DPI PUBLIC KEY INFRASTRUCTURE IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES DIGITAL PUBLIC INFRASTRUCTURE POLICY NOTE SERIES DECEMBER 2024 © 2024 The World Bank 1818 H Street NW, Washington DC 20433 Telephone: +1-202-473-1000; Internet: www.worldbank.org Some rights reserved. This work is a product of The World Bank. The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of the Executive Directors of The World Bank or the governments they represent. The World Bank does not guarantee the accuracy, completeness, or currency of the data included in this work and does not assume responsibility for any errors, omissions, or discrepancies in the information, or liability with respect to the use of or failure to use the information, methods, processes, or conclusions set forth. The boundaries, colors, denominations, links/footnotes and other information shown in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries. The citation of works authored by others does not mean the World Bank endorses the views expressed by those authors or the content of their works. Nothing herein shall constitute or be construed or considered to be a limitation upon or waiver of the privileges and immunities of The World Bank, all of which are specifically reserved. Rights and Permissions The material in this work is subject to copyright. Because The World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given. Cover photo: © Shutterstock, Inc. Used with the permission of Shutterstock, Inc. Further permission required for reuse. Cover Design: Duina Reyes Attribution – Please cite the work as follows: “Christopher Tullis and David Black. 2024. Public Key Infrastructure: Implementing High-Trust Electronic Signatures. © Washington, DC: World Bank.” Any queries on rights and licenses, including subsidiary rights, should be addressed to World Bank Publications, The World Bank, 1818 H Street NW, Washington, DC 20433, USA; fax: +1-202-522-2625; e-mail: pubrights@worldbank.org. 2 TABLE OF CONTENTS Abbreviations 7 About ID4D 8 About KWPF 8 Acknowledgments 8 Executive Summary 9 1. Introduction 12 Digital Public Infrastructure 12 Key Use Cases 13 Legal Validity 15 2. Public Key Infrastructure Fundamentals 18 Public Key Cryptography 18 Why Do We Need an “Infrastructure”? 18 What Does it Take to Implement a PKI? 20 3 Implementing a Public Key Infrastructure 23 Core Components 23 Hierarchical Components 25 Operations 28 PKI Interoperability: Federating Trust 29 Governance 32 Deployment Models 34 Sourcing 38 Managing Liability 41 Driving Adoption 42 Stakeholder Engagement 44 4. Conclusions 46 Establishing Strategic Foundations 46 Designing for Success 46 Ensuring Scalability 47 Promoting Adoption 47 PUBLIC KEY INFRASTRUCTURE 3 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES Appendices 47 Appendix 1: Glossary of Key Terms 49 Appendix 2: Public Key Cryptography Primer 53 Appendix 3: The Chain of Cryptographic Trust 55 Appendix 4: eIDAS Governance Model 57 Appendix 5: PKI Operational Functions 62 Appendix 6: PKI Interoperability: Federating Trust 68 Appendix 7: Institutional Governance Arrangements 78 Appendix 8: Sourcing Strategies 80 Appendix 9: PKI Sourcing Checklist 90 Appendix 10: Keeping Private Keys Private: Secure Signature Creation Devices 92 Appendix 11: Indicative Costing 94 Appendix 12: Managing Liability 97 List of Case Studies Case Study 1: India 27 Case Study 2: Brazil 28 Case Study 3: United States 71 Case Study 4: European Union 73 Case Study 5: International Civil Aviation Organization 74 Case Study 6: EU Digital COVID Certificate 76 Case Study 7: South Korea 77 Case Study 8: Estonia 83 Case Study 9: Saudi Arabia 85 Case Study 10: The Netherlands 86 Case Study 11: France 87 Case Study 12: United Kingdom 88 Case Study 13: Lebanon 89 List of Boxes Box 1. How do digital signatures and PKI support common online interactions? 13 Box 2: Quantum computing 21 4 List of Figures Figure 1: Comparison of digital and electronic signatures 16 Figure 2: Role of PKI in an electronic signature framework 17 Figure 3: Process for issuance and verification of digital signatures using PKI 23 Figure 4: Comparison of single-, two-, and three-tiered PKI architectures 26 Figure 5: PKI Governance 34 Figure 6: Creating a digital signature using a private key 53 Figure 7: Verifying a digital signature using a public key 54 Figure 8: Chain of cryptographic trust—simple PKI 55 Figure 9: Chain of cryptographic trust—tiered PKI 56 Figure 10: Trust framework for Qualified Trust Services under eIDAS (summary) 57 Figure 11: Components of a Qualified Electronic Signature 58 Figure 12: Trust framework for Qualified Trust Services under eIDAS (detailed view) 59 Figure 13: Summary of PKI federation models 68 Figure 14: Comparison of approaches to federating trust 69 Figure 15: Bridge certification 70 Figure 16: Illustration of a fully meshed PKI network in a cross-border context 72 Figure 17: ICAO PKD as a trust anchor between national PKIs 75 List of Tables Table 1: Digital and Electronic Signatures Compared 16 Table 2: Cryptographic elements of a digital signature 18 Table 3: Vulnerabilities of Public Key Cryptography Addressed by PKI 19 Table 4: Core components and entities of a PKI 24 Table 5: Policies and systems for PKI operations 25 Table 6: Components of a tiered PKI 26 Table 7: Summary of PKI certification functions and implementation challenges 29 Table 8: List of country case studies by federation approach 31 Table 9: Comparison of PKI deployment models 37 Table 10: PKI sourcing strategies compared 40 Table 11: List of country case studies by sourcing strategy 41 Table 12: Governance framework for qualification of trust service providers under eIDAS 59 Table 13: Member-state entities involved in qualification of trust service providers under eIDAS 60 Table 14: Common institutional arrangements for PKI governance 78 Table 15: Stylized illustration of RA sourcing strategies for a selection of typical use cases 81 Table 16: Assessment tool for defining a PKI sourcing strategy 90 Table 17: Devices used for digital signing 92 Table 18: Key cost drivers for implementing and operating a PKI 95 PUBLIC KEY INFRASTRUCTURE 5 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES DISCLAIMER