[LINK] What's changed in PKI? [was: Electronic witnessing ...]
Stephen Wilson
swilson at lockstep.com.au
Fri Jul 30 22:56:23 AEST 2010
Roger Clarke wrote:
> So what the blazes were the likes of Medicare and NEHTA doing in [PKI]??
> [Sorry, but I just couldn't resist.]
It's a fair question.
Medicare's PKI adventure goes back a very very long time, with the good
intention to issue digital certificates to doctors. They built the
Health eSignature Authority (HeSA) but they got bogged down in Project
Gatekeeper, which in the late 1990s saw the 100 point check as the only
true way to do PKI. To comply with Gatekeeper rules, the registration
process did nothing more than a 100 point check, so a HeSA certificate
issued to a doctor actually gave no indication about their medical
qualifications. Doctors hated the indignity of presenting evidence of
identity to score a digital version of their extant qualifications.
Applications were klunky because the certificates didn't convey enough
information on their own to authorise anything really interesting.
Take-up was miserable. In the mid '00s HeSA saw the light and pioneered
"Relationship" certificates that were to represent finer grained
professional credentials; HeSA's strong CA facility would mint
customised certificates with all the RAs delegated to established
authorities in the sector. However a re-organisation to focus on
payments saw Medicare retreat to orthodox PKI, and focus on a special
breed of machine certificates for securing GP practice-to-government
transactions.
NEHTA c. 2007 thought that it would step into the void, to specify and
build a PKI for issuing certificates that stood for all manner of
healthcare credentials. The vision for a "National Authentication
Service for Healthcare [professionals]" was elegant and very doable, but
the execution has taken a lot longer than anyone expected. Several
other countries have managed to build PKI smartcard systems for medicos,
most notably France, Taiwan, Malaysia and Austria. The UK and Germany
have struggled like us; Thailand and India I think have programs too.
'Students' might get something more out of a history and critique of PKI
I presented at a NIST conference "Public Key Superstructure"
http://middleware.internet2.edu/idtrust/2008/papers/07-wilson-public-key-superstructure.pdf
>> The best thing to do with private keys is keep them in
>> personal hardware security modules, aka smartcards and their kin. ...
> And what authentication mechanism protects against any old passer-by
> invoking the highly-secure signing capability on the chip?
>
> Okay, there are many answers depending on the context ...
The simplest mechanism is a PIN. A PKI-enabled smartcard can be
configured to request the user's PIN before it invokes any private
key(s) it contains. With regard to passers-by hijacking one's
smartcard, I much prefer contact reader systems for "serious"
transactions like e-health, as opposed to ticketing and retail payments
where contactless is popular for convenience, and security is lighter.
Cheers,
Steve.
Lockstep
www.lockstep.com.au <http://www.lockstep.com.au>
Lockstep Consulting provides independent specialist advice and analysis
on digital identity and privacy. Lockstep Technologies develops unique
new smart ID solutions that enhance privacy and prevent identity theft.