen Turner Arnetts, so from the education sector, his users of PKI technology. 

So I'm quite looking forward to reading that one because it comes from a user's perspective.  We have had a lot of e-mail traffic from IT-12 which is the Standards Australia committee which originally dealt with the first PKI standards 4539, and it is good timing now that Alistair has just walked in the door.

And the sixth submission that we have had is from the New Zealand government which is really interesting because they are still looking at the whole framework at this point.  And their authentication strategy seems to focus on the consumer level so they are looking at the government consumer issues and how they issued identities to individuals within an economy which is quite good and timely at this stage.  We have also had a good discussion with VISA and some of the credit card companies about what they are doing and that was very useful as well because it is a real commercial perspective to the authentication field and that's been very useful because I think that the verified by VISA scheme is getting quite a lot of take up amongst the retailers and the e-tailers.

So look we are hoping for more submissions and answers to some of our questions, we are having another consultation session in Melbourne on the sixth of August, and we are also having another consultation session with the computer association in Adelaide on 30th July and perhaps one in Brisbane as well.  But anyway, we are looking forward to your comments on the paper, and this next session we are going to go into looks at some specific issues which are outlined in the paper and we stop all the about questions.  So that's all for now.


Discussion on the NOIE presentation

Professor Graham Greenleaf, UNSW Law Faculty

Thanks Catherine. We have another formal presentation after the break, and we are going to hear from Roger Clarke, about the question of whether conventional PKI is a good idea. However before we deal with questions like that, I think we can start with one of the broad issues on the agenda in front of you, and deal with the question of what is the role of the government in promoting and regulating e-authentication technology. 

Would someone like to put a view on the future role of government in authentication technology regulation generally, and just before you do, a reminder that we would like each person before they speak, to identify themselves, which of course I didn't do -- I am Graham Greenleaf -- and also for those of you sitting at the table could you please turn your name card around so that it faces Tom or faces me so we know who we are getting contributions from.  Thanks.  Okay, so who would like to start off the discussion on the role of government in future technology, future e-authentication regulation?

Graeme Freedman

I noticed the U.S. government is trying to make some specifications for UV probability spectrum for cars, which they are currently issuing. The really interesting thing for me is that the report, which came in today, reported how airline crews in Europe are having troubles with their uniforms and credentials being stolen.

From the transport workers' union in the U.S., there are concerns for the safety of those crew members, and there has been a push for better certification and authentication. My guess is that the role of the government will probably be directly proportional to the perceived threat of outside interference with your average Joe.

The political process will in many ways determine the perception of threat rather than any technology as it goes forward.  It's interesting to see, laypeople, in U.S. transport workers, people looking after the aircraft, unloading the aircraft, things like that, being very concerned about the issues, not because they understand the technology, but because they think there has got to be a technical way of making their operations safer.

Tom Dale

So you think that at the moment, a lot of the evolving perceptions that are around authentication are made in terms of access and security, and that in itself might be a political driver.

Graeme Freedman  

I think where governments are involved in these things, people, in a situation where there's no threat and where there's no real need for things to happen, governments probably don't need to be involved.

As the risk gets greater and we consider that our lives can be more affected physically and virtually, then we may as a community want greater involvement.  I think that governments will be involved as much as the community wants them to be involved from the political process.

Graham Greenleaf

If I can just take that last comment you made, put up one hypothesis, I would say that every form of authentication is a potential threat to privacy by potential abuse, and consequently, it's inevitable that governments will be more and more involved in privacy regulation in the e-authentication era, and that we can expect a much greater level of legislation in relation to authentication than we currently have in the Federal Privacy Act.  So I would throw that in that this is at least one area where government regulation is unavoidable.

Nigel Evans

I observe that there are issues of trust.  Governments have regulated in this area. You can't get private inquiry agents in New South Wales, without being licensed by the New South Wales government, because it's perceived as being an area which the operatives must be trustworthy. 

Therefore trustworthiness surely is an issue.  Then maybe some people who perhaps until quite recently have said "well, a reputable organization with a good brand name is inherently trustworthy", I think that is now greeted with a certain amount of mirth in many circles and I don't think it's politically sustainable anymore.  So I think the need for trust may in itself be a cause for a need to regulate licences.

Graham Greenleaf

Thanks Nigel. Would anyone like to respond?

Lyal Collins

I would like to contribute to the general discussion. We’ve heard the term identity and authentication used here this afternoon, and we shouldn’t forget that particularly in the commercial environment, it’s the authority associated with a particular commercial relationship that is also of issue.

The identity and the authority only really have relevance in a point-to-point customer to vendor environment, and there’s a lot of good working models in the business community today, where there hasn’t necessarily been any regulatory input by government. In some cases there has been input by other bodies, including community, or industry regulators.

It’s sometimes slightly different of course with statutory or government bodies where there’s inherently trust because they are part of the political, the governance process of the culture. I do take forward, though, the comment that the large, monolithic and sometimes self-regulatory environments like accountants and auditors, do sometimes get it wrong. You must plan for failure in whatever mechanism we have going for or have a multiplicity of mechanisms that suit different commercial sectors.

Graham Greenleaf

I’ll raise another of the topics that Catherine has flagged, and that’s the suggestion that NOIE might move towards promoting some non-government authentication body to take over a more generalised portion of the work the gatekeeper has been doing at present, and ask for comments about that suggestion, and also the related question of if there was sense in such a non-government body in the field, would it only make sense for it to be dealing only with PKI or would it make sense for it to be dealing with a wider range of authentication methods and technologies. But before I do I think I’ll ask Tom or Catherine perhaps just to clarify what NOIE’s view is on that second question, about what scope of operations did you have in mind for that sort of body?

Catherine Higgins

We did have some discussion about this last week in Canberra, and our thinking has been narrower in that we have been looking at the PKI area in particular and because the gatekeeper standards which are listed in here are quite comprehensive in themselves.

But we did have a discussion last week in Canberra, and a lot of people were a little bit concerned with this suggestion that the management or governance council above this sort of structure would have to be very representative of industry users’ views, and existing commercial standards that are already operating, we didn’t want to overregulate in that sense.

But we really were looking at a narrower context of PKI because we see that Jas Anson and Standards Australia have that kind of expertise, so if we had a broader concept of authentication which included areas like biometrics and existing authentication technologies in business it would have to be a broader management council at the top of the structure, and it could even be quite unwieldy, so it would be a matter of how you would get that input from business and also whether it is required at that broader level or only for certain technologies.

We have outlined the governance structures in this paper for the PKI management council model, and it’s that diagram at C and some of the earlier stuff on page 19 of the paper.

Tom Dale

Can I just make an additional comment. I think it is important to distinguish between the role the federal government has played today in not so much the gatekeeper PKI framework but in its commitment to utilisation of PKI for particular purposes. 

