PKI in Australia: Govt. leads the way

Getting educated

According to David, part of the problem with implementing PKI in Australia is the lack of regard for other security measures to prevent breaches in the first place. "As security breaches are the main driver of implementing any security technology within an organisation, it seems Australian businesses are waiting until the horse has bolted before closing the gate."

Another confusing factor, particularly for consumers and others that don't fully understand the technology, is the issue of where private information resides and how much of that info is actually required. Baltimore's Jeffries explains, "The 'evidence of identity' required to be gathered by a registration authority (RA) before a certificate is issued is defined in the certificate policy, usually a public document that can be found on the CA's Web site."

"This information normally goes no further than the RA (where it is subject to the normal requirements for storage of confidential client information)," says Jeffries. "The information does not, for example, get sent to the CA or, worse, the Root CA, for central storage."

Jeffries says it is often assumed that, because PKI has a hierarchical structure, this private information gets stored in a centralised location, which raises privacy concerns. It is this lack of clarity about the issue and the technology that causes uncertainty about the PKI system. Jeffries believes that users, consumers, businesses and organisations need to be fully educated about the structure of PKI as well as its benefits.

Gregg Rowley, managing director of eSign Australia, feels that PKI has the ability to build trust, particularly for consumers. Unfortunately, he believes that Australian consumers are reluctant to buy online because there is a distinct lack of brand trust in the marketplace.

"From a consumer perspective, research suggests that as a nation we lag behind the US and other parts of Asia, in terms of buying online," said Rowley. "Why?"

"When you stop and ask people whether they have bought anything over the Internet, it's still just a few that have," explains Rowley. "So, what's preventing us from doing so? One issue is trust of the brand... But, more importantly, the problem is security and people do not know what to look for in terms of what is a safe site and what isn't."

Rowley believes that the Web is probably one of the safer options for buyers and he feels that Web sites that offer consumers services have a duty to keep their customers informed.

"At the end of the day, the Web is actually safer than you or I giving our credit card to a waiter--the issue is that we don't perceive that to be a risk," said Rowley. "Given the much-publicised hacking incidents, the Internet is deemed a no go area... Perhaps e-tailers need to take the issue and spend more time and effort educating customers that Web sites are one of the safest buying channels."

A possible solution to the education problem could be to have PKI hosted by a secure hosting facility. One such facility was opened in Australia by Baltimore Technologies last week. The centre was built to "generate, manage and host public key infrastructures on behalf of Australian and international organisations and to provide other managed e-security services."

According to Baltimore officials, the facility was designed using ASIO (Australian Security Intelligence Organisation) guidelines that ensure a very high level of physical and operational security. The organisations using the hosting services and facility include Austrade, Australian Payment Clearance Association, ANZ, Health eSignature Authority, ATO, beTRUSTed and Telstra's Gatekeeper CA.

The centre has been accredited to provide Identrus and Project Angus (the combined Gatekeeper/Identrus initiative) services.

John Palfreyman, managing director of Baltimore Technologies in the Asia-Pacific region, expects this new centre to be of particular benefit to medium-sized businesses that understand the importance of adopting a PKI solution. Although these companies might comprehend PKI's significance, they may not have the resources in place to fully secure their businesses, explains Palfreyman.

Baltimore is able to provide these services because, as Palfreyman says, it already supports a number of CAs and the cost to add more clients is quite minimal. "We already have the expertise in place," states Palfreyman. "[Around] 70 percent of security is based on policy not technology."
