
Number of slides: 25

Secure Foundations PKI: A Taxing Experience
Ed Bristow, Technical Manager, PKI Project, Australian Taxation Office
5 December 2000

Canberra

Presentation Outline
• What we did
• Why we did it
• Where are we now?
• How did it happen
• Learnings
• Where to from here?
• Conclusion

Business Drivers
Australia undertook a major change to its taxation system during 2000. The Federal Government has announced strategies for increasing the number of government transactions available online.
• Tax Reform
  – Australian Business Number (ABN)
  – The New Tax System
  – GST
  – Business Activity Statement (BAS)
• Investing for Growth
  – Must offer services online by end 2001
  – ATO keen to add to existing e-Services
    • Electronic Lodgment Service (ELS)
    • e-tax (self-lodged returns via Internet)

Context & Starting Points
Gatekeeper
• Establishes a framework for PKI in Federal Govt
  – Sets out standards and processes for evaluating:
    • POI
    • Security
    • Technology
    • Operations
  – Aims to ensure
    • Trust
    • Interoperability
  – Assists with
    • Development of e-commerce

The ATO PKI Today
The ATO PKI has been in production since June 2000. Australian businesses are using a PKI-enabled application to exchange information with the ATO.
• Roll-out started 16 June 2000
• 306,871 sets of keys & certificates generated so far
  – Total includes those revoked (12%) and those requested by businesses unable to use them
• 75,587 have been collected from the PKI web server
• 53,000 businesses are now ‘Ready to Deal’ electronically

Key Features of the ATO PKI
• ATO CA operated for the ATO by Certificates Australia Pty Ltd
• CA uses UniCERT technology
• RA function interfaces with the ABR
• Keys & certificates distributed via Internet
• Certificates valid for 2 years
• End-users get two certificates and key pairs: authentication and confidentiality
• End-entity keys are 1024-bit RSA, CA keys are 2048-bit RSA
• Predominantly NT 4 platform
• Baltimore & ATO custom components

The ATO PKI in Action
The ATO PKI is being used for the Electronic Commerce Interface (ECI).
• Securing and authenticating e-BAS lodgments
  – Businesses with turnover > $20 M are obliged to lodge electronically
• Superfund administrators lodging Surcharge and other reports
  – Up to 100,000 records in a file
  – Assessments returned to superfunds by ATO

Electronic Commerce Interface
• Fat client
• ECI and PKI keys work together
• Browser required but not used for interface
• HTTP traffic only - firewall friendly
• Interacts with server component in ATO
• Written in Java Swing
• Win 95, 98, NT; Netscape 4 & IE 4
• Macintosh version also available
• Encrypts using confidentiality key and signs using authentication key
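The two-key-pair design on this and the Key Features slide (sign with the authentication key, encrypt with the confidentiality key), as an added illustration that is not ECI or ATO code. It assumes the client signs a lodgment with its own authentication private key and encrypts the result to the recipient's confidentiality public key; the concrete algorithms (RSA-PSS, RSA-OAEP wrapping an AES-GCM key) are this example's choice, since the page does not name ECI's.

```python
# Added illustration, not ECI/ATO code: one end-entity holds two RSA key pairs,
# an AUTHENTICATION pair used only to sign and a CONFIDENTIALITY pair used only
# to receive encrypted data. RSA-PSS/RSA-OAEP/AES-GCM are this example's choices.
import os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def make_key_pairs(bits=2048):
    """Two separate key pairs per party (the 2000 deployment used 1024-bit end-entity keys)."""
    return {"auth": rsa.generate_private_key(public_exponent=65537, key_size=bits),
            "conf": rsa.generate_private_key(public_exponent=65537, key_size=bits)}


def sign_and_encrypt(lodgment, sender_auth_priv, recipient_conf_pub):
    """Client side: sign with the AUTHENTICATION key, then encrypt to the CONFIDENTIALITY key."""
    sig = sender_auth_priv.sign(lodgment, PSS, hashes.SHA256())
    aes_key, nonce = AESGCM.generate_key(bit_length=256), os.urandom(12)
    body = len(sig).to_bytes(2, "big") + sig + lodgment        # length-prefixed signature
    return {"wrapped_key": recipient_conf_pub.encrypt(aes_key, OAEP), "nonce": nonce,
            "ciphertext": AESGCM(aes_key).encrypt(nonce, body, None)}


def decrypt_and_verify(msg, recipient_conf_priv, sender_auth_pub):
    """Server side: unwrap, then verify; returns the lodgment or None if verification fails."""
    aes_key = recipient_conf_priv.decrypt(msg["wrapped_key"], OAEP)
    body = AESGCM(aes_key).decrypt(msg["nonce"], msg["ciphertext"], None)
    sig_len = int.from_bytes(body[:2], "big")
    sig, lodgment = body[2:2 + sig_len], body[2 + sig_len:]
    try:
        sender_auth_pub.verify(sig, lodgment, PSS, hashes.SHA256())
    except InvalidSignature:
        return None
    return lodgment


def demo():
    """Round trip, plus a key-purpose check: the sender's CONFIDENTIALITY key must not verify."""
    business, ato = make_key_pairs(), make_key_pairs()                 # constructed parties
    bas = b"<BAS abn='00000000000' period='2000Q3' gst='1234.56'/>"    # constructed sample
    msg = sign_and_encrypt(bas, business["auth"], ato["conf"].public_key())
    good = decrypt_and_verify(msg, ato["conf"], business["auth"].public_key())
    wrong = decrypt_and_verify(msg, ato["conf"], business["conf"].public_key())
    return good == bas, wrong is None
```

Keeping the two pairs distinct means a compromised or escrowed confidentiality key cannot be used to forge lodgments, which is the separation the slides describe.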

The PKI Project
• Very tight timeframe
• Key objectives:
  – Establish PKI to support Tax Reform
  – Get Gatekeeper accreditation by 16 June 2000
• Small core team, but over 300 people involved in some way
• Testing and integration the main technical challenges
• Documentation and accreditation the most time-consuming aspects

Project Milestones
• PKI Project starts: 1 June 1999
• Conceptual Design finalised: 21 Sept 1999
• Baltimore delivers Phase 1: 30 Sept 1999
• Phase 2 starts: 19 Sept 1999
• ABN Registration Process begins: 1 Nov 1999
• Baltimore delivers Phase 2: 4 Apr 2000
• ATO CA certificate signed: 25 May 2000
• ATO OCA certificate signed: 5 June 2000
• Testing completed: 15 June 2000

Project Milestones (continued)
• Gatekeeper Accreditation: 16 June 2000
• Start of certificate issue: 16 June 2000
• ECI CD mailout started: 22 June 2000
• First download: 28 June 2000
• First ‘Ready to Deal’ set: 3 July 2000
• First e-BAS ready for collection: 15 July 2000
• First e-BAS returned to ATO: 27 July 2000

Success Factors
What needs to go right in order to compress an 18-month project into 9 months?
• Ability to use the ABN registration process
  – Businesses already being registered
  – Avoided need for face-to-face POI
• Strong level of commitment from senior management
• Exceptionally hard work by all concerned
• Immovable deadline

Achievements
• CA Signing: 25 May 2000
  – CA and OCA operated for the ATO by Certificates Australia Pty Ltd
• Full Gatekeeper Accreditation: 16 June 2000
• Certificate generation commenced: 16 June 2000
• Media Release: 27 June 2000
• 3.4 m ABNs and 307,000 sets of certificates by 5 Dec 2000

ABN Registrations                        3.4 m (Target 2.5 m)
Keys & certificates to mid July          145 K (Target 137 K)
Keys & certificates to 5 December 2000   307 K
‘Active’ keys & certificates             270 K
Reissues                                 23 K
Revocations                              14 K
Total Downloads                          76 K
‘Ready To Deal’ (Businesses)             53 K
Proportion downloaded in use             84%

Achievements
• UniCERT ITSEC E3 certification formally awarded on 4 Sept 2000
The Australian Taxation Office congratulates Baltimore Technologies on achieving ITSEC E3 certification for UniCERT.

Learnings
• Large-scale registration is likely to be the hardest and most expensive component of establishing a PKI.
• Beware of tightly coupling PKI and business applications
• Increased security is likely to mean less ease of use
• Gatekeeper accreditation is a non-trivial undertaking - the ATO produced 64 different documents

Learnings
• Set up a call centre and be prepared for up to 3 × 5-minute calls from each customer
• Would the outcome have been even better if there had been an opportunity for a pilot?
• Get good partners involved and use their expertise
• Hide complexity wherever possible
• Do not over-estimate the computing abilities of end-users, or their willingness to read instructions

Learnings
• Of Help Desk calls:
  – 15% are related to the ECI and BAS
  – 85% are related to PKI
• 15% are due to clients not following instructions
• 50% of PKI calls relate to passwords, PIC or certificate download issues
• 10% are requests to change Certificate Holder name
• 10% are general enquiries

Where to from here?
The ATO has established a secure foundation for electronic commerce. A number of strategies are being developed to take advantage of the PKI deployment to Australian businesses.
• Increase take-up rate
• Introduce additional PKI-enabled applications, such as:
  – Australian Business Register Phase 2
    • Businesses able to update their own records on-line
• Extend ATO-CA to be the trust point for ATO-specific purposes, such as:
  – Mobile computing
  – Authenticated single login
  – e-tax

Whole Of Government Issues
Many federal government agencies want to roll out PKI-enabled applications. NOIE is trying to establish common standards. The private sector is seen as having a key role.
• ATO certificates are for ATO use only
  – Initial minimalist position to deal with liability issues
• NOIE is developing the ABN-DSC
  – Common profile
  – A number of commercial providers
  – Federal Govt agencies must accept an ABN-DSC from any provider
• ATO’s systems will accept ABN-DSCs

Conclusion
To be successful with a complex project you need an environment where: there are clearly defined business objectives; there is a well understood time line; and all participants are 100% committed to achieving a quality business outcome on time. The introduction of Australia’s Goods and Services Tax provided such an environment.

Conclusion
The overwhelming success of the ATO PKI project was due to the efforts of over 300 talented people from:
• Australian Taxation Office
• Certificates Australia P/L
• Office of Government Online
• Defence Signals Directorate
• Australian Government Solicitor
• Baltimore Technologies
• Admiral Computing
• Aspect Computing
• EDS Australia

Conclusion
References:
• www.ato.gov.au
• www.pki-ato.gov.au
• www.taxreform.ato.gov.au
• www.business.gov.au
• www.fsmke.org
• www.ogo.gov.au
• www.govonline.gov.au
• www.noie.gov.au
Thank you