This Policy Note is a reference document to be consulted by governments, development partners, academics and others when considering, designing, implementing, or managing national electronic signature ecosystems. It is not intended to be a comprehensive guide for planning World Bank operations. This Note is based on evolving international good practice, as understood by the World Bank’s Digital Development practice. It reflects experiences in a range of countries from different regions, with different legal systems, and at different stages of economic development. It also takes into account existing literature, laws, model laws, norms, and principles. There is no guarantee that addressing all the issues raised in this Note will result in successful design, installation, or management of a national electronic signature ecosystem—as doing so will depend on the consideration of many factors, which may be different from country to country. While every attempt has been made to be complete, there may be issues affecting the design, establishment, and operation of a national electronic signature ecosystem that are not addressed in this Note, or that are addressed in the context of certain assumptions, facts, and circumstances that do not apply equally to every situation. This Note is a reference tool only. 6 ABBREVIATIONS CA Certificate Authority KYC Know-Your-Customer CP Certificate Policy eKYC Electronic Know-Your-Customer CAB Conformity Assessment Body NAB National Accreditation Body CPS Certification Practice Statement PKC Public Key Cryptography CRL Certificate Revocation List PKI Public Key Infrastructure CSR Certificate Signing Request RA Registration Authority DPI Digital Public Infrastructure RP Relying Party eIDAS electronic IDentification, Authentication QC Qualified Certificate and trust Services QES Qualified Electronic Signature ENISA EU Agency for Cybersecurity SB Supervisory Body ETSI European Telecommunications SCD Signature Creation Device Standards Institute QSCD Qualified Signature Creation Device e-Signature Electronic Signature TLS Transport Layer Security HSM Hardware Security Module TSP Trust Service Provider ICAO International Civil Aviation Organization QTSP Qualified Trust Service Provider ISO International Organization for Standardization VS Validation Service ITU International Telecommunication Union PUBLIC KEY INFRASTRUCTURE 7 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES ABOUT ID4D The World Bank Group’s Identification for Development (ID4D) initiative uses global knowledge and expertise across sectors to help countries realize the transformational potential of digital identification systems to achieve the Sustainable Development Goals. It operates across the World Bank Group with global practices and units working on digital development, social protection, health, financial inclusion, governance, gender, and legal, among others. The mission of ID4D is to enable all people to access services and exercise their rights, by increasing the number of people who have an official form of identification. ID4D makes this happen through its three pillars of work: thought leadership and analytics to generate evidence and fill knowledge gaps; global platforms and convening to amplify good practices, collaborate, and raise awareness; and country and regional engagement to provide financial and technical assistance for the implementation of robust, inclusive, and responsible digital identification systems that are integrated with civil registration. The work of ID4D is made possible with support from the World Bank Group, Bill & Melinda Gates Foundation, the UK Government, the French Government, the Australian Government, the Norwegian Agency for Development Cooperation, and the Omidyar Network. To find out more about ID4D, visit id4d.worldbank.org. ABOUT KWPF This work is supported through the Korea-World Bank Partnership Facility (KWPF), a single-donor trust fund sponsored by the government of South Korea and administered by the KWPF Program Management Team within the World Bank Group. KWPF supports projects that identify, implement, and scale sustainable development solutions in developing countries around the globe, drawing on the significant experience and expertise gained by South Korea across its own development journey. ACKNOWLEDGMENTS This policy note was authored by Christopher Tullis and David Black. Excellent feedback and input were provided throughout the development of this guide. The authors thank the following individuals for their various contributions, listed alphabetically: Harm Jan Arendshorst, Audrey Ariss, Adam Cooper, Nay Constantine, Victoria Esquivel-Korsiak, Issam Khayat, Daria Lavrentieva, Viky Manaila, Jonathan Marskell, Anita Mittal, Slavina Pancheva, David Porteous, Satyajit Suri, Emmanuel Vassor, Aishwarya Viswanathan, Gillan Ward, and Matthew Zoller. The authors are also indebted to invaluable comments from our expert peer reviewers: Joseph Atick, Isabella Hayward, Harish Natarajan, and Vijay Vujjini. 8 EXECUTIVE SUMMARY As countries progress in their digital transformation journeys, PKI Fundamentals establishing trust in digital interactions becomes increasingly vital. Public Key Infrastructure (PKI) is a critical enabler of Digital signatures leverage public-key cryptography to ensure secure and trustworthy electronic transactions, constituting the integrity of digital documents and data. Although based a key component of a country's digital public infrastructure. on public-key cryptography, PKI is not a technology. PKI This policy note focuses on how governments can effectively extends cryptographic technologies with complementary implement PKI at a national level—complementing previous policy, organizational, and process elements to enable secure work on electronic signatures—by delving into the policy, deployment of digital signatures in real-world applications. institutional, technology, and governance enablers necessary for It provides a system for managing digital certificates and PKI deployment. The aim of this note is to guide policymakers public-private key pairs, which are essential for securing online in creating a secure, sustainable, and trusted PKI ecosystem transactions, protecting