Conclusion of KPMG Report on Public Key Infrastructure, May 2001

Chapter 6 on PKI

In this final chapter the major findings of the study are presented. Next, some considerations are discussed and possible next steps are recommended.

6.2 Findings
6.2.1 Situation in Iceland
The findings of this study clearly show that within the government of Iceland numerous applications are anticipated that will need or at least benefit from applying and using PKI technology. Most of the departments and agencies interviewed expect that they will use digital signatures and encryption based on digital certificates.

No significant differences were identified in requirements for PKI between the three domains (government internal, government – citizens and government - business). However, it must be noted that very few applications have actually reached a project development or implementation phase yet (hence the word anticipated above), which lead to the result that detailed requirements could only be identified to a limited extent. Exceptions which are further along include the identified applications at the Tax Office, Customs and the Student Loan Fund. The latter outsourced its application to Form.IS which has more governmental customers in need for digital signatures.

Based on our discussions with some of the Icelandic banks, it has become clear that they are planning to issue smart cards to all of their customers starting later this year. This fact may be of relevance due to the possibility that private keys and digital certificates may be stored on such a card. In addition, the banks have stressed that they are more then willing to participate with the government on these PKI and smart card matters. We can also conclude that most governmental departments have in principle no objection to using a certificate that was issued by a private company. We note that the present banking card is used as a de-facto ID by many – public and private – organisations in Iceland, even though officially it is not.

6.2.2 Other studied countries
When looking at the PKI initiatives in Canada, the Netherlands and Sweden, the following tentative conclusions can be drawn:

• It is clear that Canada is at least a few years ahead in using PKI technology for e-government applications. The type of applications that this study identified are to a large extent similar to those anticipated in Iceland. This fact supports the conclusion that Iceland may benefit from using PKI technology and be aligned to the Canadian approach where possible. Though the Netherlands and Sweden are not nearly as far as Canada, they also have a clear view that PKI technology is required to be able to fulfil the security needs of e-government applications.

• Canada and the Netherlands have a similar approach to deploying the governmental PKI. In both countries a co-ordinating infrastructure (made of both organizational and legal standards and technology) is put in place to facilitate departments that want to use PKI technology. By using a common approach and standards, the result is an interoperable infrastructure. In Sweden a simpler model is used, defining a government certificate for citizens that can be issued by multiple private organizations (e.g. the banks). However, these CSPs are not operating under a common root (public) CA.

• Both the Netherlands and Sweden use the European standards (ETSI) as a basis for their own policies. They both expect smart cards to emerge as the standard storage device for keys and certificates in the (near) future.

This report has identified the need for PKI technology for deploying Iceland's e-government applications. It also looked into the approaches that some other countries took in meeting their e-government trust and security objectives. Emerging from this is the overall conclusion that further action from the Icelandic government is required. Related to this are the following considerations:

Timing		The study showed no pressing need for PKI functions at this point in time but given the anticipated governmental applications this need will manifest itself within the near future. Establishing a structure capable of fulfilling this need requires substantial effort and time. Therefore, further action on this matter should commence shortly to be able to service the governmental departments and agencies when required. In this way the risk of the arising of non-interoperable PKI-islands (e.g. different certificates for each governmental application) can be avoided.
Building expertise within the government		As stated before PKI technology is a complex matter and little knowledge regarding its development and usage is available either within the private or public sector. The process of the government of Iceland becoming a large user of this technology will be most effective if at least a certain level of expertise if available from internal governmental employees. This expertise should cover organisational, legal as well as technical aspects of PKI.
International Governmental Forum		Iceland is not the only country to adopt PKI technology for e-government applications. Numerous other nations have done so of which some quite early. Participating in the international platforms (forums) that exist on (governmental) PKI, provides the opportunity to learn from the experiences of others.

As mentioned in the introduction, the requirement analysis is an important yet initial step in the process of developing the PKI approach for the government of Iceland. Next steps in this process should include the following:

Develop alternative scenarios for fulfilling the digital certificates needs (requirements)		Insight in the different options and their respective advantages and disadvantages can be derived from developing a number of likely scenarios in which the digital certificate needs can be fulfilled. These scenarios should distinguish between – amongst others – the level of in/outsourcing or corporation with other parties; the scope of certificate usage, the usage domains distinguished. The consequences on or interdependencies with the government's PKI originating from the Icelandic legislation should be reckoned with in building the scenarios. Financial consequences should also be analysed. Another critical subject to be addressed in this step is the reciprocal impact in the event a national ID card will be used in Iceland.
Determine the PKI approach		In this step the most favourable and feasible (combination) of scenario(s) is chosen.
Develop initial PKI Trust and Governance Model		A PKI Trust Model describes the position and roles of the different PKI components and should be based on the government of Iceland organisational structure and ICT infrastructure. The Governance model describes how the PKI is controlled and kept trustworthy. A Policy Management Authority or similar committee may be established that defines standards and sets policies as a main component of a Governance model.
Set up initial government PKI organisation and start with implementing a few pilot projects		It is recommendable to use a phased approach for the PKI deployment and to start with a limited number of pilot projects in areas where a successful implementation is most likely. In these projects, the embedding of PKI within the overall security architecture needs to be addressed. The results of these projects will provide valuable insights and expertise for determining the preferred approach for all government-led PKI deployments.