Essentially the policies rollout of the federal government has been confined pretty much to government businesses transaction component, with a couple of exceptions. In general the Federal government has not been focussing on PKI or any other particular forms of authentication, in terms of government to individual transactions, and I think a lot of the policy issues raised will likely be raised later on.

There's a distinction between the government trying to establish a trust framework for some sort of transactions in business and transacting electronically with governments. The gatekeeper structure has evolved as a system of standing in governments for PKI, which is a different issue again, and I guess we’re trying not to confuse them too much and there’s no suggestion that the, well there’s no obvious reason why a change in the government’s structures, I guess a fairly substantial legacy arrangement such as gatekeeper needs to lead to any change at all in the government’s general approach in promoting PKI for particular purposes.

That’s the issue with government online, the democracy, it doesn’t necessarily mean the government is also in charge of its standards and the accreditations.

Julie Cameron

I’m just taking a business point of view, and following on a little bit from what Tom has said.  From an implementation point of view, I’m an electronic commerce practitioner, whereas he’s been involved in implementing industry project. We would recommend perhaps a light touch. We looked at implementing PKI into superannuation for various transaction purposes.

We found that there were issues in the trading community, like cost; how much is it going to cost us to set up things like CAs and RAs? The actual cost of the products that we would need to implement, and the cost of implementing the product we would have to put in front of our gateways.

The cost of managing keys was quite inhibitive, particularly when  talking about trading chains with small businesses. I think there’s some issue here that needs to look at exactly what kind of transactions governments want to introduce as requiring something like PKI, and what are the transactions you would have trusted partners, people who probably do businesses using telephone or fax or some other less secure method.

If the government decides that they want to do PKI, I think there needs to be a caution in making a lot of transactions have to use PKI because it will slow down perhaps the implementation of electronic commerce across Australian industries, and particularly between industries. I wonder whether that could be two levels, the light touch or commerce which is considered to have low risk and perhaps a higher touch if you want transactions which need pure authentication and identification.

John Gardner

There are two issues that I see. The first one’s around a body as a trusted third party, in particular, a PKI as a trusted third party or anyone who’s performing authentications on behalf of, say a customer through to an agency. We find that that’s very hard to describe in a private contractual framework, and there’s limits to what can be done or what I trust them to do under current law.

What we see is the role in government trying to find those areas difficult to describe in that relationship and perhaps smoothing out of the way that that could be contained to what the authentication provider actually does compare to what transaction is being authenticated.  So it's the first issue on the table.

The second issue is what is being authenticated?  There's a role by the registrar of identities within the community and by that I mean civil identities, business registration identities, communities of interest identities, in seizing what they are identifying, and making sure that authenticators of those identifiers are linked into a way that that identity is those granted so that the government role in managing authenticators in the community also needs to consider that same role in managing the registrars of those identities.  I hope that wasn't a bit too cryptic.

Stephen Wilson

I have some extended comments to make, if you do not mind.  We run the risk in all of this debate in losing track of what people's certificates are really good for.  If you do mind a bit of discourse on that, my strong view is that a lot of people having preconceptions which is some years old in terms of certificates already formed from liability, cost and trust.  The original view I think of digital certificates was that it would be an electronic passport.  And this is a metaphor that is very easy to grasp, and I think that somebody cooked it up almost on the spur of the moment, when they were just thinking about business opportunities. The trouble with it is that comes up with a very interesting set of problems. 

If you think of the digital certificate as an electronic passport context to that relationship, you wind up with issues where Alice has a relationship with Sydney authority, she's holding a certificate, she's trying to convince Bob who she is, Bob has no other relationship with Alice he has no of the context to see who she is, he's got no prior relationship with her CAs. NEAC has indeed spent years on this problem and had a look at two different very good legal analyses which have wound up at being somewhat inclusive. 

If you look at the NOIE’s website there is a diagram which has all the relationships and has this rather alarming but correct phrase that good legal standing of such and such between who the line pays and CAs is indeterminable. Anybody that wants to get into this debate has looked at the NOIE website has obviously been put off.  Now I'm not saying that what you said is wrong, but we are all trained over years and years of going to presentations to think of Alice and Bob as having no context, and we continue to be trained in PKI's because we have an e-mail, we receive a little red seal on it and it's a signed e-mail, we click on the signed e-mail and have a look at the certificate authority which it came from and we're trained to think in terms of this certificate authority is trusted, because I had no other way to trust Miss Alice. 

The trend at the top of the agenda, the really important trend, the use of PKI's is dramatically different from that.  The technical reason to use PKI is twofold: it gives you what's called the system identities, the origin and integrity of the transaction, and it's persisted in so far as I can get a signed form from Adrian, it hits my machine and I can log it and I can trust it on this machine, and they can pass it on and they can log it halfway in six months, they can come back with that form, which has gone from server to server, you can do that using provisional technology which involves that going through audit trails and all sort of things.

The other thing that's important about computer certificates is that they are machine readable.  And this is something that gets insufficient attention. There's no real interest in application when everybody's actually getting signed emails, it just doesn't happen.  You look at all the other interesting applications of PKI and they have the same characteristics, the servers that are processing forms automatically at high volume, and it's pretty obvious because if we don't have high volumes, we don't have paper savings. 

So it's really important I think to understand the interesting applications of PKI. Rich-context, Alice and Bob have a preordained relationship of some sort, and what PKI's doing is automating the existing relationship.  If you think about the context of the submission, what indeed what the HIC's trying to do with the certificates is purely context based. As a non-lawyer it's easy for me to say I don’t see there being a lot of liability difficulty in trying to work out what happens when a transaction goes wrong. I mean, the parties are presentable, a licensed medical practitioner comes in, a signed form with the HIC.

Graham

Steve, if I could just finish that point: The liability of these things is easy to understand, and the management of these things is easy to understand. If we try and use PKI to automate these existing relationships it helps us understand what killer applications replaces customs and health – customs overseas, stuff in Hong Kong is a very important application of how to. It also helps us understand that PKI is an important trend in the future where credit card companies are using chip cards now.

The chip cards contain very sophisticated PKI systems, and yet nobody is being burdened to sign up. The reason for that is that PKI is embedded in the relationships and the context of the transactions. So I guess my fervent desire is that the policy agenda gets onto problems that have real application, the ones that I have enunciated, and they are not Alice and Bob.

We should turn our attention to more problems, and to a much clearer debate about who should be regulating these things. The question about whether the government has a role is a question about grounding till you start thinking, what is the government’s job in regulating registration roles.

Someone

Stephen, out of that very interesting set of comments, we certainly get the point that a lot of the liability takes place through the conflict of particular contexts in which particular PKI applications occur. However, those particular contexts, those you were alluding to, I think were also likely to involve other forms of authentication in conjunction with PKI as part of that context. Where do those combinations of factors lead you in answering our original question of what’s the future role of government in relation to the regulation of this whole mix of authentication technologies?