data integrity, and implementing that provides a foundation for the digital transformation of high-trust electronic signatures. government and the economy. Specifically, PKI addresses key vulnerabilities in digital This note is designed to be read alongside the companion signatures by solving three fundamental deployment policy note on electronic signatures,1 which explains the role challenges: (a) ensuring the secrecy of private keys used to of PKI in implementing cryptographically secured digital generate digital signatures, (b) verifying the validity of public signatures within a national electronic signature framework. keys used to authenticate digital signatures, and (c) managing The present note extends this analysis through practical the revocation of compromised keys. Building trust across guidance on implementing PKI at scale, ensuring government these dimensions requires supplementing cryptography efforts complement private sector investments. By surveying with policy, organizational, procedural, and technological different approaches, the note showcases diverse strategies measures—a public key "infrastructure." that policymakers can draw from when designing and building their own national PKI ecosystems. This analysis is illustrated Implementing a national PKI is a complex endeavor that extends through illustrative case studies drawn from countries and beyond technology. It involves establishing a comprehensive organizations across various regions and income levels, namely ecosystem encompassing core components, hierarchical India, Brazil, the United States, South Korea, Estonia, Saudi structures, operational processes, governance frameworks, Arabia, The Netherlands, France, the United Kingdom, and and strategies to promote adoption and manage liability. The Lebanon, as well as the European Union and the International PKI is designed so that the policy, operational, governance, Civil Aviation Organization (ICAO). and technological aspects, taken together, provide robust assurance that private keys are securely issued and managed, public keys are validated and trusted, and compromised keys can be efficiently revoked. 1 Christopher Tullis, Nay Constantine, and Adam Cooper. 2024. Electronic Signatures: Enabling Trusted Digital Transformation. Digital Transformation Policy Note Series; September 2024. © Washington, DC: World Bank. https://hdl.handle.net/10986/42186 License: CC BY-NC 3.0 IGO. PUBLIC KEY INFRASTRUCTURE 9 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES PKI Implementation Clear legal and regulatory frameworks should define roles, responsibilities, and standards for all stakeholders. This Components and architecture. The core components of a PKI includes policy formulation, compliance mechanisms, include the digital certificates issued to signers, Certificate supervision, and dispute resolution processes. Effective Authorities (CAs) that issue them, and the Registration governance maintains public trust by ensuring that the PKI Authorities (RAs) that verify the identity of signers before operates securely, effectively mitigates risks associated with doing so. Other components such as revocation lists and security breaches, and provides for accountability in cases central directories provide a centralized and trusted source where something goes wrong. of information on certificate validity. These components work together within a hierarchical architecture to establish an Deployment models and sourcing strategies. Governments unbroken chain of trust from the root CA down to individual face choices between insourcing and outsourcing PKI signed documents and data. components based on capacity, cost-efficiency, and security considerations. The note surveys various implementation Operations and policy. Effective PKI implementation requires strategies from these case studies, showcasing how countries robust operational processes, including certificate issuance, have insourced or outsourced different PKI functions to the registration and identity verification, key management, certificate private sector. Hybrid models that combine government renewal and revocation, incident monitoring, and disaster control with private sector innovation are increasingly popular. recovery. Managing these operations demands meticulous Decisions on deployment models—whether on-premises, attention to detail to maintain the integrity, availability, and cloud-based, or hybrid—impact scalability, security, and security of the PKI system, ensuring it functions seamlessly compliance with regulatory requirements. and remains resilient against threats. To maintain trust, a high level of transparency about these operational elements is Driving adoption and engaging stakeholders. Merely providing required, as well as strict adherence to a set of policies and digital certificates is not sufficient to ensure people use them. standard operating procedures. To drive adoption, PKI should be integrated into essential and widely used services, creating compelling use cases that Interoperability and federation. It is common for multiple PKI demonstrate the value of secure digital interactions. To make implementations to coexist for various reasons, including legacy this happen, it is necessary to ensure a simplified and accessible systems, differing jurisdictions and institutional mandates, user experience, relegating the technical complexity of PKI specific regulatory requirements, and the involvement of operations to the background. Ongoing engagement with public and private sector actors. In such cases, trust in one stakeholders—including government agencies, private sector PKI can be extended to others using a variety of federation entities, relying parties, and end-users—is critical for aligning approaches. Technology-based federation techniques the PKI system with evolving needs, ensuring flexibility, and include bridge certification and cross-certification, while building sustained public trust. non-technology approaches include adherence to common standards and the implementation of a trusted central broker. Recommendations Whatever the approach, federation allows independent PKIs to interoperate, ensuring that certificates issued under one To successfully implement