How it all works
Generally speaking, public key cryptography involves the use of two keys--one public, one private--which are created simultaneously using the same algorithm by a Certificate Authority (CA). The private key belongs to the company/individual/organisation that requested the creation of a key by the CA, while the public key is made available, as part of a digital certificate, in a directory that all parties can access.
The private key is never transmitted across the Internet or shared with anyone else. Its primary task is to decrypt information that has been encrypted by somebody else using that particular organistaion's public key. The private key can also be used to help that business authenticate information sent to somebody else. This means that you can encrypt data with your private key, and the person you've sent the information to can decrypt it using your public key. The main reason for doing this is to ensure to the person you are sending data to that the data actually came from you (or your organisation).
All of this sounds relatively simple in theory, but you have to remember that it all depends on the security and algorithm implementation of the CA. That is why Gatekeeper has strict standards for those organisations that wish to provide CA services to government departments.
A key part of that is the customer identification process in which the person or organisation that wishes to obtain a digital certificate must provide important ID information. Depending on what level of identification validation is obtained during the approval process for a digital certificate will determine what level of trust is associated with that certificate. The more valid identification information that can be provided, the higher the level of trust that can be attributed.
To complement this approach, there exists within the PKI system the capability to have what are known as Registration Authorities (RA). These verify user requests for a digital certificate and tell the CAs to issue those certificates to the requestor.
In Australia, Gatekeeper has fully accredited only a few CAs including the Australian Taxation Office (ATO), Baltimore Certificates Australia and eSign Australia. In concert with that, Gatekeeper has also fully accredited eSign to act as an RA--enabling it to provide both CA and RA services to the government--and it has also fully accredited the Health eSignature Authority as an RA for extended services.
The Health eSignature Authority is primarily an RA within the Australian healthcare industry, which was established by the Health Insurance Commission as a wholly owned, separate proprietary company. According to the Health eSignature Authority, it "receives applications from organisations and professionals within the Australian healthcare sector, authenticates the identity of the prospective Healthcare Location or Healthcare Individual User and submits requests to its Certification Authority--Baltimore Certificates Australia."
A major feature of eSign's Gatekeeper accreditation is that it is the first commercial CA to have the authority to issue Australian Business Number-Digitally Signed Certificates (ABN-DSC). Australian Senator Ian Campbell, parliamentary secretary to the Minister for Communications, Information Technology and the Arts (Senator Richard Alston), explained when the accreditation was made official, "The ABN-DSC is designed to enable Australian business to have a single online identity when dealing with their business partners and governments."
This is expected to streamline the business of conducting transactions online because the digital signature of each company will be linked to its Australian Business Number.
There are a large number of organisations that have applied for Gatekeeper accreditation as CAs including: SecureNet, KPMG Information Solutions, KNX Asia Pacific (Key Trust), Adacel, Maddock Lonie and Chisholm, Etax CPA, Alchemist Healthcare, beTRUSTed (part of PriceWaterhouseCoopers), SecureGate, KeyPost (a division of Australia Post), Telstra, Perpetua and Centrelink.