Stephen Wilson

Well, there’s two sides to it. There’s the technological side and this is a government understated, very clear role. With the technological role of IT, there’s an enormously important library of this stuff for everyone to seek standards and by and large it does it in a fairly useful way. [indistinct]. The other side has got wrapped up in government in a very sort of complicated way, that is the idea of personal transport and the issue of very strong identity checks.

The strong identity checks are a national consequence, the idea that Alice and Bob have no other context. If what we did on the other hand was not to identify people personally but use the certificates to coordinate transactions, then we look to the existing communities of interest and the existing authorities.

One example is the existing authority structures that make me a doctor, a missionary or a taxpayer. These are not good examples because the government has a will on us. We all know the good examples, the government has a good understood role in making taxpayers and in making doctors in that authority. I think the authority ought to be delegated now to those sorts of things that we have already charted.

Graham Greenleaf

So you’re saying that there’s no real role for some overall non-government authentication body here, and that what we should be looking for is industry specific or profession specific or activity specific regulatory structures being augmented to deal with the particular problems of authentication.

Stephen Wilson

I think that there is potentially a role for non-government or semi-government bodies to sit above and it might be a good idea for somebody else to put up their hand and talk about the issues around this. The issue, if I’m trying to rely on a certificate, if I set up a server, and I’m processing forms for people, I want to know if the certificates were issued properly, and I want to know the certificate issued was done according to standards, and I want to know that they’re going to be withdrawn properly. Now that ‘generically’ is a problem across industry, in different areas, we want to make sure that information systems are audited and secure.

DSD has a program in conjunction with NATA… doing all sorts of things, they rely on technical experts to be making instructions orbiting and the licensing (and I use the word loosely) and the accreditation of those bodies to do an inspection does in fact quite often converge in a very small number of accreditation bodies such as NATA and [something] international.

So I think that fundamental problem that we have in quality control, if you like, is that the certificates themselves were generated in a trustworthy manner and are part of the standards. NOIE right now will know what confers that sort of trust or that word appears in all sorts of other issues because there are health checks that NOIE does. Now you could look to other organisations to do those health checks.

Lyal Collins

I’d just like to expand on some of Steve’s comments and I think that there’s a lot of synergy between what I was saying and Stephen’s comments. I think there’s a requirement for technology neutrality in a lot of this. There is a very strong need for accountability in all of this, you have trusted third parties who allocate or designate to be accredited doctors, for instance. We don’t actually ever go back and check our credentials, but we do want to know that when something goes wrong, we’ve got a plaque on the wall outside that we can go and hold that individual or that company accountable.

That’s very similar to Stephen’s comment about automating process of doing interactive, the trust and confidence to deal with a particular individual occurs by non-technology means. The light touch approach, in the superannuation context, perhaps, is a really good example. The financial planner has a context of a relationship with a fund manager, there is other processes around those other forms of accreditation and they are good, working trust party models to date.

The cross recognition probably, where government might provide some directions, or a non-government regulatory body. The process by which a doctor gets a bank account is a form of crude, and slightly esoteric form of cross recognition. That there is an entity, it has a cross commercial practice, and therefore has an ability to authenticate for a different type of commercial relationship with different levels of liability specific to the type of service. So the cross recognition at the very high level is an area where there could be some contribution in there.

The Electronic Transaction Act, just to move on a little bit, the Electronic Transaction Act and its state derivatives or complementary legislation sets some basic criteria about what a transaction and what an electronic signature can be. It’s technology neutral, and there’s numbers of ways of achieving those. PKI is one of them, I am a vendor promoting an alternate mechanism, and I am sure that there are multiple other processes in place that will do that the same.

An open market approach, letting the market decide, perhaps with some valued input from government or appropriate technology and commercially astute bodies, may well be the approach to go. It’s a little bit of a moot point whether it’s to be a government or a non-government body as long as there’s appropriate funding, and it can maintain the appropriate level of trust, just like the institute of accountants and auditors do.

Graham Greenleaf

I am going to throw this back to Catherine and Tom for the moment and ask are these contributions we’re getting answering the questions that you thought you were asking?

Tom Dale

I think so. I should note that we do have both Standards Australia and NATA, and some perspective that they may wish to bring on. I think that the government is certainly conscious of that distinction I made earlier, and does not want to be particularly identified as a market leader or a regulator across the board in all of the areas we’ve been talking about.

There’s been a number of people including Stephen who have said that since the governments originally mould them in all of these matters 3 or 4 years ago, things have changed quite significantly in the marketplace, in the expectations and strategic planning with a lot of federal government agencies and in terms of the will more generally, I guess, and I think the propositions about transactions in context, about fit for purpose approaches to not technologies but for business solutions and the propositions I think that we’ve heard about generally making sure that authentication is seen as a means to an end, not an end in itself, the ones that are more fairly obvious, so all those reasons, those are the sort of issues that we’ve locked in, that we require a bit more detail on, but yes, we’re getting there.

Alistair Teggart

I’ll just preface what I’m about to say by saying that this is the first time that I’ve spoken on behalf of Standards Australia. There’s a long history in the area, but a short history in Standards Australia’s involvement. I guess from a starting perspective, if we keep the conversation to PKI, Standards Australia has a long history, back to MP75 in ’94, and the tech tree of the GPKA and running the national PKI committee IT 1241, and developing the existing national standards in biometrics. I think that’s a pretty separate subject and one that we’re probably not willing to enter any arrangements about now but at the international level of debate of biometrics is pretty fragmented.

There’s a recent proposal to the joint tech committee between ISO and IEC to set up an international standardisation committee for biometrics led by the USA that I think will probably be picked up in some form, probably not as a separate committee at an international level but within the work of one of the other committees. And I guess if that progresses, then we would see some involvement for us in standardisation of biometric technologies at the Australian levels.

That said, back to PKI, we’ve had a proposal on the table for nearly a year or so saying that we could, based on the fact of that experience, our position as a trusted third party (some people have got different interpretations of what a trusted third party is) but as a national trusted body, we could oversee the evaluation and accreditation procedures based on that experience.

We’ve got a broad representation of stakeholders already, and rigorous processes in place that we have for development of standards and accreditation against standards, through certification through CLAWS, and I guess with appropriate funding, somebody mentioned earlier, we could probably take on that role, if it was judged to be appropriate by industry and government, and if there was a perceived demand.

Catherine Higgins 

On that point about perceived demand, do members of IT 12 think there is perceived demand in industry sectors, do we need any more standards, do we have enough? You know, we’ve got PKI coming in anyway, the gatekeeper accreditors suppliers can issue PKI privately to any community interest who can pay for it, and so there are cost issues there and so on. But we need to update 4539 and some parts of that so that the registration authorities can recognise for example, do that work quickly, does that make a difference to the demand side of the economy?