a national PKI ecosystem, it PKI are recognized and trusted by others. In practice, many is recommended that governments first establish the countries use federation to allow various PKI implementers strategic foundations of the PKI implementation, and then to operate within their mandates while contributing to an design a PKI architecture and governance framework that interoperable ecosystem. meets these strategic requirements, ensures scalability in the face of increasing demand, and promotes adoption Governance frameworks. Robust governance is essential to through usability and integration into people’s lives. Specific ensure trust and interoperability within the PKI ecosystem. recommendations include: 10 Establish strategic foundations Ensure scalability • Integrate PKI development into the broader digital • Employ federated trust models to enhance interoper- transformation strategy. ability and scalability. • Ensure PKI is part of a comprehensive electronic trans- • Leverage existing infrastructures, such as national actions framework, adopting a risk-based approach. ID systems and registration centers, to streamline PKI processes. • Tailor the PKI ecosystem to local demand and digital maturity. Promote adoption Design for success • Drive adoption by integrating PKI into essential services and improving user experience. • Customize the PKI architecture based on contextual factors like use cases and institutional capacity. • Encourage market development for PKI services, lowering costs and fostering innovation. • Focus on robust governance frameworks encompassing regulations, standards, and oversight mechanisms. • Maintain continuous stakeholder engagement to align the PKI system with user needs and build public trust. • Position the government as an enabler, fostering private sector participation and innovation. PUBLIC KEY INFRASTRUCTURE 11 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES 1 INTRODUCTION DIGITAL PUBLIC INFRASTRUCTURE data sharing—that underpin the development and delivery of trusted, digitally-enabled services across the public and private sectors, including social protection, health, public As countries advance on their digital transformation journeys, finance, and banking.2 While PKI is typically not necessary transactions that previously required signing paper documents for low-trust transactions, it becomes critical for high-trust can be completed electronically, and procedures that may interactions due to its ability to assure high-level integrity have required an in-person visit can now be completed online. and provenance of transaction data. It plays a pivotal role In many countries, it is now commonplace for basic public in facilitating trusted interactions between various actors services, like paying taxes or requesting a birth certificate, to within a loosely coupled system, addressing key challenges in be carried out digitally without a visit to a government office. establishing a secure, reliable, and inclusive digital economy. It is, however, still uncommon for high-risk activities like real On a technical level, PKI is built around a cryptographic estate transactions, online voting, or high-stakes healthcare technique called public key cryptography. Sometimes referred decisions to be fully digitalized. A barrier to digitalization of to as “asymmetric cryptography” due to its reliance on pairs such higher-risk interactions is insufficient trust, be it in the of mathematically linked cryptographic “keys,” public key identity of the transacting parties, the authenticity of the cryptography is central to securing many digital interactions. supporting documents, or the confidentiality of the online Each key pair comprises both a public key, which is openly communication channel used for exchanging transaction data. available for encrypting data or verifying digital signatures, Because fledgling digital economies do not always offer the and a private key, which remains confidential and is used for requisite level of trust, many transactions—even ones that can decryption or creating digital signatures. Digital signatures, a be initiated remotely—ultimately require in-person verification. subset of electronic signatures, are the primary key use case for PKI, providing assurance of data authenticity, integrity, and Public key cryptography—and the public key infrastructure non-repudiation. Central to PKI implementation are digital (PKI) used to implement it—is a key component of digital certificates, which link cryptographic key pairs to their users, trust. Depending on how PKI is deployed, it can help provide as well as certificate authorities (CAs), the trusted entities that assurance of data integrity, confidentiality, data provenance, issue these certificates to their users. These key concepts and users’ identity, and the security of communication channels. others will be presented comprehensively later in this guide. Taken together, assurance of these key elements can help improve the overall trust environment, allowing more types The purpose of this guide is to demystify core PKI concepts of interactions to be digitalized, including high-risk use cases for practitioners and decision-makers looking to facilitate that cannot be digitalized without this trust. the deployment of PKI at national scale to reinforce trust in the digital economy. In so doing, it will discuss the key When implemented at the national level, PKI is a core considerations that need to be accounted for when developing element of a country’s digital public infrastructure (DPI). DPI a PKI implementation strategy, paying attention not only to the refers to foundational and reusable digital platforms and underlying technology but also to the broader PKI ecosystem building blocks—such as digital ID, digital payments, and 2 DPI is not a replacement for sector-specific digital data or infrastructure—e.g., digital registries for social protection, credit, agriculture; health-sector interoperability and data exchange standards; digital tax or HR MIS, etc.—rather, DPI helps enable and scale sector-owned digital services that rely on sector-owned assets quicker, cheaper, more reliably, and more sustainably.  