In November 2001 a working group charged with the task of proposing a public key infrastructure (PKI) for the Icelandic government delivered its findings to the Minister of Finance.
Below are a translation of section 1, Summary, and section 5, The Committee's Propositions and Conclusions.
A PDF – version of the original report is available in Icelandic. (203K)
Section 1. Summary
One of the main preconditions for the spread of e-government in Iceland is that the public has as much confidence in the digital handling of affairs as the traditional method. One should be able to rely on the security, privacy and stability of transactions, regardless of the method used.
Digital signatures based on public key infrastructure will be an important factor in building up such confidence. A new Digital Signatures Act, No. 28/2001, and the prospective review of the Public Administration Act, lay the foundation for e-government parallel to traditional methods. The aim should be that, over the coming years, all citizens can obtain certificates and other equipment for fully valid digital signatures and encryption at an acceptable cost.
The development of technical solutions for digital signatures and equipment to support public key infrastructure is very rapid accompanied by intensive marketing activity. In light of the rapid development of the technology, and the fact that the spread among the public will take some time, it does not seem advisable to choose and buy some high-tech solution, e.g. based on smart cards, for the whole country at this time. It seems more attractive to take up simpler solutions in the short-term that can ensure the adequate security of many aspects of digital public services. The same or parallel solutions could be used in various fields of e-commerce.
This opinion of the committee is inter alia based on an almost unanimous opinion of specialists from Nordic authorities as described in the documents referred to.
1.2 The main aspects of a long-term security policy
1. – Spread – general use
The objective should be to make the use of digital certificates general and widespread. Experiments by other nations of the use of smart cards in transactions between the public sector and the general public, where individuals are expected to buy the cards, have failed. Presumably, there are obstacles involved concerning both price and effort. However, in order to maintain a high level of security, some effort must accompany the process of identifying people through the appropriate method and delivering the certificate into the right hands. Innovative ways should be sought to stimulate the use and spread of digital signatures among the public and in the economy.
2. – Market solutions – active competition. Versatile digital certificates
The objective should be that the public can use their digital certificates when communicating with the state, regardless of who issued the certificates and as long as they meet the conditions applied. This should be ensured by making requirements about the content and form of certificates and rules about their handling, which need to be met before they are accepted in communication with public institutions. The requirements should be based on European and international standards, and modelled on requirements made by other Nordic countries, e.g. Sweden. See appendixes 4 and 5. The requirements can be set forth either in framework agreements or a regulation based on the law.
3. – The appropriate level of security - acceptable cost
A common mistake when implementing security systems such as public keys is to determine a certain level of security in advance and then choose a solution and apply it to the whole management. There is no single solution that works everywhere. Therefore, it is necessary for institutions to have a risk analysis carried out for each part of the activity and then choose the appropriate security system with regard to acceptable cost and results of the analysis.
The financing of the system has to work, preferably so that the cost of participants is proportionate to the benefits realised by taking up the methods of e-government. In Sweden, a system is being implemented where the state is expected to accept certificates issued by or for others, in whose interest it is to deliver digital certificates to people. These others might be the commercial banks, various organisations etc. Government institutions will pay a fee to certificate authorities for the verification of signatures when electronically signed documents are received. Thus, the digital certificates of individuals can by used for a variety of services and communications.
1.3. Action plan
The committee emphasises that the preparation for and implementation of public key infrastructure takes a long time and demands strategic methods. Therefore, it is necessary that the work, which started with the nomination of the public key committee, continue at full force and without delay. The committee suggests the following four-part action plan over the next two years. Before that time is up, a revised plan, looking further ahead, should be made available.
Firstly, public institutions should be provided with access to solutions for digital signatures as soon as possible. Such access could for example be obtained by some major institution in need of extensive interactive communications with both individuals and the economy, or a number of institutions in collaboration, being given the task of arranging a tender procedure for such a solution and controlling its operation. An effort should be made to obtain standardised market solutions from the start in accordance with the propositions in Section 5.1. It would be very motivating for the progress of the matter if projects utilising the same certificates for more than one operation could be started soon. (For example, notifications to the Register of Limited Liability Companies, Customs Clearance and the return of tax information).
