Increasingly, national governments worldwide are actively turning to public key infrastructure (PKI) and digital certificates for the purposes of:
- National ID programs.
- Single sign-on (SSO) for workstations and software applications.
- Signed and encrypted government email.
- Authentication of documents through digital signatures.
- Authentication of citizens’ identities for online services such as taxpaying.
National digital ID programs are a worldwide work-in-progress. According to a 2016 World Bank report, “Most developing countries have some form of digital ID scheme tied to specific functions and serving a subset of the population, but only a few have a multipurpose scheme that covers the entire population.” According to the same report, the reasons for adopting digital ID vary by nation: “In high-income countries, digital ID represents an upgrade from well-established, robust legacy physical ID systems that have worked reasonably well in the past,” while “low-income countries…often lack robust civil registration systems and physical IDs and are building their ID systems on a digital basis, leapfrogging the more traditional physically based system.” In either case, it is clear that the global trend is toward the creation of new national digital ID systems or the expansion of existing systems.
In many cases, initiatives such as these include legislation to create an agency tasked with developing and enforcing national standards for public key infrastructure (PKI), licensing local certificate authorities (CAs) to provide digital certificates, and/or developing government-run PKI and CAs. These agencies are commonly given the title Information and Communication Technologies Authority (or ICT Authority). This article is intended to supply decision-makers at national ICT Authorities and licensed CAs with the information they need to answer important questions like:
- Should we develop our own internal PKI, or contract the services of existing CAs?
- What is the fastest and most efficient route to offering publicly trusted certificates to our citizens?
PKI, Digital Certificates, and CAs: A Quick Review
In a nutshell, Public Key Infrastructure (PKI) is used to manage pairs of public and private keys and bind them to the identities of entities, such as persons and organizations, through the issuance of electronic documents called digital certificates. The mathematics behind PKI ensures that if a certificate is signed with a given entity’s private key, anyone with the public key from the pair can:
- Verify that the entity presenting the signed certificate is in possession of its corresponding private key (authenticity).
- Trust that the content of the certificate has not been altered since it was initially generated (integrity).
- Use the public key to encrypt a message that can only be decrypted with its associated private key (encryption).
By enabling authenticity, integrity, and encryption, PKI and digital certificates permit secure communication over insecure networks, such as the Internet. An organization that maintains a PKI and manages the issuance and revocation of digital certificates is known as a certificate authority (CA).
Public vs. Private Trust
Although there are many applications for digital certificates, their most well-known use is for secure web browsing, made possible through the SSL/TLS and HTTPS protocols. In order to prevent browser warnings and error messages, digital certificates issued for public-facing websites must be signed by a publicly trusted CA. Public trust is also desirable for certificates to be used with email clients, desktop operating systems, and other software for end-users, so that users or IT staff will not have to manually add privately trusted certificates to OS certificate stores.
Publicly trusted CAs are regularly and rigorously audited for compliance with industry standards, such as WebTrust for CAs, in order to be included in the public trust stores of major operating system and software suppliers such as Microsoft, Apple, Google, and Mozilla. It can take many years for a CA to gain inclusion into all of these programs, and it must undergo regular, rigorous audits in order to maintain that status. In contrast, privately trusted CAs are not subject to these standards, but are not as useful for public-facing applications.
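The properties listed in the review above and the private/public trust distinction, shown with OpenSSL as an added example (not SSL.com's code): a leaf issued under a self-signed root and issuing CA verifies only when that root is supplied as the trust anchor, and a document signature stops verifying once the document changes. Subject names, file names and the document text are constructed.

```shell
# Added example: two-tier private PKI built with OpenSSL.
# All subject names, file names and the signed text are constructed.
issue() {  # args: dir, new name, signer name, extension section, subject
  openssl req -new -config "$1/ext.cnf" -newkey rsa:2048 -nodes -subj "$5" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$1/ext.cnf" -extensions "$4" \
    -out "$1/$2.pem" 2>/dev/null
}
build_pki() {  # arg: an empty working directory
  cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF
  # Self-signed root: a trust anchor only where someone installs it.
  openssl req -x509 -config "$1/ext.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -sha256 -days 30 -subj "/CN=Example Gov Root CA" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null || return 1
  # Issuing (subordinate) CA signed by the root, then a leaf signed by it.
  issue "$1" sub root v3_ca "/CN=Example Issuing CA" || return 1
  issue "$1" leaf sub v3_leaf "/CN=Citizen 0001"
}
chain_ok_with_root() {  # private trust: the root is named as the anchor
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/sub.pem" \
    "$1/leaf.pem" >/dev/null 2>&1
}
chain_ok_public() {  # default trust store only; this root is not in it
  openssl verify -untrusted "$1/sub.pem" "$1/leaf.pem" >/dev/null 2>&1
}
sign_doc() { openssl dgst -sha256 -sign "$1/leaf.key" -out "$2.sig" "$2"; }
verify_doc() {  # needs only the public key carried in the certificate
  openssl x509 -in "$1/leaf.pem" -pubkey -noout > "$1/leaf.pub" &&
  openssl dgst -sha256 -verify "$1/leaf.pub" -signature "$2.sig" "$2" \
    >/dev/null 2>&1
}

d=$(mktemp -d) && build_pki "$d" && printf 'constructed form\n' > "$d/doc"
chain_ok_with_root "$d" && echo "explicit root anchor: chain verifies"
chain_ok_public "$d" || echo "default trust store: chain rejected"
sign_doc "$d" "$d/doc" && verify_doc "$d" "$d/doc" && echo "signature verifies"
echo x >> "$d/doc"; verify_doc "$d" "$d/doc" || echo "altered text: rejected"
rm -rf "$d"
```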
Government PKI Development: Internal vs. Hosted
Once a government decides that it needs a PKI to issue certificates to its citizens (or a local company seeks licensing to offer certificates on behalf of the government), a common first thought is to invest in the development of an independent infrastructure. After all, tools for implementing a self-signed CA, such as Windows Server, OpenSSL, and EJBCA, are available at low or no cost. On second glance, however, this option has multiple potentially deal-breaking challenges and costs to overcome:
- Achieving public trust for seamless use with desktop operating systems and software such as web browsers, email clients and office suites is typically a long, arduous process, and successful achievement and maintenance of this status is not guaranteed.
- The costs of finding and employing qualified staff to securely and effectively operate a PKI at a national scale are considerable.
- The hardware and networking costs associated with establishing and maintaining a national PKI may be greater than initially expected. Furthermore, attempts to scale PKI (for example, to cover more citizens and enable additional essential government services) will likely require additional expertise and infrastructure over time.
As digital technology and its associated security needs become more intertwined with government processes and more agencies and citizens make full use of digital certificates, hardware, networking, and personnel costs can all be expected to grow. These expanding costs can be a limiting factor on using PKI to its fullest potential to serve a nation and its citizens.
Advantages of Hosted PKI
Some commercial public CAs, including SSL.com, currently offer hosted publicly- and privately-trusted PKI as a service, and offer the potential for governments and their licensees to bypass many of the issues detailed above. Furthermore, the industry standards for security and reliability to which these CAs are held are typically already in compliance with the PKI standards and guidelines issued by national ICT Authorities. By choosing a hosted PKI with a reputable public CA, governments can expect to find:
- Effective systems already in place for certificate issuance, lifecycle maintenance, and expiration, along with automated notifications of impending certificate expiry.
- A PKI already operating successfully at a global scale.
- A CA that is subject to frequent, detailed audits that meet or exceed the standards put in place by the nation’s ICT Authority, and is required to stay abreast of evolving industry standards and best practices.
In most cases – and especially for developing nations – the hosted solution will be found to be less expensive, simpler to implement, and more secure than attempting to develop a home-grown PKI.
Hosted PKI from SSL.com
For our government customers globally, SSL.com offers the following world-class benefits:
- Custom Solutions: SSL.com collaborates with governments and licensees worldwide to optimize the generation, installation, and lifecycles of certificates for smart ID cards and other applications.
- Branded Subordinate CA: A hosted subordinate CA (also known as an issuing CA) from SSL.com offers complete control over the issuance and management of publicly- or privately-trusted certificates, at a fraction of the cost of establishing an independent root CA and PKI. For example, a local CA licensed to issue certificates on behalf of a government can immediately achieve public trust, regulatory compliance, and branded digital certificates.
- Management Tools: SSL.com’s online management tools allow users to easily issue high volumes of certificates and manage their lifecycle.
- API: Administrators can easily automate certificate issuance and lifecycle with SSL.com’s SSL Web Services (SWS) API.
SSL.com has all the tools necessary for hosted, branded, publicly- or privately-trusted PKI that satisfies the guidelines of most countries’ ICT Authorities or other IT regulatory bodies. For more information, to let us know your specific needs, or to have our staff review and confirm our ability to comply with your national guidelines, please contact us by email at Sales@SSL.com or Support@SSL.com, call +1 877-SSL-SECURE, or just click the chat link at the bottom right of this page.