Alistair Teggart

I can’t answer straight out. There is probably a role for us to develop a handbook based on the general risk management framework, which is 4360, I think. The specifics of PKI, looking at value of transactions, and that would also sit within the existing information security management standards as well. Draw on that.

Stephen Wilson 

I make a point that a handbook on authentication. We’ve got to be careful that we don’t get [something] trying to reverse issues of standards and process controls and so on in the absence of any context, and we got unstuck in the standards group in trying to come to a standard for R8, and it’s exactly the same as writing a standard for passports. So if you do that in the absence of any transaction context, and can’t manage risk in the absence of context, we know that now, we’re at the risk again of just chasing our tail, coming up with standards that are addressing academic issues, not actually addressing the real issues which have to do with the specific use of certificates.

Alistair Teggart 

The format of a handbook is a lower concern, which doesn’t necessarily mean that it’s not a valid technical document, it means that perhaps that some of the very rigid process is avoided. The handbook has guidelines, they’re not standards, but they can carry a fair amount of weight, and I don’t think necessarily we could get too bogged down thinking about the contextual issues of risk management in PKI. The handbooks are a more open structure, and I think the emphasis would have to be on context.

Chris Winston

Thanks very much Graham. Maybe the first thing I should do is explain a little bit about NATA, I was conscious of the comment made earlier on in this meeting that there are people in this room with all sorts of different levels of understanding of all different parts of this topic, and I certainly confess that I am one of those, just blindly followed for a number of years. I guess some people around this table know something about NATA so if you’ll forgive me I thought it might help if I lead you through how we got involved in part of this area, and that is with the Australasian Information Security Evaluation Program, or AISEP, and the facilities, the AISEFs, that get involved in this.

First of all, what is NATA? NATA is a laboratory accreditation organisation. And for laboratory, you can read that very broadly, it’s testing facilities, testing calibration measurement facilities. It started in 1947, so we’ve got a pretty long history in this, in fact we can raise the flag for this country in this one because NATA was the world’s first comprehensive laboratory accreditation organisation, remains the world’s oldest comprehensive laboratory accreditation, and the largest, so that’s one for Australia.

I'll talk about some of our international partnerships in a minute.  We are endorsed by the Australian government as the Australian authority in laboratory accreditation. We're also a peak body in inspection accreditation which is another form of accreditation for doing different things and two different standards and we’re involved in other things as well. But I think it’s the accreditation side that’s important here. I said I’d take you on a bit of a journey as to how we became involved in the AISEP program because it’s a very good demonstration of what we do.

Defence Signals Directorate (DSD) approached us mid-90s when they were looking at outsourcing some of the work that they do in certifying these AISEFs. They were doing a lot of the work themselves in testing products to go on the EPL (the evaluated products list), there was more work than they could handle and they needed to outsource. So they came to us and said, you’re the accreditation organisation, will you help us develop a program.

So we did, we sat down with a, we drew together a steering committee, which is our usual way of developing these programs, and the steering committee, it depends on what sort of program, but usually involves technical people, business people, whatever’s interested in the area at stake, stakeholders in the area. We drew those people together and they put together the criteria which were required in order to tailor the standard that we use in laboratory accreditation, the international standard that we use to accredit testing facilities. So that was done, we called for interest in the accreditation, well, in this case we didn’t have to call for interest because it’s a closed community in the AISEF community, in others we call for interest and get in applications.

Then the process is that we go out and we do the assessment, we do the evaluation, we do that in association with technical experts in the area. So it’s a peer group technical evaluation. If all goes well, then the organisation that’s being assessed becomes accredited by NATA, that accreditation process goes through an accreditation advisory committee, which is one of the number of volunteer committees which we have within NATA, again it contains people from within that industry that can make recommendations to us about how that particular field should operate and through the chairman whether or not that organisation should be accredited. So once that’s done, they become accredited by NATA, that gives them national recognition, particularly if they’re dealing with government.

The other important thing is it gives them international recognition because NATA is one of a number of accreditation bodies of its type around the world. There are something like 34 bodies in a mutual recognition agreement, 34 economies in a mutual recognition agreement, with NATA, which means that an organisation which produces a test certificate, a NATA-endorsed test certificate in Australia, that test certificate is recognised in these other countries as if that body were accredited in one of those other countries.

Now I think this is a very important phase in the whole area of e-authentication, because unlike some of the politicians in this country who might have believed in the past, the internet ends at the border of Australia, we all know that it doesn’t, and that one day, not very far away, we are going, and indeed we do at the moment, we all trade internationally, and we’re going to trade through an authenticated or agreed electronic system. And if there’s going to be call for that system to be authenticated, to be accredited, then it’s important that the bodies that accredit that system in the different countries have some relationship with each other and are recognised one to the other.

This has happened in the past in a number of areas with which NATA deals. And the other important thing about this, and touching on the earlier question about should NOIE remain involved, I believe that the clear answer to that is yes, because in many of the other areas in which we were involved, and where technical accreditation underpins trade, and indeed prevents technical barriers to trade, it’s only because of that technical recognition, the NATA or NATA-like body around the world, it’s only because that exists that there can be government to government agreements in some of these areas. They very much underpin those government to government agreements. And government to government agreements, it is so obvious, can only be undertaken by government.

And it seems to me therefore that there has to be a strong involvement of NOIE or some part of government that’s got the understanding to advise government on how to negotiate and take part in these agreements which will undoubtedly become more and more important as we move forward in this area. Sorry Graham, that was a very long answer, I just tried to lead people through to what accreditation in this space is about and some thoughts on how government might be involved.

Graham Greenleaf 

We’re getting close, about 5 minutes away from having some afternoon tea, but we don’t seem to be all that much closer to getting any strong opinions about NOIE’s continuing role. We’ve certainly just heard one interesting opinion about that, but I’d like to come back to that point: the role of government in the continuing regulation in this area, and the need for some alternative private sector body. Would anybody like to come in on that at this stage?

Nigel Evans 

I think the first point is that accreditation is one thing, but to have any value, there’s got to be some mechanism to prevent unaccredited operators. I guess there’s an element of buyer beware, but if the price is right, there’ll be plenty of people who will use an unaccredited operator. So that’s one issue. The second point that comes out of that is of course, it’s constitutionally mooted, whether that’s within the commonwealth or the realm of other jurisdictions, and whether you see it as common, telecommunications or whatever. But there is a constitutional issue there, it’s not necessarily in NOIE’s court, and I think it’s presumptuous to think that it is.

That’s one point, the other point is that in terms of what government normally regulates, what we normally do and when we license, which is a form of regulation, to license businesses, professionals in various domains, the criteria are normally pretty straight forward and simple, almost on the yes/no and not many questions sort of vague. Whereas in this area it is complex, it is difficult, there’s quite a lot of fuzziness, it’s subjective, and there’s a whole raft of issues of competence and who can technically do it, and that may well mean that in effect, it is in terms of government perspective, outsourced to some other body.