Secondly, measures should be taken to allow public institutions as soon as possible to provide services on the basis of certificates on smart cards issued by others (commercial banks, organisations and others). Such an arrangement would greatly encourage the spread of digital certificates among the general public.
Thirdly, dynamic user support should be provided for public institutions that want to adopt public key solutions. They should for example receive assistance and consultation on risk analysis.
Fourthly, a task force should be established and charged with the responsibility for co-ordinating activities in this area, liasing with industry and trade concerning standards and other relevant arrangements for the smooth operation of a public key infrastructure and conducting the necessary PR activity.
Work on a definition of rules about form and contents of a certificate policy should be started immediately considering such work already done in Denmark and Sweden as well as taking into account the relevant accepted standards. A specification of the contents of certificate fields should be part of this work. The committee expects that it will be necessary to hire foreign experts to perform this task.
Section 5. The Committee's Propositions and Conclusions
KPMG's analysis (see Appendix 1) has demonstrated the need for public key infrastructure (PKI) in order to improve the secure handling of documents in many places in public administration. An examination of policy documents and the experience gained from experimental projects in our neighbouring countries, such as Denmark and Sweden leads to the same conclusion. An analysis of efficiency, cost or time has not been carried out in this country, but there are a few projects that would almost certainly be well served by public key solutions.
The committee deems it preferable, and it is the essence of its propositions, to use as a role model the "Scandinavian way" described in this report and the documents referred to. By adopting already acquired experience, it is possible to avoid mistakes. By adopting, with changes found appropriate for the local environment, the methods and modus operandi which the specialists of three nations seem to agree on, Icelandic public administration can, to a considerable extent, catch up with the head start already acquired by most of our neighbouring countries.
In order to reach these goals, the following is proposed:
5.1. Standardised market solutions
There are many ways of introducing public key infrastructure and it cannot be determined at a glance which one best suits the Icelandic government. Points that need to be determined include the applicability of certificates, determination of the security level, influence of the current law and cost for the state and its customers. A few of these points will be further treated in Section 6. Furthermore, the role of the market has to be taken into consideration, as certification and issuance of digital certificates along with the sale of various specialised equipment has become a sizeable industry. Two solutions will be mentioned here, one on each end of the spectrum available, before a standardised market solution is proposed.
It might be termed a pure market solution when the state only instructs institutions to use public keys in accordance with the results of a risk analysis. Each institution makes an agreement with its certification service provider (CSP) about the issuance and maintenance of certificates, certification and registration. The certification policy of the service provider is associated with the trustworthiness of a public institution through a formal agreement.
- Advantages: Free market, requires minimum effort from the institution, minimum centralisation.
- Disadvantages: Risk of many types of certificates being in use, each with limited applicability. Cost mostly determined by the price lists of certification service providers. Special arrangements have to be made relating to communications between institutions, such as to make an agreement with one service provider about services for all government institutions, but then there is a danger of the service provider in question dominating the market. Iceland's position relating to communications with the authorities in other countries uncertain.
A pure state solution would be when the public sector established an integral framework of certification authorities, facilities for the issuance of certificates, its own root key, security and surveillance systems and a number of other activities.
- Advantages: Full control over all aspects. The state independent of service providers that come and go.
- Disadvantages: The management becomes cumbersome, no guarantee for conformity to the market.
The third way, which might be termed the standardised market solution, is a solution whereby the state makes requirements about the main points of the certification policy and its implementation as well as the form of certificates. The requirements are in accordance with the implementation of European and international standards as they are used in our neighbouring countries, thereby obtaining a widespread co-ordination.
