
The Department of Finance Archive

The content on this page and other Finance archive pages is provided to assist research and may contain references to activities or policies that have no current application. See the full archive disclaimer.

Gatekeeper Frequently Asked Questions

As of 1 July 2015, ‘Gatekeeper’ is the responsibility of the Digital Transformation Office.

Frequently asked questions about the Gatekeeper Public Key Infrastructure Framework.

GENERAL

1. What is a Public Key Certificate?

A Public Key Certificate is the information that identifies the Certification Authority issuing the certificate; identifies its owner; contains the owner's public key; and is digitally signed by the Certification Authority (CA) issuing it. These certificates may also contain other information, which is secondary.

2. What is Public Key Technology (PKT)?

In PKT systems a user has two keys: a public key, which the user may publish freely, and a private key. The two keys are mathematical inverses of one another, which gives rise to two results. Only the holder of the private key can decode a message that someone else has encrypted with the corresponding public key. Also, a user can sign a message with the private key, and the signature can only be verified with the corresponding public key. These two mechanisms allow authentication of an individual, an organisation or a role, non-repudiation of messages, and secure transfer of information.

3. Are there any Australian Standards relating to PKT?

Standards Australia Committee IT/12/4/1 is responsible for the development of PKAF-related Standards. Australian Standard 4539 deals with the Public Key Authentication Framework (PKAF), and consists of the following parts:

  • AS4539.1.1 2000 General - PKAF architecture
  • AS4539.1.2.1 2001 General - X.509 certificate and CRL profile
  • AS4539.1.3 1999 General - X.509 supported algorithms profile
  • AS4539.2.1 2000 A framework for assurance of Certification Authorities

4. How will the Government use PKT?

PKT is a core enabling technology that will allow government agencies to implement a secure on-line transaction capability. It will also be used to authenticate subscribers and to ensure the integrity and confidentiality of information within the government on-line environment.

5. What is the Gatekeeper Policy Committee (GPC)?

The Gatekeeper Policy Committee, established on 29 June 2004, provides a forum for the discussion and development of policy and administrative changes to the Gatekeeper accreditation and recognition programs. The Committee's membership comprises Core Members, Advisors and Observers who are broadly representative of the Gatekeeper community of interest.

GATEKEEPER PKI FRAMEWORK

1. Why does the Gatekeeper PKI Framework specify different Categories of Digital Certificates?

The Framework acknowledges the different business and risk requirements of agencies utilising PKI as a means of authenticating their clients. It is structured in a manner that simplifies the process for agencies to determine, through appropriate risk assessment processes, which category of digital certificate is most appropriate. The Framework reinforces the concept of a digital certificate that is able to be used by an Individual or Organisation for a wide range of Transactions with agencies (the General Category). It also recognises that, for business or legal reasons, some agencies may require PKI deployments within a narrow and defined group of stakeholders (Special Category). The Framework also satisfies the requirements of those agencies that conduct high risk Transactions and require stronger assurance as to the identity of the Subscriber (High Assurance).

2. What are the distinguishing features of each Category?

Special Category:

  • Certification Authorities (CAs) operating in the Special Category will be required to meet the standards for Highly Protected as set out in the Australian Government Information and Communications Technology Security Manual (ACSI33) and the Protective Security Manual (PSM).
  • Relationship Organisations operating in the Special Category will be Listed under Gatekeeper.
  • Certificates are issued on the basis of the Relationship Organisation’s Evidence of Identity (EOI) Model and can only be used within a defined Community of Interest.

General Category:

  • CAs operating in the General Category will be required to meet the standards for Highly Protected as set out in ACSI33 and the PSM.
  • Registration Authorities operating in the General Category will be required to meet the standards for Protected as set out in ACSI33 and the PSM.
  • Known Customer Organisations and Threat and Risk Organisations operating in the General Category will be Listed under Gatekeeper.
  • Certificates are issued under a range of EOI models and will be able to be relied upon by multiple Agencies.
  • Agencies will be able to determine, from the digital certificate, which EOI model was used as the basis for issuance.

High Assurance Category:

  • CAs operating in the High Assurance Category will be required to meet the standards for Secret as set out in ACSI33 and the PSM.
  • RAs operating in the High Assurance Category will be required to meet the standards for Secret as set out in ACSI33 and the PSM.
  • Certificates are issued on the basis of the Formal Identity Verification Model and will be able to be relied upon by multiple Agencies.

3. What is the difference between Gatekeeper Accreditation and Listing?

Accreditation refers to the formal recognition by the Gatekeeper Competent Authority of the technical and operational competence of the Service Provider to carry out the operations described in the Approved Documents. Accreditation is limited to CAs, Registration Authorities (RAs) and Registration Authorities Extended Services (RAES). Listing refers to the process whereby the Gatekeeper Competent Authority approves and publicises Organisations using existing data holdings to verify the identity of Individuals and Organisations for the sole purpose of requesting or authorising the issuance of a digital certificate under the Gatekeeper PKI Framework. Listing is limited to Known Customer Organisations, Threat and Risk Organisations and Relationship Organisations within a defined Community of Interest.

4. If my Organisation is seeking Listing as a Known Customer (KCO), is Gatekeeper accreditation as a Registration Authority also required?

Accreditation as a Registration Authority is not mandatory for an Organisation seeking Listing as there are third-party Registration Authorities such as Australia Post which are able to offer these services. However, if a KCO wishes to register requests for digital certificates from customers who are not 'known customers', it must demonstrate to the Gatekeeper Competent Authority that its policies and procedures meet the requirements of the Formal Identity Verification model and the Gatekeeper EOI Policy. This process eliminates the need for the KCO to undergo Gatekeeper accreditation as a Registration Authority.

5. What roles are expected to be performed by Supplementary Certificates?

Supplementary Certificates include Device, Corporate and Hosted Certificates, each of which has been designed to satisfy a known business requirement. Hosted Certificates, at this stage, may only be used within a defined Community of Interest. Reliance on Supplementary Certificates by agencies will be based on internal risk profiles and will usually be Transaction dependent. Supplementary Certificates provide a variety of alternative certificate structures. For example, a Corporate Certificate will only identify an Organisation (not an individual Key Holder) and may also contain or specify roles or positions within that Organisation able to use that certificate on behalf of the Organisation.

GATEKEEPER PKI FRAMEWORK IMPLEMENTATION

1. What changes will Service Providers face when transitioning to the Framework?

All currently Accredited Service Providers will be expected to transition from their existing PKI deployments to the generation and issuance of digital certificates under the Gatekeeper PKI Framework. The Department of Finance and Deregulation (Finance), through the Australian Government Information Management Office (AGIMO), is meeting with each Accredited Service Provider to discuss and agree timeframes for document preparation and evaluation, with the objective of having all service providers accredited under the Framework by the end of June 2008. Accreditation of existing Service Providers under the Framework will involve revision (and simplification) of their suite of Approved Documents as well as policy and technical changes to internal PKI systems and procedures. Agencies relying on digital certificates to authenticate external clients may also have to undergo some degree of system modification, although this is expected to be relatively minor.

During the transition period Service Providers can continue to issue digital certificates under their existing Approved Documents. These digital certificates will continue to be accepted by relying agencies during their normal lifecycle and upon expiry will be replaced with certificates of the equivalent type as specified in the Framework. For example, an ABN-DSC issued by an accredited Service Provider in January 2007 will continue to be able to be relied on by agencies until December 2009, after which it will be replaced by a General Business Certificate. The changeover from the ABN-DSC to a General Business Certificate should occur with minimal disruption to end-users. The issuing Certification Authority will therefore need to support both “old” and “new” certificates during this transition period. Similarly, relying agencies will need to ensure that their systems are able to accept both “old” and “new” certificates during this period. For further details contact the Gatekeeper team at gatekeeper@finance.gov.au.

2. How long will it take for current Service Providers to obtain Gatekeeper Accreditation under the Framework?

It is expected that all currently Accredited Service Providers will complete their Accreditation under the Framework by the end of June 2008. The duration of each individual Accreditation will be determined by the Service Provider’s capacity to revise their existing documentation and the capacity of Authorised Evaluators to review relevant documentation. The accreditation process will be straightforward as documentation has been reduced and will mainly be derived from existing Approved Documents. There are no changes to the security standards under which Service Providers are currently accredited (although there are likely to have been updates to ACSI33 since some Service Providers were initially accredited that will need to be reflected in new documentation).

3. How long will it take for a new Service Provider to obtain Gatekeeper Accreditation under the Framework?

The Accreditation process (see Accreditation Criteria for Certification and Registration Authorities) is dependent on the ability of the Service Provider to provide documents in a timely manner, to engage Authorised Evaluators to review relevant documentation, and on the capacity of the Authorised Evaluators to review the documents. The reduction in the volume of documentation required for review will reduce the time and cost of Accreditations.

4. How much will it cost to obtain Gatekeeper Accreditation?

Finance, AGIMO does not charge Service Providers either for its evaluation/review of Approved Documents or for the actual accreditation of Service Providers. However, individual Authorised Evaluators operate on a fee-for-service basis.

5. Which documents will be evaluated and by whom?

Gatekeeper has established and maintains a series of Evaluation Panels for the purpose of facilitating evaluation of a Service Provider’s Approved Documents. Details of these Panels are available at www.gatekeeper.gov.au.

  • Legal Documentation (Certificate Policy (CP), Certification Practices Statement (CPS) and end user agreements) will be evaluated by an Authorised Legal Evaluator.
  • Physical Security elements of a Service Provider’s operations will be reviewed by an Authorised Physical Security Evaluator.
  • A Service Provider’s Security Profile (SEC1) will be evaluated by the Defence Signals Directorate (or an IRAP assessor).
  • A Service Provider’s Operations Manual and Disaster Recovery and Business Continuity Plan will be reviewed by Finance, AGIMO.
  • Personnel vetting will be undertaken by either Australian Security Vetting Services (ASVS) or Australian Protective Services (APS).

6. What is the status of Digital Certificates issued under a Service Provider’s current Gatekeeper Accreditation?

Digital certificates issued by a Gatekeeper accredited CA will remain valid for their normal lifecycle (generally two years). It is expected that CAs will continue to issue digital certificates under the terms of their existing Gatekeeper Accreditation until such time as they are Accredited under the Framework. After this date it would be expected that the CA will cease issuing “old” Gatekeeper Type and Grade digital certificates and commence issuing “new” digital certificates under the relevant categories of the Framework. “Old” certificates will remain viable until their normal expiry (unless revoked earlier by the issuing CA) at which point it would be reasonable for the certificate to be replaced by a “new” certificate. In effect this will require Relying Parties to configure their systems to accept both “old” and “new” digital certificates, albeit for a defined period of time.

7. Are the Certificate Profiles in the General Category mandatory and is there scope to add additional information into the Certificate Profile?

The profiles specified in the General Business and Individual Policy Specifications are mandatory. There is scope for CAs to include additional information in the profile to meet particular business requirements of relying agencies. Where such additional information is included in certificate extensions it must be marked non-critical.

DIGITAL SIGNATURES

1. Is a digital signature the same as a digitised signature?

No. A digitised signature is a computerised image of an entity's written signature. It may be attached to a word processing document as an image of the original written signature; it can be copied or altered and is not bound to the document. A digital signature is a cryptographic technique that encrypts a hash or digest of a document with a user's private key. This creates a unique and unforgeable identifier that the receiver can check to verify authenticity and integrity and to provide non-repudiation.
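An added end-to-end illustration of the three mechanisms the FAQ describes (a CA-signed certificate binding an owner to a public key, a document digest signed with the owner's private key, and verification with the public key); this is example code, not from the FAQ or from Gatekeeper itself. The issuer and subject names and sample document are constructed, and textbook unpadded RSA is used only so the mechanism is visible without a third-party library.

```python
# Added example (not from the Gatekeeper FAQ): textbook, unpadded RSA over
# hand-rolled primes, for illustration only; real PKI uses PKCS#1/PSS padding.
import hashlib, json, random

def is_probable_prime(n, rounds=25):
    """Miller-Rabin test for odd n > 3; adequate for a demonstration key."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:  # odd candidates with the top bit set, so p * q has 2*bits bits
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n):
            return n

def generate_keypair(bits=512):
    """Return (public, private) as (n, e) and (n, d)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def sign(private, data):
    """The FAQ's wording: the document's SHA-256 digest 'encrypted' with d."""
    n, d = private
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(public, data, signature):
    """Recover the digest with e and compare it with a fresh digest of data."""
    n, e = public
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue_certificate(ca_private, issuer, subject, subject_public):
    """Names the CA and the owner, carries the owner's public key, CA-signed."""
    body = {"issuer": issuer, "subject": subject, "key": list(subject_public)}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": sign(ca_private, encoded)}

def relying_party_check(ca_public, cert, document, signature):
    """Check the certificate against the trusted CA key, then the document
    against the key carried in the certificate (never one supplied by the sender)."""
    encoded = json.dumps(cert["body"], sort_keys=True).encode()
    if not verify(ca_public, encoded, cert["sig"]):
        return False
    return verify(tuple(cert["body"]["key"]), document, signature)
```

Altering the document after signing, or presenting a certificate signed by any key other than the trusted CA's, makes relying_party_check return False, which is the integrity and authenticity property the FAQ contrasts with a copyable digitised signature.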

2. How can we use digital signatures?

Digital signatures can function on electronic documents in the same way as physical signatures do on paper. This means they can be used to automate transactions that are currently carried out on paper. Digital signatures can be applied to email, Internet transactions, World Wide Web pages, EDI transactions and more. A trusted system of certification for the Australian Government will enable verification and authentication of transactions between clients, industry, government agencies and other governments.

LEGAL

1. Will individual privacy be protected?

Yes. The Australian Government is committed to ensuring that the privacy of individuals who deal with Commonwealth Departments and agencies is protected. The eleven Information Privacy Principles (IPPs) contained in Section 14 of the Privacy Act 1988 establish standards that cover issues such as the collection, storage, use and disclosure of personal information. The handling of personal information by Departments and agencies will comply with the IPPs. Commercial service providers that have received Gatekeeper accreditation are also contractually bound to comply with the IPPs as if they were a government agency.

2. Is Gatekeeper established by any specific laws?

There is no legislation that specifically relates to Gatekeeper. Instead, Gatekeeper has been established, and is run, administratively. Gatekeeper standards are mandated in contracts between the Department of Finance and Deregulation and Gatekeeper accredited service providers.

3. What laws govern digital signatures?

The Electronic Transactions Act 1999 (Cth) (ETA) provides a general rule that for the purposes of a law of the Commonwealth, a transaction is not invalid because it took place wholly or partly by means of one or more electronic transactions. The ETA came into force generally from 1 July 2001. From this date, all Commonwealth laws will fall under the Act except those specifically excluded. Section 10 of the ETA outlines requirements that must be met for an electronic signature to be valid. Generally,

  1. A method must be used to identify the person and to indicate the person's approval of the information communicated;
  2. The method must be as reliable as was appropriate for the purposes for which the information was communicated; and, where the transaction is with the Commonwealth (Gatekeeper is designed for transactions with Government),
  3. The method used is in accordance with the Commonwealth entity's particular information technology requirements.

This section of the ETA refers to the broader term 'e-signatures', which is not defined in the Act. However, a Cabinet decision requires all Australian Government agencies to use Gatekeeper when an on-line authentication system is required. The effect of this is that such transactions with Government agencies require the use of a digital signature. Transactions using digital signatures will also be governed by Common Law principles, e.g. contract law and negligence. An on-line transaction will often contain the same elements as an offline transaction, and their validity may be determined by the facts in each case.

4. What privacy protections are in place within Gatekeeper?

Gatekeeper has an extensive range of privacy protections in place.

  • The Head Agreement that Gatekeeper service providers must sign with the Department of Finance and Deregulation binds the service provider to the Information Privacy Principles as contained in the Privacy Act 1988. Head Agreements also contain a number of other requirements to protect personal information. Privacy Audits may be conducted within the terms of these agreements.
  • Users must have the option to possess multiple key pairs under the Gatekeeper Framework.
  • Pseudonymous certificates are supported by Gatekeeper.
  • Key escrow is not required under Gatekeeper.
  • The Gatekeeper Policy Committee (GPC) includes the Office of the Privacy Commissioner as an Observer to reflect wider community interest.

Gatekeeper is a registered trademark.