And so maybe there is a matter of accreditation, and accreditation leads to a government regulation, it’s only one part of the process, it’s not the whole picture, and I think that’s a point to bear in mind.

Lyal Collins

I think you are right and you’re touching on a point that I’ve made for myself. Authentication is a complex topic, and so are some of the associated risks and liability, they’re topics that have come up before. We don’t yet have enough experience in electronic authentication to fully understand the syntax and semantics of what’s being discussed. We should crawl before we walk. And the accounting industry’s fallen over in a couple of examples with several centuries of experience and background behind it.

NOIE’s role: I think is a good one, as long as the state includes an educative role, particularly to spread the word about the syntax and semantics of the issues. And focus on a single technology is a real problem, as it puts all the eggs in one basket, in one framework, and it leads to some trade practices issues.

The banking community has a problem if it standardizes on an interest …forces, everybody to buy an interest can have equipment, for instance. That may or may not be an issue everywhere but it also must be whatever technology we choose, we adopt, it must be cost effective. It is a problem throughout the private sector. We don’t have the budgets the government does.

Julie Cameron

A simplistic set of questions. As a user, who is trying to be authenticated? Is it me as an individual, is it a company, in which case who should be looking after that?

I’m sort of wondering whether the question as to who looks after the whole issue depends on strength perhaps of authentication whether it’s a full PKI/gatekeeper type thing, or whether it’s more a Verisign, and whether it’s an individual signing a document, or an individual needing to be authenticated as a person, or in a role whether a secretary of a company or a person who is authorised to undertake transactions for a company, or is it a company that’s doing business say with a government organisation?

There is sort of a matrix that we’re trying to deal with here, and perhaps the question of the role of government in this really depends where we are on that matrix. A very sort of simplistic view but I think it’s a little bit confusing because of the complexity and the need for some kind of matrix. And that might help say, well government is involved, yes, in PKI for government agencies and for large companies, but perhaps government doesn’t need to be involved with things like Verisign for individuals, but there may need to be some form of more legally stringent thing if you’re dealing with the tax office, which of course is a hub and spoke model rather than a peer to peer.

Catherine Higgins  

We are actually publishing 2 publications next week which our minister is launching, and one is called “trusting the internet” and it goes into some of these issues explaining to small business so I think it’s very timely and that’s the next NEAC sort of product that we’ve got to the market now. And the other is the “government manager’s guide to authentication technologies” and it’s got a risk matrix in it so I think when you see some of those things next week it may go towards solving some of these discussions but they are very real educated issues that we need to work through in the marketplace, and they are quite complex.

Graham Greenleaf   

I confess to be a bit puzzled about this discussion so far, taking up Julie’s point in a way, but in a sense turning it on its head, I’m not sure that the level of regulation that’s needed is so much at the large end of the players or their interests being protected rather than the individuals, rather the other way round. I mean, my more general point is that it seems to me there’s a lot of the discussion so far has almost proceeded on the assumption that forms of authentication are uncontentious, but what we have to do is try and ensure that there’s necessary degree of quality control, but we’re not dealing in a field where what is being done is contentious in the first place.

I mean I find that difficult at the moment because I’m living in a jurisdiction where from next year everyone that’s likely to have a digital signature with a PIN and a compulsory national identification number on a smart card that contains 2 biometrics, a photo and a thumbprint. And to think that any of these forms of authentication are non-contentious when you have the potential of combinations like that.

Otherwise, I’m having a nice time in Hong Kong. But that as I said is the ingredient that seems to be missing in some of this discussion and I thought we were going to be in part be in the framework that NOIE’s foreshadowing, going to have some discussion on whether there’s any overall regulatory body for all types of authentication technologies that would also be looking at the regulation of the contentious aspects and whether there was any possibility of that moving outside the government sector.

So perhaps Tom could I throw that over to you and say, what’s the breach of this framework you’ve been talking about?

Tom Dale

It’s very hard for people in these discussions, and the same goes for the one that we had in Canberra last week. Inevitably as the discussion develops we all tend to come round, I think about three quarters is coloured consciously or otherwise by what particular form of authentication and that’s PKI, for all sorts of reasons it’s interesting technologically, and in some ways it’s more a sophisticated form of authentication, and it is out there, not to the extent commercially people thought it 3 years ago, but there are digital certificates in existence and they generally revolve around some sort of PKI structure.

So I think that colours our views makes it very hard to talk in terms of policy principles. I think that the fact that people haven’t expressed particular views about models of authentication is in itself an answer to some extent, obviously this will take the most extreme example of passwords to a network are authentication, no-one has suggested as far as I know that there needs to be a regulatory policy framework for instance.

Graham Greenleaf  

Tom that is precisely what is happening in HK, where there is the investigation of where the PINs should be brought into the authentication legislation in Hong Kong, I know that’s up in the air of course.

Tom Dale   

Yes, I can’t see that catching on as a debate here somehow. At the other end though in terms of emerging issues in biometrics, after Roger’s presentation I suspect that the discussion around that certainly should be unimpeded by the advantage that people are bringing to the discussion and might be a little bit more contentious.

Graham Greenleaf

I’m going to give Patrick the last comment, but other than that this is a good point to stop for afternoon tea, because as Tom said it’s going to be Roger’s job after afternoon tea to help drag us back to first principles and more general considerations.

Patrick Fair

I was just reflecting on whether the government has a role going forward, and I think there’s a reasonable hypothesis you could defend, that government has very little role, has needed very little in terms of choosing and regulating the authentication in terms of individual instances of certification authorities or the type of technology, but where the market isn’t likely to work or where there’s likely to be problems is in cross recognition.

And the economic interest of government in the well being of the country might dictate that cross recognition would be very good for economic activity and for interaction and for efficiency, where the market left to its own devices will have people carrying a number of keys which don’t cross authenticate and therefore cause an extra cost and extra inefficiency which the technology itself is able to overcome but the force of market and vested interests and opportunistic, and the fact that when systems start and who uses them and who chooses them might dictate against, and I’d be pretty comfortable leaving it to the market as to whether or not I accept a particular certificate or whether or not I choose to use a particular certificate to authenticate me, I think I might want to have a number of them for different purposes, for some purposes I might choose the very best and for others I might want to be anonymous.

But whether or not those systems spoke to one another is a much harder question and something where government really does have a role.

Graham Greenleaf

Let’s break for coffee, we’re right on time.


Session 2: Roger Clarke’s paper

Graham Greenleaf

Roger Clarke is going to get us started for this session of the symposium, he needs little introduction, but I haven’t heard him introduced, as David did for quite a long while, as Roger Clarke of the ANU, that’s a while ago. While he keeps that affiliation still, as I would say almost all of you know, Roger has principally been a consultant in the e-commerce and information infrastructure and electronic publishing and related areas, including privacy, of course, for quite a number of years now, but he is also one of the most academically productive and prolific non-academics that I know.

