SLUG Mailing List Archives
Re: [SLUG] ATO's keys and certificates
- To: Rev Simon Rumble <simon@xxxxxxxxxx>, Jamie Honan <jhonan@xxxxxxxxxxxxxxxx>, slug@xxxxxxxxxxx
- Subject: Re: [SLUG] ATO's keys and certificates
- From: Anand Kumria <wildfire@xxxxxxxxxxxxxxxxxx>
- Date: Fri Jul 21 13:33:25 2000
- Reply-to: slug@xxxxxxxxxxx
On Wed, Jul 19, 2000 at 11:39:13AM +1000, Rev Simon Rumble wrote:
> On Wed, Jul 19, 2000 at 12:03:15PM +1000, Jamie Honan uttered:
> > Its aim is to enable me to verify that I am who I say I am, thus
> > requiring my 'profile' to be publicly available?
> Your public key, yes. But in this scheme it appears that the ATO are
> generating the keys. That means they can take a copy in escrow and
> forge your signature. I don't like that.
Basically you don't have a choice; the government wants almost all interactions
to take place electronically. Are you sure that you are getting a public/private pair for encryption?
This URL <URL: http://www.govonline.gov.au/projects/publickey/abn-dsc.htm>
talks about digital certificates.
> You can create a PKI without key escrow -- in fact that's what
> asymmetric keys are all about. What you do is generate your own key,
Eh? Asymmetric keys are part of PKI. Asymmetric keys are used for PKI w/ escrow
and without escrow. Escrowness has nothing to do with the asymmetric keys.
> however you want to do that, and present the public key to a signing
> authority (with appropriate identifying documentation, of course) who
> then signs it.
Which relies on one/multiple "authoritative" signing authorities. Can
you spell monopoly (V.E.R.I.S.I.G.N)?
> People can verify the signature on your key against the
> signer's public key and so on up the chain and make a decision about "do
> I trust that this signer has followed their stated procedure of
True; but verification is also about: has the key been revoked/compromised?
Has it expired? Who else has signed it? The tower model of PKI (a la SSL)
handles the first two questions (not well, mind you) and implies only a
The peer-to-peer model doesn't handle revocation/compromise or expiration
well at the moment.
> There is enormous good that can come about from a solid,
> government-supported PKI. For starters it could make online credit card
> orders non-repudiable if digital signatures are given the same force as
> normal signatures.
I was under the impression that Digital signatures already had the force
of normal signatures. I mean we are way ahead of the world here; we already
censor the Internet, right?
Anyway, this <URL: http://www.law.gov.au/aghome/advisory/eceg/single.htm>
may be useful.
> I meant DSD: Defence Signals Directorate. They seem to be
> running/coordinating this sge.net which looks like it'll run the secure
> transaction systems for the ATO and probably other agencies.
I don't know where you got that impression.
> Have a poke around online for references to the DSD. In particular look
> for references to Steve Orlowski of the Attorney-General's Department
> who seems to be the main technical shaker and mover behind crypto issues
> in this country. He is also an outspoken proponent for key escrow and
> reducing the public's access to strong crypto.
According to this: <URL: http://www.govonline.gov.au/projects/publickey/index.asp>
Peter Anderson is the main technical mover and shaker on PKI issues in the government. His title is "General Manager, Government Public Key Infrastructure".
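An added example (not code from the thread or from any of the agencies named) of the enrolment Simon describes and the checks Anand raises: the subscriber generates its own key pair, only the CSR goes to a toy CA, and the relying party then verifies the chain, checks expiry, and confirms that nothing but the subscriber's own key produces a signature that verifies under the issued certificate. It assumes the openssl command-line tool is installed; all names and the 1-day validity are constructed, and revocation checking (CRL/OCSP) is not shown.

```shell
#!/bin/sh
# Added example, not from the thread: CA enrolment where the subscriber
# generates its own key pair, so the CA never holds the private key (no escrow).
# Subjects and the 1-day validity are constructed for this demo.
set -eu
WORK=$(mktemp -d)

# Root CA: self-signed certificate and key (the "authoritative" signer).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Signing Authority" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Subscriber generates its own key pair locally; only the CSR (public key plus
# identity) is presented to the CA. user.key never leaves the subscriber.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Subscriber" \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
}

# CA signs the CSR; $1 is the validity in days.
sign_csr() {
    openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days "$1" -out "$WORK/user.crt" 2>/dev/null
}

enrol() { make_ca; make_csr; sign_csr 1; }

# "ok" if user.crt chains up to ca.crt, else "untrusted".
chain_status() {
    if openssl verify -CAfile "$WORK/ca.crt" "$WORK/user.crt" >/dev/null 2>&1; then echo ok; else echo untrusted; fi
}

# "valid" if user.crt is still valid $1 seconds from now, else "expired".
expiry_status() {
    if openssl x509 -in "$WORK/user.crt" -noout -checkend "$1" >/dev/null; then echo valid; else echo expired; fi
}

# Sign a constructed message with key $1 and verify it against the public key
# in user.crt: "good" only when $1 is the subscriber's own key, "bad" otherwise.
sig_status() {
    printf 'constructed tax return' >"$WORK/msg"
    openssl dgst -sha256 -sign "$1" -out "$WORK/msg.sig" "$WORK/msg"
    openssl x509 -in "$WORK/user.crt" -noout -pubkey >"$WORK/user.pub"
    if openssl dgst -sha256 -verify "$WORK/user.pub" -signature "$WORK/msg.sig" "$WORK/msg" >/dev/null 2>&1; then echo good; else echo bad; fi
}

enrol
echo "chain: $(chain_status)  now: $(expiry_status 0)  in 2 days: $(expiry_status 172800)"
echo "signed with user.key: $(sig_status "$WORK/user.key")  signed with ca.key: $(sig_status "$WORK/ca.key")"
```

The CA's own key cannot produce a signature that verifies under the subscriber's certificate, which is exactly what is lost when the CA generates the key pair instead.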