12 composed of people, processes, and institutional elements of of a user-centric approach and the creation of a supportive trust. The guide will examine some of the tradeoffs between ecosystem for digital trust. different implementation models from technical, operational, efficiency, and sustainability perspectives. KEY USE CASES Section 1 introduces the use cases and conceptual foundations. It highlights the significance of digital certificates and Although often invisible, public key cryptography is all around distinguishes between electronic and digital signatures, us, as are the digital signatures they are used to create, as setting the stage for understanding PKI's critical role in well as the PKI used to verify them. This section will consider secure digital interactions. Section 2 delves into the technical four illustrative examples of such use cases as an introduction mechanisms of public key cryptography and PKI. It outlines to a broader discussion on PKI use cases and requirements. how digital signatures are verified, the purposes of PKI, and the importance of a customized approach to suit national The trust in this remote interaction between Alice and her ecosystems. Section 3 proposes an in-depth exploration of the bank was supported by a number of distinct digital signatures, implementation of a PKI, including architectural, operational, each with a different purpose, and implemented in a different and governance aspects, along with trust federation and way. Each of these signatures serves a distinct role, from sourcing strategies. It emphasizes the need for a holistic technical assurance to legal attestation, each underpinned approach that encompasses more than just technological by varying governance structures and trust frameworks that implementation. Section 4 draws insights from the analysis dictate their operation and validity. and offers strategic guidance for integrating PKI into national digital transformation strategies, emphasizing the importance Box 1. How do digital signatures and PKI support common online interactions? Alice is about to take a significant step—securing a mortgage online. Alice is apprehensive about carrying out such a significant transaction online. She needs assurance that her sensitive financial details are transmitted securely and that she’s indeed dealing with her trusted bank and not an imposter. The bank, on its part, requires a way to securely verify Alice’s identity, both to protect itself from fraud and to comply with strict financial regulations. The assurances that Alice and her bank require are provided by a complex, nested hierarchy of digital signatures verified using PKI. When Alice visits the bank’s website, information flows back and forth that must be encrypted—this private information is turned into a secret code that only Alice and the bank can decipher. To do this, they need to share an encryption key with each other securely. Furthermore, Alice needs to ensure that she is communicating with her actual bank and not an imposter website. This is done using a digital certificate issued by a trusted authority and is automatically cross-checked by Alice’s web browser against a pre-installed list of such authorities. To prove her identity, Alice uses a digitally verifiable identity credential. In her country, the national ID card offers such functionality, relying on a trusted PKI to securely validate her ID card and verify her personal data. Once identified, Alice digitally signs her mortgage application using a PKI-based electronic signature, allowing her to sign the document and locking its content to prevent future changes. Each digital signature in this transaction contributes in its own way to ensuring that Alice can trust the bank and that the bank can trust Alice. They vary in complexity based on what they need to protect—the user’s privacy, some transaction data, or an official document—but together, they weave a strong net of security that allows Alice to confidently proceed with her mortgage, all from the comfort of her home. PUBLIC KEY INFRASTRUCTURE 13 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES The following section examines the various signatures that Example 2: provide trust in the stages of this interaction. For each, the Website authentication main parties to the transaction are listed, namely: Alice needs to ensure that she is communicating with her actual • Issuing entity: The certificate authority (CA) that issued bank and not an imposter website. This is done using a digital the digital certificate used to generate the signature. certificate issued by a trusted authority and is automatically cross-checked by Alice’s web browser against a pre-installed • Signing entity: The person or other entity that generates list of such authorities. the digital signature. • Verifying entity: The relying party (RP) that verifies the • Issuing entity: Root CA, which supplies certificates to the digital signature. intermediate CA that supplies certificates to the bank. • Data signed: The data or document that is signed as • Signing entity: Intermediate CA supplying certificates part of the use case. to the bank. • Purpose of signing: The purpose served by the signature • Verifying entity: Alice's web browser. in the context of this use case. • Data signed: The bank's certificate and public key. • Governance: The scheme or trust framework in place • Purpose of signing: To prevent phishing by giving Alice that provides trust in the PKI employed in this use case. assurance that she is communicating with her actual bank and not a fraudulent site. The website signature allows Example 1: Alice to authenticate the identity of the website publisher. Key exchange for data encryption • Governance: Typically managed by a CA within a broader When Alice visits the bank's website, information flows back internet trust framework like the Web Trust for CAs.4 and forth that must be encrypted—this private information is turned into a secret code that only Alice and the bank can Example 3: decipher. To do this, they need to share an encryption key Identity verification with each other securely. To prove her identity, Alice uses a digitally verifiable identity credential such as her national ID card. This process relies • Issuing entity: CA supplying certificates to the bank. on a trusted PKI to securely validate her ID card and verify • Signing entity: The bank’s website. her personal data. • Verifying entity: Alice's web browser. • Issuing entity: The root CA of Alice’s country (or other • Data signed: The session-specific cryptographic key used CA that supplies certificates to the national ID authority).5 to establish a secure communication channel. • Signing entity: The national ID authority of Alice’s country. • Purpose of signing: To secure the data transmitted between Alice and her bank, ensuring confidentiality • Verifying entity: Alice’s bank. of the browsing session. • Data signed: The identity attributes on Alice’s national • Governance: Transport Layer Security (TLS) handshakes ID card. are governed by the protocols that are part of the security • Purpose of signing: To allow verification of Alice's standards for web communications.3 identity attributes, fulfilling "Know Your Customer" (KYC) requirements for legal and compliance purposes. 3 TLS protocols are defined by the Internet Engineering Task Force (IETF), with the current version being TLS 1.3 as specified in IETF RFC 8446. Governance of TLS in web browsers falls under the purview of the Certificate Authority/Browser (CA/B) Forum, specifically the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates," as well as the individual policies of the Certificate Authorities that issue the certificates. 4 The CA/B Forum's "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates." 5 In Example 3, the issuing entity could be either a root CA, an intermediate CA, or something else, depending on the national PKI ecosystem. These points will be discussed in more detail in later sections. 14 • Governance: The digital signatures used by the national signatures extend beyond a purely technical notion of trust identity authority are generated in compliance with and provide a foundation for legal recognition. national and international standards, laws, and regulations to ensure trust and legal validity. To achieve this level of trust, PKI must be integrated into a broader electronic transactions framework that ensures the Example 4: legal enforceability of electronic signatures. This integration Electronically signing a legal document is essential for transitioning from the technical security that PKI offers to a legally recognized trust that underpins digital Alice digitally signs her mortgage application using a PKI-based transactions in a real-world economy. electronic signature, allowing her to sign the document and locking its content by making any future changes detectable. When PKI-based digital signatures are implemented in such a way that the trust they provide can take on a legal dimension, • Issuing entity: The CA that issues certificates to Alice. then it is common to refer to them as electronic signatures, • Signing entity: Alice. both to signal their role in implementing legal frameworks for electronic transactions, and also to help distinguish them • Verifying entity: The bank. from the purely technical notion of a digital signature.6 • Data signed: The mortgage application documents. • Purpose of signing: To ensure the integrity of the Electronic Signatures application and to provide non-repudiation, confirming Alice's commitment to the terms. Like its handwritten counterpart in the offline world, an electronic signature is a legal concept capturing the signatory's intent • Governance: Applicable legal and trust frameworks for to be bound by the terms of a signed document.7 Electronic electronic transactions and electronic signatures ensure signatures can be implemented using a variety of suitable the legal recognition of digital signatures. Such legislation technologies—from something as simple as a name typed governs the conditions under which a PKI-based digital at the bottom of an email for basic use cases to PKI-based signature may be considered legally equivalent to a digital signatures for higher-risk electronic transactions.8 In traditional handwritten signature. other words, while digital signatures refer to the technical The digital signature examples provided above are not process of assuring trust through cryptographic verifiability, an exhaustive list, but rather seek to illustrate the various the term “electronic signature” is generally used to refer to a ways that PKI-based digital signatures provide trust in our socio-legal dimension of trust. The two related but distinct day-to-day interactions. notions are compared in Table 1 and Figure 1. For example, in the eIDAS trust framework for electronic LEGAL VALIDITY signature that is applied across the EU, a PKI-based digital signature is only a requirement for the highest (“qualified”) level of assurance. Most electronic signatures in the EU The above discussion of use cases covers scenarios spanning and other jurisdictions are implemented without a PKI for purely technical applications of PKI for securing communications reasons of cost, complexity, usability, and low relevance (examples 1 and 2) as well as those where PKI is used to to the transaction type. These lower-risk assurance levels create legally valid signatures that can replace handwritten are referred to as “advanced” (for medium assurance) and signatures in the digital economy (examples 3 and 4). This “simple” (for low assurance) in EU terminology. policy note focuses on the latter use cases, where PKI-based 6 This policy note follows this common convention, using the term “digital signature” to refer to a subset of electronic signatures that use specific techniques based on public key cryptography for assuring the authenticity, integrity, and non-repudiation of a document or communication. Readers should note that several jurisdictions use these terms differently; in the United States and India, for example, the term “digital signature” is used to refer to the highest-trust electronic signatures provided for in national regulations. 