The requirements are put forth in a framework agreement or regulation. Government institutions can deal with any CSP that has made a framework agreement or can confirm compliance with the relevant regulation, whichever arrangement is chosen. An agreement is made with the market about the division of cost. The Swedish State has chosen this method and framework agreement will be signed at around mid November. Available information indicates that both Danes and Norwegians plan to take a similar course.
- Advantages: Standardised solution, relatively simple to implement, the same certificate can have many uses, e.g. for individuals.
Two things are gained by this: an open market with many possibilities of the sharing of certificates; and the rules will be in accordance with the provisions of law and directives about qualified signatures. The committee believes it highly likely that a general consensus could be reached about this method in Iceland, especially when considering the fact that the use of digital signatures is not yet widespread.
5.2. Ambitious goals, realistic achievements
The development of technical solutions for digital signatures and equipment to support public key infrastructure is very rapid parallel to their strong marketing. Standards to ensure compatibility and thereby the efficient use of investments in equipment, are being developed. Readers for smart cards could soon become standard equipment in new computers, e.g. in government framework agreements. The spread of such equipment is bound to take longer among the general public. On the other hand, it should be remembered that methods of identifying people are also being developed. This includes biometrics technology such as fingerprint scanners. Digital signatures with certified fingerprints have been used in experimental projects, in Holland for example.
Smart cards or other such hard media carried by the certificate holder are believed to provide the only secure method of preserving valid certificates. Equipment to read smart cards is still not widespread. In light of the above, it seems very risky to purchase immediately some high-tech solution, e.g. based on smart cards, for the whole nation.
This by no means represents a divergence from the policy of introducing and supporting valid digital signatures. All preparation should assume that government institutions could use them in communications with the companies and the public as soon as the demand rises. Demand from the public may rise due to the spread of certificates issued for another purpose, e.g. home banking.
Experiments by other nations of the use of smart cards in communication between the public sector and the general public, where individuals are expected to buy the cards, have failed. Presumably, there are obstacles involved concerning both price and effort. However, when maintaining a high level of security is concerned, some effort must accompany the process of identifying people through the appropriate method and delivering the certificate into the right hands.
The financing of the system has to work, preferably so that the cost of participants is proportionate to their benefits gained from taking up digital communications. It would be very motivating for the progress of the matter if projects utilising the same certificates for more than one operation could be started soon. (For example, notifications to the Register of Limited Liability Companies, Customs Clearance and the return of tax information).
Experience in other countries, shows that implementing a public key infrastructure is time consuming. Therefore, the committee finds it necessary to continue the development work as soon as the committee's task is done. The future management system of the state's PKI needs to be considered. Many of our neighbouring countries have established a common command, which is responsible for the public key infrastructure, maintains it and regularises the operations of authorities.
The procedure is rather complicated and its significance rarely recognised in public administration and throughout society. Therefore, intensive publicity needs to be maintained both among executives of government institutions and the general public.
A common mistake when implementing security systems such as public keys is to determine a certain level of security in advance and then choose a solution and apply it to the whole management. There is no single solution that works everywhere. Therefore, it is necessary for institutions to have a risk analysis carried out for each part of the activity and then choose the appropriate security system with regard to the results of the analysis. The following three levels of confidence are commonly recognised.
- A high level of security meets the requirements of a qualified signature in the Digital Signatures Act No. 28/2001. In Norway, Denmark and Sweden, the requirements of a qualified signature are not considered met unless certificates are stored on smart cards or other hard keys which people carry with them.
- A medium level of security is based on an advanced digital signature as described by the law. This level usually allows the saving of encryption keys on a workstation or on disk, as long as the system solution used ensures that they are not easily accessible. The relevant PIN-number should be used each time a signature is used. This security level is considered adequate in the handling of many affairs and communications in government institutions.
- A low level of security, for example other types of certificates, identifier based on keywords and PIN-numbers alone (SSL and such solutions).
The committee believes that in the implementation of new projects regarding public services, a high or medium level of security should be used whenever giving out personal information or sensitive information about corporations.