Post on 14-Dec-2015
PKI: A Taxing Experience
Ed Bristow, Technical Manager, PKI Project, Australian Taxation Office, 5 December 2000
Secure Foundations
Canberra
Presentation Outline
• What we did
• Why we did it
• Where are we now?
• How did it happen?
• Learnings
• Where to from here?
• Conclusion
Business Drivers
• Tax Reform
  – Australian Business Number (ABN)
  – The New Tax System
  – GST
  – Business Activity Statement (BAS)
• Investing for Growth
  – Must offer services online by end 2001
  – ATO keen to add to existing eServices
    • Electronic Lodgment Service (ELS)
    • e-tax (self-lodged returns via Internet)
Australia undertook a major change to its taxation system during 2000.
The Federal Government has announced strategies for increasing the number of government transactions available online.
Context & Starting Points
• Gatekeeper
  – Sets out standards and processes for evaluating:
    • POI (proof of identity)
    • Security
    • Technology
    • Operations
  – Aims to ensure:
    • Trust
    • Interoperability
  – Assists with the development of e-commerce
Gatekeeper establishes a framework for PKI in the Federal Government.
The ATO PKI Today
• Roll-out started 16 June 2000
• 306,871 sets of keys & certificates generated so far
  – Total includes those revoked (12%) and those requested by businesses unable to use them
• 75,587 have been collected from the PKI web server
• 53,000 businesses are now ‘Ready to Deal’ electronically
The ATO PKI has been in production since June 2000.
Australian businesses are using a PKI-enabled application to exchange information with the ATO.
Key Features of the ATO PKI
• ATO CA operated for the ATO by Certificates Australia Pty Ltd
• CA uses UniCERT technology
• RA function interfaces with the ABR
• Keys & certificates distributed via the Internet
• Certificates valid for 2 years
• End-users get two certificates and key pairs: authentication and confidentiality
• End-entity keys are 1024-bit RSA; CA keys are 2048-bit RSA
• Predominantly NT4 platform
• Baltimore & ATO custom components
The ATO PKI in Action
• Securing and authenticating eBAS lodgments
  – Businesses with turnover > $20M are obliged to lodge electronically
• Superfund administrators lodging Surcharge and other reports
  – Up to 100,000 records in a file
  – Assessments returned to superfunds by the ATO
The ATO PKI is being used for the Electronic Commerce Interface (ECI).
Electronic Commerce Interface
• Fat client
• Interacts with a server component in the ATO
• Written in Java Swing
• Win 95, 98, NT
• Netscape 4 & IE 4
• Macintosh version also available
• Encrypts using the confidentiality key and signs using the authentication key
• ECI and PKI keys work together
• Browser required but not used for the interface
• HTTP traffic only - firewall friendly
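The two-key-pair model from the Key Features and ECI slides (a 2048-bit RSA CA issuing each business a 1024-bit authentication certificate and a 1024-bit confidentiality certificate, valid for two years, one used only to sign and the other only to encrypt), as an added Go example; this is not the ATO's, Baltimore's or UniCERT's code, and the CA name, the ABN subject, the serial numbers, the sample lodgment text and the choice of PKCS#1 v1.5 signatures with OAEP encryption are assumptions, since the slides do not state the algorithms used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// enrol generates an RSA key pair and has the CA sign its certificate, valid for two
// years as in the ATO PKI; with parent == nil the result is the self-signed CA itself.
func enrol(bits int, serial int64, cn string, usage x509.KeyUsage,
	parent *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, bits)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), KeyUsage: usage,
		Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil, BasicConstraintsValid: true,
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(2, 0, 0)}
	if parent == nil {
		parent, caKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, caKey)
	cert, _ := x509.ParseCertificate(der) // nil only if caKey does not match parent
	return cert, key
}

// Lodge models one ECI round trip (constructed names, 2048-bit CA, 1024-bit end entity):
// the business signs with its authentication key; the ATO checks both certificates,
// verifies the signature and encrypts the assessment to the confidentiality certificate.
func Lodge(lodgment, assessment []byte) ([]byte, error) {
	ca, caKey := enrol(2048, 1, "ATO CA (constructed)", x509.KeyUsageCertSign, nil, nil)
	auth, authKey := enrol(1024, 2, "ABN 00 000 000 000 (constructed)", x509.KeyUsageDigitalSignature, ca, caKey)
	conf, confKey := enrol(1024, 3, "ABN 00 000 000 000 (constructed)", x509.KeyUsageKeyEncipherment, ca, caKey)
	h := sha256.Sum256(lodgment) // business side: only the authentication key ever signs
	sig, _ := rsa.SignPKCS1v15(rand.Reader, authKey, crypto.SHA256, h[:])
	if auth.KeyUsage&x509.KeyUsageDigitalSignature == 0 || conf.KeyUsage&x509.KeyUsageKeyEncipherment == 0 {
		return nil, errors.New("certificate presented for the wrong purpose") // never encrypt to a signing key
	}
	if err := errors.Join(auth.CheckSignatureFrom(ca), conf.CheckSignatureFrom(ca),
		rsa.VerifyPKCS1v15(auth.PublicKey.(*rsa.PublicKey), crypto.SHA256, h[:], sig)); err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, conf.PublicKey.(*rsa.PublicKey), assessment, nil)
	if err != nil {
		return nil, err // a 1024-bit key holds at most 62 bytes under SHA-256 OAEP; more needs a session key
	}
	return rsa.DecryptOAEP(sha256.New(), nil, confKey, ct, nil) // business side: confidentiality key opens it
}
```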
The PKI Project
• Very tight timeframe
• Key objectives:
  – Establish PKI to support Tax Reform
  – Get Gatekeeper accreditation by 16 June 2000
• Small core team, but over 300 people involved in some way
• Testing and integration were the main technical challenges
• Documentation and accreditation were the most time-consuming aspects
Project Milestones
• PKI Project starts 1 June 1999
• Conceptual Design finalised 21 Sept 1999
• Baltimore delivers Phase 1 30 Sept 1999
• Phase 2 starts 19 Sept 1999
• ABN Registration Process begins 1 Nov 1999
• Baltimore delivers Phase 2 4 Apr 2000
• ATO CA certificate signed 25 May 2000
• ATO OCA certificate signed 5 June 2000
• Testing completed 15 June 2000
• Gatekeeper accreditation 16 June 2000
• Start of certificate issue 16 June 2000
• ECI CD mailout started 22 June 2000
• First download 28 June 2000
• First ‘Ready to Deal’ set 3 July 2000
• First eBAS ready for collection 15 July 2000
• First eBAS returned to ATO 27 July 2000
Success Factors
• Ability to use the ABN registration process
  – Businesses already being registered
  – Avoided the need for face-to-face POI
• Strong level of commitment from senior management
• Exceptionally hard work by all concerned
• Immovable deadline
What needs to go right in order to compress an 18-month project into 9 months?
Achievements
• CA signing 25 May 2000
• CA and OCA operated for the ATO by Certificates Australia Pty Ltd
• Full Gatekeeper accreditation 16 June 2000
• Certificate generation commenced 16 June 2000
• Media release 27 June 2000
• ABN registrations 3.4m (target 2.5m)
• Keys & certificates to mid-July 145K (target 137K); to 5 December 2000 307K
• ‘Active’ keys & certificates 270K
• Reissues 23K
• Revocations 14K
• Total downloads 76K
• ‘Ready To Deal’ 53K (businesses)
• Proportion downloaded in use 84%
3.4m ABNs and 307,000 sets of certificates by 5 Dec 2000
UniCERT
UniCERT ITSEC E3 certification was formally awarded on 4 Sept 2000.
The Australian Taxation Office congratulates Baltimore Technologies on achieving ITSEC E3 certification for
Learnings
• Large-scale registration is likely to be the hardest and most expensive component of establishing a PKI.
• Beware of tightly coupling PKI and business applications
• Increased security is likely to mean less ease of use
• Gatekeeper accreditation is a non-trivial undertaking - the ATO produced 64 different documents
• Set up a call centre and be prepared for up to three 5-minute calls from each customer
• Would the outcome have been even better if there had been an opportunity for a pilot?
• Get good partners involved and use their expertise
• Hide complexity wherever possible
• Do not over-estimate the computing abilities of end-users, or their willingness to read instructions
• Of help desk calls:
  – 15% are related to the ECI and BAS
  – 85% are related to PKI
    • 15% are due to clients not following instructions
    • 50% of PKI calls relate to passwords, PIC or certificate download issues
    • 10% are requests to change the Certificate Holder name
    • 10% are general enquiries
Where to from here?
• Increase take-up rate
• Introduce additional PKI-enabled applications such as:
  – Australian Business Register Phase 2
    • Businesses able to update their own records on-line
• Extend the ATO CA to be the trust point for ATO-specific purposes, such as:
  – Mobile computing
  – Authenticated single login
  – e-tax
The ATO has established a secure foundation for electronic commerce.
A number of strategies are being developed to take advantage of the PKI deployment to Australian businesses.
Whole of Government Issues
• ATO certificates are for ATO use only
  – Initial minimalist position to deal with liability issues
• NOIE is developing the ABN-DSC
  – Common profile
  – A number of commercial providers
  – Federal Government agencies must accept an ABN-DSC from any provider
• ATO’s systems will accept ABN-DSCs
Many federal government agencies want to roll out PKI-enabled applications.
NOIE is trying to establish common standards.
The private sector is seen as having a key role.
Conclusion
To be successful with a complex project you need an environment where:
• there are clearly defined business objectives;
• there is a well understood time line; and
• all participants are 100% committed to achieving a quality business outcome on time.
The introduction of Australia’s Goods and Services Tax provided such an environment.
The overwhelming success of the ATO PKI project was due to the efforts of over 300 talented people from:
• Australian Taxation Office
• Certificates Australia P/L
• Office of Government Online
• Defence Signals Directorate
• Australian Government Solicitor
• Baltimore Technologies
• Admiral Computing
• Aspect Computing
• EDS Australia
Thank you
References:
www.ato.gov.au
www.pki-ato.ato.gov.au
www.taxreform.ato.gov.au
www.business.gov.au
www.fsmke.org
www.ogo.gov.au
www.govonline.gov.au
www.noie.gov.au