We’ve asked Roger to talk about the public interest aspects of all forms of e-authentication, to try to indicate the range of public interest issues that in any further or regulatory or non-regulatory structures for authentication will need to be factored in. Roger’s going to give a slightly lengthier presentation than Catherine did, probably around the 25 minute zone I think, because there’s a lot of these public interest issues to canvas, and that will help us to get off to a good discussion for the rest of the afternoon.

Roger Clarke

Thanks Graham; evening, ladies and gentlemen. The first thing I should do is apologise, because I’ve actually printed out a nice overview set of my slides 9-up. One of the results of this is that the print size is quite small. So I’m going to have to do a Richard Alston from time to time, and look down my nose at you so I can read what the hell the next point is.

My background, as Graham said, is e-business information and infrastructure, dataveillance and privacy, and I do it from a strategic perspective, a policy perspective, and public interest perspective and I normally try to say to myself what the hell am I trying to do tonight?  And the answer is the intersection of all those, because I've drawn slides from a variety of perspectives here and a variety of slide sets and developed a few specific to the needs of this evening.  So I will probably have to do some changing from time to time and you may have to stay awake in order to work out which perspective I'm speaking from at any given time.

The only other generic sort of point I would like to make before I launch is I've argued for years and years and years now that a huge amount of the time we're spending on technology and applications of technology, and we spend the time on them in separation from the implications issues.  That separation has been symbolized tonight because we spend the first time until coffee looking at technology and applications and covenants and those sorts of things and the implications is that soppy wet pinko that comes after coffee.

And then the separate discussion we have on the implications and it's all rot, we have got to get it back wound together so that we're looking at technology applications and implications intertwined and feeding back on one another.  So that's the attempt that I'm making here.

Now I'm going to lead off with some general points.  You can see the structure in the summary page sitting in front of you.  I'm going to start off by asking the question what authentication means.  Here as in most circumstances it's misinterpreted.  The primary sense in which it gets used and often the exclusive sense in which it is used is as though it meant identity authentication.  And there are a couple of honourable exceptions during the discussion earlier on this evening but most of the time that's what everybody implicitly meant by it, and I'm sorry but it's wrong.  Look up the dictionary and think about what it is that you are doing when you are authenticated, what your focus is.  Your focus is on some assertion, that assertion might be about identity, but it might not.

We have to get back to the real question when we are discussing authentication as to what the scope is.  Now in order to address this what I would like to do is to get to principles, get to taxonomies, and all those good things that a semi academic and semi consultant type of person likes to do but it's always easier when we start with a simple context and set an example.  And I use one of my favourite aphorisms of the Internet. 

This gets used interminably by everybody including me and of course that's another $75 U.S. the cartoon bank on the screen for photocopying it, probably $75 twice, we photocopied it as well.  But what I want to do is to draw out some questions about what is it that the people at the other end should be authenticated?  Now the words there don't say ‘on the Internet, nobody knows I'm Fido’.

The words say ‘on the Internet nobody knows you’re a dog’, so it gives me a perfect entree to point out immediately that it's not necessarily about identity.  These are the sorts of things that you might want to authenticate. 

One is, which dog?  It's Fido, it's that particular identity. 

Is it the same dog that I was talking to yesterday?  Consider the typical example of a person who is operating as a counsellor, an e-counsellor on the net who is dealing with Wendy or Bob who has been in contact with them last night and has come back and says it's Wendy again and the counsellor says yes I know, as long as it's the same Wendy, does it matter who the heck Wendy is?  Neither Wendy nor the counsellor want to have their actual identityhood noted to the other party because it's dangerous for both of them.  The Internet is actually a very good medium for those kinds of relationships.

So that's a second and quite different kind of assertion which involves quite different kinds of authentication mechanisms.  But sometimes it's none of those things, it's simply what your qualifications or your pedigree, it's attributes about the entity or identity that matters.  And whether or not you know the identity or entity to go with it is quite separate.  And sometimes it's not even the question of the attributes or general attributes about the person or dog, it's about whether when you say I am speaking on behalf of another dog, whether you really do.  And that then is a legal question.

And by agency here I don't mean as in government agency, I mean as in principal-agent relationship.  That one was alluded to once during the earlier discussion and I think it's a very important facet, in the B2B marketplace it's particularly important.  And a great deal of the time all you're actually concerned about is whether what you're getting from the other party is what it purports to be as distinct from the question of whether the other party is who they may or may not want to be.  So just using that simple little diagram, we can draw out lots of these kinds of things.

And then of course we can do old dry boring taxonomies, now these taxonomies, and there is the paper wrapped around this with all of the points that I'm making here, there are drill-down slide sets and drill-down papers and there's references here so you can see the deeper aspects that I'm trying to argue.  But let's look quickly at the bottom left-hand corner and identity authentication which is what we seem to be mostly focusing on, we seem to blur the human vs. organization, have been the two things that I think most of the discussion so far has been about.  That's 2 of 15 that I identified as being important, approaches to authentication, or differently said, 2 of 15 classes of assertion that are important in B2B, B2C, G2B and all those other kinds of e-business. So we've got to shift our focus to look at a much broader scope.  I will talk briefly down the four on the right, attributes authentication hopefully fairly clear, are you a doctor or not a doctor, are you really a qualified counsellor, are you really a member of this club, are you a member of the home forces who can actually open a bank account with the defence forces credit union, being a fairly topical one at the moment.

Agency authentication: do you really represent that principal as you either claim to or as you appear to, not necessarily a claim but an assertion isn't necessarily that I am Roger Clarke.  You just assume I'm Roger Clarke because all of the billing gave me as Roger Clarke.  I didn't necessarily assert it did I?  You always have to be careful about who's making the assertion.

The third one down the right hand side is the question of where are you?  This can be quite important old fashioned issues, is this person logged in from the terminal that's in the appropriate spot of the building, not just the question of who you are, but where you are and whether anybody might be looking over your shoulder who hasn't got your privileges.  There is quite a long-standing question of location authentication but there's going to be a few more mobile, or now we have to call it, ubiquitous computing era, and the other one authentication that's already been mentioned, credit card detail checking, e-cash, credential checking.  There's a whole pile of these things that we really need to look at.

Now, having established that our scope ought to be really broad if we're talking about e-authentication, otherwise feel free Tom, to call it identity authentication, but please don't muddy, please determine what this purpose and use appropriate terms and define out of scope the things that are out of scope.  I'd much prefer to see you doing the whole lot, hard and challenging though it's going to be.  I will then make the same mistake that everyone else is making, and I'll focus mainly on identity authentication, or is it only identity authentication?  I will bury you back to the top left-hand corner because we are going to do a bit of that as well.