7 European Commission, “What is eSignature,” (accessed 13 January 2024). https://ec.europa.eu/digital-building-blocks/sites/display/DIGITAL/ What+is+eSignature 8 It should be noted that although the electronic signature use case in the mortgage-signing example above (example 4) was described as a digital signature, in practice, the additional trust offered by PKI is optional for such transactions and it is common for them to be implemented using other technologies. PUBLIC KEY INFRASTRUCTURE 15 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES Table 1: Digital and Electronic Signatures Compared Term Definition Implementation Scope Electronic Legal concept denoting a signature generated using Technology-neutral A technique for authenticating Signature electronic means for the purposes of authenticating an legally binding electronic electronic transaction. transactions. Digital Technology concept denoting a signature generated using Technology-specific Applications both within and Signature the private key embedded in a PKI-based digital certificate. (PKI) outside of the sphere of legally binding electronic transactions. Figure 1: Comparison of digital and electronic signatures Advanced e-signature Trust Digital Services Signature Qualified Electronic e-signature Signature For more information on electronic signatures, levels of The role of the legal framework. The legal framework for assurance, transaction risk levels, and how PKI-based electronic transactions provides the foundation, establishing digital signatures relate to them, readers are referred to the the conditions under which electronic signatures are recognized companion policy note dedicated to this topic.9 as legally binding. Without this legal underpinning, even the most secure PKI-based digital signatures can only provide Electronic Signature Frameworks technical assurance without the legal enforceability needed in commercial and governmental transactions. Good practice For PKI-based digital signatures to function as legally valid legal frameworks should be technology-neutral, recognizing electronic signatures, the PKI technology must be embedded both PKI-based and non-PKI-based electronic signatures in in a broader legal and regulatory framework that provides a risk-based approach, allowing PKI-based signatures to be for the use of electronic signatures in the digital economy. reserved for high-risk applications. Electronic transaction frameworks build on a legal foundation to provide for complementary roles between different public and private sector actors and clarify the role of PKI. 9 Christopher Tullis, Nay Constantine and Adam Cooper. 2024. Electronic Signatures: Enabling Trusted Digital Transformation. Digital Transformation Policy Note Series; September 2024. © Washington, DC: World Bank. http://hdl.handle.net/10986/42186 License: CC BY-NC 3.0 IGO. 16 The role of PKI. PKI-based digital signatures are a particular The role of government. Governments play a crucial role in technology implementation for electronic signatures, which establishing the legal framework, and in regulating the PKI can be appropriate to use cases requiring a high level of ecosystem. When it comes to PKI implementation, governments trust. Within this legal framework, PKI serves as a critical can choose whether or not they wish to operate their own enabler for high-assurance use cases that require not just PKI in-house. Governments may opt either to operationalize technical security but also legal validity. PKI-based digital a PKI themselves or to outsource some or all PKI functions to signatures are particularly valuable in scenarios where the private sector (see discussion of sourcing below). additional cost and complexity of PKI is justified compared to simpler technologies—such as in high-value contracts, Figure 2 summarizes the way that electronic signature official documents, or any transaction where non-repudiation, frameworks provide the basis for legal validity of PKI-based authenticity, and integrity are at a premium. digital signatures. Figure 2: Role of PKI in an electronic signature framework Government- operated PKI Optional National PKI Ecosystem Public and/or Private Sector Actors Electronic Transactions Legal Framework PKI-base and non-PKI-base Electronic Signatures PUBLIC KEY INFRASTRUCTURE 17 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES 2 PUBLIC KEY INFRASTRUCTURE FUNDAMENTALS PUBLIC KEY CRYPTOGRAPHY or got into the wrong hands. However, technology does not inherently establish a connection between these keys and their users, whether they are individuals, devices, or Public key cryptography, also known as asymmetric cryptography, other entities. A major challenge in implementing digital uses pairs of keys—public and private—to secure communications signatures is precisely this: reliably linking a key pair with and authenticate digital signatures. For digital signatures, its rightful owner. Because linking a digital signature back the signer is issued a private key that they use to create a to the human signer cannot be done mathematically, the digital signature that can be verified by anyone using the human and process components become key vulnerabilities corresponding public key. Digital signatures implemented of digital signatures when implemented in the real world. using public key cryptography provide a very high level of mathematical assurance of the integrity of the signed data, For further discussion of the technical underpinnings on ensuring that it cannot be tampered with after signing. how public key cryptography creates and verifies digital signatures, see Appendix 2: Public Key Cryptography Primer. Verifying digital signatures can also help confirm the identity of the signer, but only on the condition that complementary processes are in place to ensure that (1) no one except the WHY DO WE NEED AN signer has access to the private key, and (2) the correct public “INFRASTRUCTURE”? key is being used to verify the signature. The cryptographic mathematics underlying digital signatures can only assure binding between the public and private keys in a pair. They The role of public key infrastructure is to enable digital cannot ensure that the keys have not been tampered with signatures to be implemented for real-world use cases while preventing human and procedural vulnerabilities from undermining their security. It is crucial to ensure that private Table 2: Cryptographic elements of a digital keys are issued to and