PKI: A Taxing Experience
Ed Bristow, Technical Manager, PKI Project, Australian Taxation Office
5 December 2000
Secure Foundations


Presentation Outline
- What we did
- Why we did it
- Where are we now?
- How did it happen
- Learnings
- Where to from here?
- Conclusion

Business Drivers
- Tax Reform
  – Australian Business Number (ABN)
  – The New Tax System
  – GST
  – Business Activity Statement (BAS)
- Investing for Growth
  – Must offer services online by end 2001
  – ATO keen to add to existing eServices
    - Electronic Lodgment Service (ELS)
    - e-tax (self-lodged returns via Internet)

Australia undertook a major change to its taxation system during
The Federal Government has announced strategies for increasing government transactions available online.

Context & Starting Points
- Gatekeeper
  – Sets out standards and processes for evaluating:
    - POI
    - Security
    - Technology
    - Operations
  – Aims to ensure
    - Trust
    - Interoperability
  – Assist with Development of e-commerce

Gatekeeper establishes a framework for PKI in Federal Govt

The ATO PKI Today
- Roll-out started 16 June ,871 sets of keys & certificates generated so far
  – Total includes those revoked (12%) and those requested by businesses unable to use them
- 75,587 have been collected from the PKI web server
- 53,000 businesses are now ‘Ready to Deal’ electronically

The ATO PKI has been in production since June 2000. Australian Businesses are using a PKI enabled application to exchange information with the ATO.

Key Features of the ATO PKI
- ATO CA operated for ATO by Certificates Australia Pty Ltd
- CA uses UniCERT technology
- RA function interfaces with ABR
- Keys & Certificates distributed via Internet
- Certificates valid for 2 years
- End-users get two certificates and key pairs - authentication and confidentiality
- End-entity keys are 1024 bit RSA, CA keys are 2048 bit RSA
- Predominantly NT4 platform
- Baltimore & ATO custom components

The ATO PKI in Action
- Securing and authenticating eBAS lodgments
  – Businesses with turnover > $20M are obliged to lodge electronically
- Superfund administrators lodging Surcharge and other reports
  – Up to 100,000 records in a file
  – Assessments returned to superfunds by ATO

The ATO PKI is being used for the Electronic Commerce Interface (ECI)

Electronic Commerce Interface
- Fat client
- Interacts with server component in ATO
- Written in Java Swing
- Win 95, 98, NT
- Netscape 4 & IE 4
- Macintosh version also available
- Encrypts using confidentiality key and signs using authentication key
- ECI and PKI Keys work together
- Browser required but not used for interface
- HTTP traffic only - firewall friendly
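
The two-certificate model on the slides above (separate authentication and confidentiality key pairs, two-year validity, signing with one key and encrypting with the other), as an added Go example that is not part of the presentation or of any ATO or Baltimore code. The function names `issue` and `checkUse` and the CA and subscriber names are constructed for illustration, and all keys are 2048-bit RSA rather than the 1024-bit end-entity keys the slide lists.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a key pair and a two-year certificate limited to key usage ku; a nil parent yields a self-signed CA root.
func issue(cn string, serial int64, ku x509.KeyUsage, parent *x509.Certificate,
	signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // assumption: 2048-bit, not the slide's 1024-bit
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), KeyUsage: ku, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(2, 0, 0), BasicConstraintsValid: true, IsCA: parent == nil}
	if parent == nil {
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	c, err := x509.ParseCertificate(der)
	return c, key, err
}

// checkUse enforces key separation: the keyUsage extension must cover the operation and c must be signed by ca.
func checkUse(c, ca *x509.Certificate, want x509.KeyUsage) error {
	if c.KeyUsage&want == 0 {
		return fmt.Errorf("%s: key usage does not permit this operation", c.Subject.CommonName)
	}
	return c.CheckSignatureFrom(ca)
}

func main() {
	ca, caKey, err := issue("Example CA", 1, x509.KeyUsageCertSign, nil, nil)
	if err != nil {
		panic(err)
	}
	conf, _, err := issue("Example Pty Ltd", 2, x509.KeyUsageKeyEncipherment, ca, caKey)
	if err != nil {
		panic(err)
	}
	fmt.Println(checkUse(conf, ca, x509.KeyUsageKeyEncipherment), checkUse(conf, ca, x509.KeyUsageDigitalSignature))
}
```

A relying application would call `checkUse` before verifying a signature or encrypting to a recipient, so a confidentiality certificate is never accepted as proof of who signed a lodgment.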

The PKI Project
- Very tight timeframe
- Key objectives:
  – Establish PKI to support Tax Reform
  – Get Gatekeeper accreditation by 16 June 2000
- Small core team, but over 300 people involved in some way
- Testing and integration the main technical challenges
- Documentation and accreditation the most time consuming aspects

Project Milestones
- PKI Project starts: 1 June 1999
- Conceptual Design finalised: 21 Sept 1999
- Baltimore Delivers Phase 1: 30 Sept 1999
- Phase 2 starts: 19 Sept 1999
- ABN Registration Process begins: 1 Nov 1999
- Baltimore Delivers Phase 2: 4 Apr 2000
- ATO CA Certificate signed: 25 May 2000
- ATO OCA certificate signed: 5 June 2000
- Testing Completed: 15 June 2000

Project Milestones
- Gatekeeper Accreditation: 16 June 2000
- Start of Certificate issue: 16 June 2000
- ECI CD mailout started: 22 June 2000
- First download: 28 June 2000
- First ‘Ready to Deal’ set: 3 July 2000
- First eBAS ready for collection: 15 July 2000
- First eBAS returned to ATO: 27 July 2000

Success Factors
- Ability to use ABN registration process
  – Businesses already being registered
  – Avoided need for face to face POI
- Strong level of commitment from senior management
- Exceptionally hard work by all concerned
- Immovable deadline

What needs to go right in order to compress an 18 month project into 9 months?

Achievements
- CA Signing (25 May 2000)

CA and OCA operated for the ATO by Certificates Australia Pty Ltd

Achievements
- CA Signing 25 May 2000
- Full Gatekeeper Accreditation (16 June 2000)
- Certificate Generation commenced (16 June 2000)

Achievements
- CA Signing 25 May 2000
- Full Gatekeeper Accreditation 16 June 2000
- Certificate generation commenced 16 June 2000
- Media Release 27June m ABNs and 307,0000 sets of Certificates by 5 Dec 2000

ABN Registrations: 3.4m (Target 2.5m)
Keys & certificates
  to mid July: 145K (Target 137K)
  to 5 December K
‘Active’ keys & certificates: 270K
Reissues: 23K
Revocations: 14K
Total Downloads: 76K
‘Ready To Deal’: 53K (Businesses)
Proportion downloaded 84% in use

Achievements
- UniCERT
- UniCERT ITSEC E3 certification formally awarded on 4 Sept 2000

The Australian Taxation Office congratulates Baltimore Technologies on achieving ITSEC E3 certification for

Learnings
- Large scale registration is likely to be hardest and most expensive component of establishing a PKI.
- Beware of tightly coupling PKI and business applications
- Increased security is likely to mean less ease of use
- Gatekeeper accreditation is a non-trivial undertaking - ATO produced 64 different documents

Learnings
- Set up a call centre and be prepared for up to 3 * 5 minute calls from each customer
- Would the outcome have been even better if there had been an opportunity for a pilot?
- Get good partners involved and use their expertise
- Hide complexity wherever possible
- Do not over-estimate computing abilities of end-users, or their willingness to read instructions

Of Help Desk Calls
  – 15% are related to the ECI and BAS
  – 85% are related to PKI
- 15% are due to clients not following instructions
- 50% of PKI calls relate to passwords, PIC or Certificate download issues
- 10% are requests to change Certificate Holder name
- 10% are general enquiries

Where to from here?
- Increase take-up rate
- Introduce additional PKI-enabled applications such as:
  – Australian Business Register Phase 2
    - Businesses able to update their own records on-line
- Extend ATO-CA to be the trust point for ATO specific purposes, such as:
  – Mobile computing
  – Authenticated single login
  – e-tax

The ATO has established a secure foundation for electronic commerce. There are a number of strategies being developed to take advantage of the PKI deployment to Australian Businesses.

Whole Of Government Issues
- ATO certificates are for ATO use only
  – Initial minimalist position to deal with liability issues
- NOIE is developing ABN-DSC
  – Common profile
  – A number of commercial providers
  – Federal Govt agencies must accept ABN-DSC from any provider
- ATO’s systems will accept ABN DSC’s

Many federal government agencies want to roll out PKI enabled applications. NOIE trying to establish common standards. Private sector seen as having key role.

Conclusion
To be successful with a complex project you need an environment where:
- there are clearly defined business objectives;
- there is a well understood time line; and
- all participants are 100% committed to achieving a quality business outcome on time.

The introduction of Australia’s Goods and Services Tax provided such an environment

The overwhelming success of the ATO PKI project was due to the efforts of over 300 talented people from:
- Australian Taxation Office
- Certificates Australia P/L
- Office of Government Online
- Defence Signals Directorate
- Australian Government Solicitor
- Baltimore Technologies
- Admiral Computing
- Aspect Computing
- EDS Australia

Conclusion
Thank you