PKI: A Taxing Experience Ed Bristow Technical Manager, PKI Project Australian Taxation Office 5 December 2000 Secure Foundations


Canberra


Presentation Outline

• What we did
• Why we did it
• Where are we now?
• How did it happen
• Learnings
• Where to from here?
• Conclusion


Business Drivers

• Tax Reform
  – Australian Business Number (ABN)
  – The New Tax System
  – GST
  – Business Activity Statement (BAS)
• Investing for Growth
  – Must offer services online by end 2001
  – ATO keen to add to existing eServices
    • Electronic Lodgment Service (ELS)
    • e-tax (self-lodged returns via Internet)

Australia undertook a major change to its taxation system during 2000.

The Federal Government has announced strategies for increasing government transactions available online.


Context & Starting Points

• Gatekeeper
  – Sets out standards and processes for evaluating:
    • POI
    • Security
    • Technology
    • Operations
  – Aims to ensure
    • Trust
    • Interoperability
  – Assists with
    • Development of e-commerce

Gatekeeper establishes a framework for PKI in Federal Govt


The ATO PKI Today

• Roll-out started 16 June 2000

• 306,871 sets of keys & certificates generated so far
  – Total includes those revoked (12%) and those requested by businesses unable to use them

• 75,587 have been collected from the PKI web server

• 53,000 businesses are now ‘Ready to Deal’ electronically

The ATO PKI has been in production since June 2000

Australian Businesses are using a PKI enabled application to exchange information with the ATO


Key Features of the ATO PKI

• ATO CA operated for ATO by Certificates Australia Pty Ltd
• CA uses UniCERT technology
• RA function interfaces with ABR
• Keys & Certificates distributed via Internet
• Certificates valid for 2 years
• End-users get two certificates and key pairs - authentication and confidentiality
• End-entity keys are 1024 bit RSA, CA keys are 2048 bit RSA
• Predominantly NT4 platform
• Baltimore & ATO custom components


The ATO PKI in Action

• Securing and authenticating eBAS lodgments
  – Businesses with turnover > $20M are obliged to lodge electronically
• Superfund administrators lodging Surcharge and other reports
  – Up to 100,000 records in a file
  – Assessments returned to superfunds by ATO

The ATO PKI is being used for the electronic commerce Interface (ECI)


Electronic Commerce Interface

Fat client

Interacts with server component in ATO

Written in Java Swing

Win 95, 98, NT

Netscape 4 & IE 4

Macintosh version also available

Encrypts using confidentiality key and signs using authentication key

ECI and PKI Keys work together

Browser required but not used for interface

HTTP traffic only - firewall friendly


The PKI Project

• Very tight timeframe
• Key objectives:
  – Establish PKI to support Tax Reform
  – Get Gatekeeper accreditation by 16 June 2000
• Small core team, but over 300 people involved in some way
• Testing and integration the main technical challenges
• Documentation and accreditation the most time consuming aspects


Project Milestones

• PKI Project starts 1 June 1999

• Conceptual Design finalised 21 Sept 1999

• Baltimore Delivers Phase 1 30 Sept 1999

• Phase 2 starts 19 Sept 1999

• ABN Registration Process begins 1 Nov 1999

• Baltimore Delivers Phase 2 4 Apr 2000

• ATO CA Certificate signed 25 May 2000

• ATO OCA certificate signed 5 June 2000

• Testing Completed 15 June 2000


Project Milestones

• Gatekeeper Accreditation 16 June 2000

• Start of Certificate issue 16 June 2000

• ECI CD mailout started 22 June 2000

• First download 28 June 2000

• First ‘Ready to Deal’ set 3 July 2000

• First eBAS ready for collection 15 July 2000

• First eBAS returned to ATO 27 July 2000


Success Factors

• Ability to use ABN registration process
  – Businesses already being registered
  – Avoided need for face to face POI

• Strong level of commitment from senior management

• Exceptionally hard work by all concerned

• Immovable deadline

What needs to go right in order to compress an 18 month project into 9 months?


Achievements

CA Signing (25 May 2000)

CA and OCA operated for the ATO by Certificates Australia Pty Ltd


Achievements

CA Signing 25 May 2000

Full Gatekeeper Accreditation 16 June 2000

Certificate generation commenced 16 June 2000


Achievements

ABN Registrations: 3.4m (Target 2.5m)
Keys & certificates to mid July: 145K (Target 137K)
Keys & certificates to 5 December 2000: 307K
‘Active’ keys & certificates: 270K
Reissues: 23K
Revocations: 14K
Total Downloads: 76K
‘Ready To Deal’ (Businesses): 53K
Proportion downloaded in use: 84%

CA Signing 25 May 2000

Full Gatekeeper Accreditation 16 June 2000

Certificate generation commenced 16 June 2000

Media Release 27 June 2000

3.4m ABNs and 307,000 sets of Certificates by 5 Dec 2000


Achievements

UniCERT

UniCERT ITSEC E3 certification formally awarded on 4 Sept 2000

The Australian Taxation Office congratulates Baltimore Technologies on achieving ITSEC E3 certification for


Learnings

• Large scale registration is likely to be hardest and most expensive component of establishing a PKI.
• Beware of tightly coupling PKI and business applications
• Increased security is likely to mean less ease of use
• Gatekeeper accreditation is a non-trivial undertaking - ATO produced 64 different documents


Learnings

• Set up a call centre and be prepared for up to 3 * 5 minute calls from each customer
• Would the outcome have been even better if there had been an opportunity for a pilot?
• Get good partners involved and use their expertise
• Hide complexity wherever possible
• Do not over-estimate computing abilities of end-users, or their willingness to read instructions


Learnings

• Of Help Desk Calls
  – 15% are related to the ECI and BAS
  – 85% are related to PKI
• 15% are due to clients not following instructions
• 50% of PKI calls relate to passwords, PIC or Certificate download issues
• 10% are requests to change Certificate Holder name
• 10% are general enquiries


Where to from here?

• Increase take-up rate
• Introduce additional PKI-enabled applications such as:
  – Australian Business Register Phase 2
    • Businesses able to update their own records on-line
• Extend ATO-CA to be the trust point for ATO specific purposes, such as:
  – Mobile computing
  – Authenticated single login
  – e-tax

The ATO has established a secure foundation for electronic commerce.

There are a number of strategies being developed to take advantage of the PKI deployment to Australian Businesses


Whole Of Government Issues

• ATO certificates are for ATO use only
  – Initial minimalist position to deal with liability issues
• NOIE is developing ABN-DSC
  – Common profile
  – A number of commercial providers
  – Federal Govt agencies must accept ABN-DSC from any provider
• ATO’s systems will accept ABN-DSCs

Many federal government agencies want to roll out PKI enabled applications

NOIE trying to establish common standards

Private sector seen as having key role


Conclusion

To be successful with a complex project you need an environment where:

• there are clearly defined business objectives;
• there is a well understood time line; and
• all participants are 100% committed to achieving a quality business outcome on time.

The introduction of Australia’s Goods and Services Tax provided such an environment


Conclusion

The overwhelming success of the ATO PKI project was due to the efforts of over 300 talented people from:

• Australian Taxation Office
• Certificates Australia P/L
• Office of Government Online
• Defence Signals Directorate
• Australian Government Solicitor
• Baltimore Technologies
• Admiral Computing
• Aspect Computing
• EDS Australia


Conclusion

Thank you

References:

www.ato.gov.au

www.pki-ato.ato.gov.au

www.taxreform.ato.gov.au

www.business.gov.au

www.fsmke.org

www.ogo.gov.au

www.govonline.gov.au

www.noie.gov.au