So let's start with the simple diagram we all work with, and thanks to Bill Gates, yet again, I cannot believe the number of variations of bugs between different versions of PowerPoint.

This little thing here says 1, and that says n, and that says record column. And it’s going to be like this on every one of the next four slides.

That’s the model that most of us implicitly have most of the time when we’re talking about identity authentication. Whatever the epistemological and ontological assumption is, I can never remember, phenomenology is it? We assume there’s a real world and there are entities out there and they got attributes. There’s probably a philosopher in the audience that can sort me out on the words. And we assume, well we’re pretty sure, if there’s an abstract world there where we abstract things, well we don’t really, we model the real world by creating some bits of data, some pieces of data which represent, usually pretty imperfectly, that identity and those attributes. And for any given identity, there could be multiple sets of records, possibly using multiple sets of identifiers. That’s the pattern that we normally think in terms of.

Now what we so often overlook is that underlying that identity is an entity, a physical being, an identity is not a physical being, an identity is best conceived of as things like a role or a person in a situation, the expression being used by several people tonight about it’s the context in which the person presents to a particular organisation that determines the identity that they are presenting, so we use identity in that sense, and there is an entity with attributes underlying it. And this here points out that there is an m to n relationship between entities and identities. Firstly you shouldn’t assume that each human being has only one identity. We have squillions of them. Quick, open your wallet, count your cards, think about all the numbers that aren’t on cards in your wallet, all of those organisation-assigned identifiers correspond to an identity. So there’s many of them. So there’s got to be at least one to many. But in practice there are many circumstances in which more than one entity presents using a particular identity. Sometimes with the approval, or perhaps connivance, of the identity themselves, and sometimes because it’s “identity theft” in the many senses in which that word gets used and abused.

So we have to at least get to that level of complexity before we can make any sense at all of some of the questions of identity authentication. And having done that, we then move to the next step, of recognising that there’s some kinds of identifiers, if you want to call them that, that are specialised and different from identifiers because they strike directly through to the underlying identity. And clearly here we are talking about biometrics in the case of human entities, but in the case of legal persons, I challenge you to come up with some sensible entifiers for utterly fictitious legal entities like trust companies, like One.Tel, no even some of the existent ones. It’s very very challenging to think through what that means in some of the B2B contexts, and indeed B2C where the consumer is trying to reach the organisation and strike through to the entity underlying it. Some interesting philosophical challenges. I use the term entifier because it makes sense to strip the id off the front and relate it directly to the entity.

I’ve gone back by means of a classic scholar, to the origins of the words identifier and identity and I’m sure they basically derive from an ancient Greek verb “to be” and therefore it’s perfectly legitimate to come up with a neologism like entifier. Interestingly, I don’t think the word ever existed, it’s like one of those funny things like ‘couth’ that doesn’t actually exist but should. So I just suggest entifier, just to distinguish it from identifier, just because it’s significantly different in practice, and when we have our discussions, once again we need to think our way through ramifications of this. And as you can see from the right hand side of the diagram, having a lot of space left, that’s not quite the end of it.

Because there’s one further category which is very easily overlooked.

In the discussion paper issued by NOIE, there is a mention, one line, unfortunately not taken any further, but on page 4, this other bit does get in there. And, my god they come up with another bug there, the words in the box in the top right hand corner have disappeared. It’s a secret, I’m not going to tell you what’s in there. Did it print? No? It says up there, Nym and data items. And by a Nym, which I’ll define on the next slide, or you can look ahead, I mean a particular kind of identifier. And the particular context that I’m talking about here, is where we have an identity but it is very difficult to strike through to the identity that underlies it. That’s meant to be 2 bars, but for this version of PowerPoint they didn’t separate them enough. It’s meant to be a blockage.

Now there’s 2 different contexts here, or 2 different circumstances.

One is where it is not in practice in the circumstances not feasible to break through, and you can never find out who the entity is underlying the identity. Somebody emails you from hotdickety [at] hotmail.com, and you are unlikely to ever break through unless they give you the information, because you can’t issue search warrants, and you haven’t got the money to buy people to trace through the layers you’d need to trace through to find out who the hell is out there using that login ID at hotmail. Some organisations possibly have, so then it may not be an absolute blockage. So in your context, that’s anonymity, and that Nym is pretty solid. In the CIA’s context, to go to a different extreme, perhaps not so, it may only be a pseudonym.

There are of course quite a few circumstances where people think they’re anonymous and turn out not to be, and there’s been a couple of expensive but effective criminal investigations which have struck through in the context of child pornography especially, have struck through what those users thought was anonymity and got through to the underlying entity, and quite clearly many of us are very interested in being able to achieve that, because the accountability, the social responsibility aspects are very well served by that.

Couple of quick comments. Anonymity is, anonymity has always been, and anonymity will be. Anonymity is also challenging as well as being highly beneficial.

I have been trying to encourage much more discussion of effective pseudonymity, with appropriate kinds of blockages built in that make it genuinely hard for governments and powerful corporations to break through, except when the right circumstances are satisfied. So it’s a combination of legal and technological and organisational safeguards necessary to achieve it. I don’t think that there has been much success in interesting people in effective pseudonymity yet, but boy I’m continuing to work on it.

My essential point is that unless we have got that rich a model when we talk about identity and entity authentication we aren’t going anywhere. And that is my definition of Nym, perfectly negotiable, it’s been published that way, but I’ve been known to gradually modify my definitions as the years go by. Nym is used by a smallish community around the world at the moment, I originally published all this in 1994, using the term digital persona, but that hasn’t particularly taken off, the concept is extremely closely related to what I’m talking about with Nym, but others have taken up Nym but it’s an extremely useful neologism because it’s not much used to mean anything else, and the root is appropriate, so let’s use it. But when you look at the number of different words that are around, that concept has been around since time immemorial in many different contexts, so I’m heartened by that.

So, so much for the lecture, hectoring, about what authentication really means. Let’s jump to the question of tools.

And here on this slide, I’ve tried on one slide to fire off what’s in the NOIE discussion paper and refine it a little, because I think there’s a couple of aspects that are useful to work on.

The first point that I’m trying to make is that there is a considerable richness of alternative tools on the left hand side, even more than is in the listed examples, they’re only listed as examples on the NOIE discussion paper, there’s an even longer list depending on how you want to break it down. The second generic point that I’m making on the right hand side is that for any one of these to work, a whole pile of preconditions have to be satisfied. The great deal of infrastructure necessary is not just PKI to support these digital signatures, all these different kinds of tools require quite a range of things in place.

The next couple of points that I ought to make would be to draw a couple of these to your attention that might otherwise escape. The writing of a signature is well established, that is a physical signature, and I mean by that either the result or the behavioural pattern of writing a signature, and I don’t believe we should lose that one because it is quite feasible it may continue to play a role in e-authentication as well. The second bullet on the left I’d like to generalise the username/password pair because it is a specific instance of a particular piece of knowledge, password in any case, if not the username, which is likely to be in the possession of a person and not in the possession of others. There are many other instances.

