Tugger the SLUGger!SLUG Mailing List Archives

Re: [SLUG] ATO's keys and certificates


On Wed, Jul 19, 2000 at 11:39:13AM +1000, Rev Simon Rumble wrote:
> On Wed, Jul 19, 2000 at 12:03:15PM +1000, Jamie Honan uttered:
> 
> > Its aim is to enable me to verify that I am who I say I am, thus
> > requiring my 'profile' to be publically available?
> 
> Your public key, yes.  But in this scheme it appears that the ATO are
> generating the keys.  That means they can take a copy in escrow and
> forge your signature.  I don't like that.

basically you don't have choice, the governments wants all most interactions
to take place electronically. Are you sure that you are getting a Public/Private pair for encryption?

This URL <URL: http://www.govonline.gov.au/projects/publickey/abn-dsc.htm>
talks about digital certificates.

> You can create a PKI without key escrow -- in fact that's what
> assymetric keys are all about.  What you do is generate your own key,

Eh? Asymetric keys are part of PKI. Asymetric keys are used for PKI w/ escrow
and without escrow. Escrowness has nothing to do with the asymetric keys.

> however you want to do that, and present the public key to a signing
> authority (with appropriate identifying documentation, of course) who
> then signs it.  

Which reallys on a one/multiple "authoritative" signing authorities. Can
you spell monopoly (V.E.R.I.S.I.G.N)?

>People can verify the signature on your key against the
> signer's public key and so on up the chain and make a decision about "do
> I trust that this signer has followed their stated procedure of
> verification".

True; but verification is also about has the key been revoked/compromised?
Has it expired? Who else has signed it? The tower model of PKI (ala SSL)
handles the first two questions (not well mind you) and implies only a
single signature.

The peer-to-peer model doesn't handle revovation/comprimisation or expiration
well at the moment.

> There is enormous good that can come about from a solid,
> government-supported PKI.  For starters it could make online credit card
> orders non-repudiable if digital signatures are given the same force as
> normal signatures.

I was under the impression that Digital signatures already had the force
of normal signatures. I mean we are way ahead of the world here; we already 
censor the Internet, right?

Anyway, this <URL: http://www.law.gov.au/aghome/advisory/eceg/single.htm>
may be useful.

> I meant DSD: Defence Signals Directorate.  They seem to be
> running/coordinating this sge.net which looks like it'll run the secure
> transaction systems for the ATO and probably other agencies.

I don't know where you got that impression.

> Have a poke around online for references to the DSD.  In particular look
> for references to Steve Orlowski of the Attorney-General's Department
> who seems to be the main technical shaker and mover behind crypto issues
> in this country.  He is also an outspoken proponent for key escrow and
> reducing the public's access to strong crypto.

According to this: <URL: http://www.govonline.gov.au/projects/publickey/index.asp>

Peter Anderson is the main technical mover and shaker on PKI issues in the government. His title is "General Manager, Government Public Key Infrastructure".

Anand