There is also various other aspects like password arguments, so I’d like to generalise that somewhat, and highlight that it’s dependent on a reasonably well understood pattern of things and processes otherwise it won’t work.

With the third bullet point, I’d like to highlight that with PINs, we also have to recognise non-secure PINs. What do I mean by that? Some are hashed in a secure manner, and the ATM EFTPOS example is up in most of our minds. There are other instances of things called PINs that I don’t think should be but they are. How many people have got a telecard or an Optus equivalent? That PIN is known to the operators at the other end. And you are then wide open to spoofing by the organisation or any of the individuals who might move outside their agency relationship with their employer and take home a whole bunch of PINs, knowing the number that goes with it. It’s only 12 digits, it’s not very hard to memorise. So I think something from a regulatory viewpoint that would be really really handy would be to ban Telstra and Optus from referring to those as PINs. Get another word, fellas. I’m not saying they shouldn’t do what they’re doing, I’m saying they shouldn’t debase the concept of PIN, because the concept of PIN carries with it an image of security. And I think there was one other one that I wanted to highlight? No, I think that was all the points. Clearly there is an awful lot of potential points for discussion here. Now let me divert to the fifth bullet point, digital signature and PKI. I’m going to have to have my ritual go at conventional go at PKI, because it just wouldn’t be fun if I didn’t.

The first point is that it’s dependent on a number of things, it’s dependent on public key, it’s dependent on left put private key, it’s dependent on a lot of software, it’s dependent on a lot of law, and it’s dependent on a lot of faith. To take that a little further, and let me underline conventional x509 based public key infrastructures basically don’t work. There’s plenty of literature on this not only in my papers but much more erudite cryptographers and lawyers have written on this. There are some things that a digital signature can do for you, and there are some things that a public key structure wrapped around it may or may not be able to do for you. But it’s extraordinarily difficult to come up with a public key infrastructure to do all the things that used to be claimed.

Now Steven Watts and I have had this out many times, overread and not overread, and there are phrasings of this which Steve and I could probably be happy with, not these phrasings, I underline, but some aspects of this Steven would rephrase, it’s being used for the wrong things, stop envisioning it as an e-passport, and I’m quoting him this afternoon. So we’re somewhat apart, but not as far apart as might appear from the phraseology here.

There’s a whole bunch of prerequisites if you’re going to depend on public key infrastructure to give you assurance. There are many possible kinds of public key infrastructure, remember I am reserving my nastiest for the existing x509v3 based typical implementations of public key infrastructure. There’s all those sorts of things that has to be done, for god’s sake don’t think that I can do a tutorial on that slide right now, and x509v3 we’ve got to recognise where it came from. It was a hammer lying around when somebody picked up a nail, and somebody said, ooh, ooh I’ve got a hammer, hit the nail quick!

It has a history, it comes from a history that is rather separate from, totally unrelated, but rather disjunct from what it’s being applied to, and it has bunches of features which may well have made a lot of sense in the original directory context but don’t make a very good fit especially in a B2C or a G2C context. Got some problems in the G2B and B2B as well, but especially serious, I believe, are in the B2C context. And indeed when you’re trying to represent agency relationships, principal/agent, what is it that this employee can sign for on behalf of the company, there’s been a lot of that reverberating around the B2B and G2B environments recently. And there’s always been this problem about what the hell do you do about revocations?

There’s actually a logical philosophical conundrum in the whole issue of revocation, and it’s basically insoluble, and there’s some really poor approaches to solve it and some rather better ones which still actually can’t totally solve the problem. And the invasiveness, not just comments about e-authentication but to the public concerns about e-authentication, the impact on the public if the registration authority was to do its job in the most serious minded way, is very very substantial. I continually paint the picture that Kerry Packer has got to stand alongside John Howard has got to stand alongside Pru Goward, has got to stand alongside Nicole Kidman, holding a sheaf of documents, they have to do it in a queue.

I’ve always said that I want to be alongside Nicole Kidman, but it is a fact of life that these things have all got to be done, and some of them, adduced difficult, and a great deal of the population is going to have trouble with it. Some of them because they’re going to have trouble finding the documents, some of them because they’re just getting seriously upset, some of them because they’re out bush, running around little territories and such like places, with a lot of threatening things involved if we actually do it. I don’t want to dwell much longer, actually I’ll tell you what I do want to do, I want to slip in the slide that I should have put there and what I didn’t have when I reviewed this was a rounding off slide on the PKI issue.

Firstly, I don’t want to be interpreted as saying that, sorry Richard Alston, digital signatures and public key technology applied to such purposes is totally dead in the water. There are applications and there are potentially approaches that can be taken other than the ones that have been taken up until now.

And even with conventional PKI certificates there can be some contexts, device authentication, which we haven’t really talked about, is one, and closed communities, is the term I’d use for what several people mentioned under various guises in earlier discussion, and Stephen Wilson’s point earlier that it’s one of the big things about this in a closed community is that it’s automated or automatable, and that can give you some considerable comfort in a closed community environment. I’ve always used the example of the strong hierarchical organisations, I’ve always talked about the department of defence and the Catholic church because they’re the obvious examples.

And I suppose I’ll tell some of you this story that a couple of years ago when I was mentioning that example somebody from the audience came up to me afterwards, a Belgian, I gave the presentation in Europe, a Belgian came up to me afterwards and he said, you do know that the Vatican actually uses x509 v3 based PKI don’t you?

So I don’t want to be interpreted as saying, especially, that public key technology cannot possibly be applied to a variety of applications in e-authentication, but what we’ve got at the moment is not something that enthuses many of us at all.

I’m now going to have my little swipe, and I am afraid it is going to be a swipe, at biometrics. Once again there’s a bunch of slides underneath here which are referred to in the paper which I gave at Hong Kong University recently at Graham’s invitation, to go into some depth on what biometrics is and why it is giving us a lot of difficulties, the way in which people are approaching it at the moment.

The essential idea of a biometric process is that you start out by enrolling or registering some form of measuring device, capturing something, what I would call a reference measure, but the industry tends to call a master template, and then at some later time, a measuring device, quite possibly quite a different measuring device, captures what I would call a test measure, but is usually called a live template, in the industry, and they are then matched and analysed in some way, and thereby hang a few tales, which delivers some kind of result, and thereby hangs a few tales as well. And appreciating that and how it’s applied and used is very important in making further progress in analysing what biometrics is and isn’t good for. There’s a bit of argumentation as to how the application should be categorised, but I’m going to stick to the reasonably conventional for the moment until I can improve on this, that James Wayman at San Jose is trying hard to come up with a slightly different characterisation than this. But you can either try to answer the question who the heck is this person, and the standard situation in your airport is “