controlled by the person or entity signature authorized to use them for signing. Likewise, it is critical that verifiers use the appropriate public keys for verification Term Description to avoid being misled into trusting a fraudulent signature. Cryptographic elements A common approach to ensuring this is through a system Private A private key is a confidential cryptographic key used for generating, managing, and verifying cryptographic Key used to decrypt data or create a digital signature, keys, i.e., a PKI. known only to the owner. It is mathematically and irrevocably linked to its corresponding public key. Public key infrastructure is the set of people, process, and technology elements that facilitate the issuance, management, Public A public key is a cryptographic key that can be Key disseminated publicly and is used to encrypt data and revocation of digital certificates and the digital signatures or verify a digital signature. It is mathematically and generated using them. A PKI is as much policy and procedure irrevocably linked to its corresponding private key. as it is a technology solution, each of which poses its own Digital Digital files that securely associate cryptographic scalability challenge when implementing a PKI ecosystem at the Certificate key pairs, which can be used for digital signing, national level. This section discusses three inherent problems with identities issued to individuals, devices, that arise when implementing digital signatures in the real or organizations. world and discusses how PKI helps solve these problems. 18 Inherent Vulnerabilities of Digital Signatures Bob doesn’t have to alter the actual document; instead, he only needs to deceive Alice’s bank into using his public Problem 1: key for the verification of signatures on these documents. Keeping private keys secret If the bank mistakenly believes that Bob’s public key is, in fact, Alice’s, any signature verified using this key will appear The first critical vulnerability in the digital signing process legitimate. This misattribution means that any signature Bob is the assumption that private keys are securely issued and makes using his private key will falsely be recognized as remain under the exclusive control of the authorized individual Alice’s. In practice, this deception enables Bob to effectively or entity. If compromised, these keys can be exploited to impersonate Alice in signing documents without detection, generate seemingly legitimate signatures, posing significant at least until the bank realizes the error and identifies the security risks. This vulnerability can arise from various scenarios, correct key for verification. including theft, loss, or insider threats. PKI addresses this by ensuring stringent identity verification and secure key storage, PKI mitigates this risk by providing a trustworthy mechanism minimizing the risk of unauthorized access to private keys. for verifiers to validate and ensure the authenticity of public keys, thereby ensuring that the public key used for verification Returning to the example above, imagine Alice needs to is indeed associated with the correct signer. digitally sign mortgage documents for a bank loan. The bank issues a private key to Alice for this purpose. However, due Problem 3: to inadequate security measures in the key issuance process, Revoking compromised keys Bob, an attacker, gains access to Alice’s private key. He uses it to sign a wire transfer order, siphoning funds from Alice’s bank Another critical vulnerability arises when a private key is account without her knowledge. Since the signature is made compromised but not promptly revoked. In such cases, verifiers with Alice’s authentic private key, it appears legitimate, thus continue to trust signatures made with the compromised both the bank and Alice are unaware of Bob’s interference. key, leading to ongoing security breaches. This problem is compounded when there is a delay in communicating key Problem 2: revocations to all relevant parties. Validating public keys As an example, consider that Alice, realizing that her private The second major vulnerability lies in the validation of public key has been compromised and is in the possession of Bob, keys used for verifying signatures. If an attacker convinces notifies the appropriate authorities, who revoke her key. a verifier to use an incorrect public key, any signature made However, the key revocation information is not efficiently with the corresponding private key will falsely appear valid. disseminated. Another bank, unaware of the revocation, receives This vulnerability can lead to significant security breaches. a document signed by Bob using Alice’s compromised key. Since that other bank’s system does not have the updated Consider a scenario where an attacker, Bob, intends to forge revocation information, the signature is mistakenly validated Alice’s signature on her mortgage documents. To do this, as Alice’s. Table 3: Vulnerabilities of Public Key Cryptography Addressed by PKI Problem Description Solution 1 Keeping private keys Risk of unauthorized access to private keys due Implement robust identity verification and secure secret to insecure storage, management, and issuance key creation, storage, and management protocols. processes. 2 Public key validation Uncertainty about whether the public key used Implement a public key directory to allow for signature verification corresponds to the validation of public keys used for signature signer’s private key. verification. 3 Revoking compromised Need to disseminate key revocation information Implement a system to promptly communicate keys to prevent continued misuse of compromised key revocation to all verifiers or use short-lived keys. certificates. PUBLIC KEY INFRASTRUCTURE 19 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES PKI addresses this by implementing an efficient and reliable User base key revocation system, which ensures that all parties are promptly informed about the revocation of compromised While PKI implementation for specific, simpler use cases keys, thus preventing their continued misuse. (like integrating digital certificates into web browsers) has been largely successful, the implementation of PKI to serve As will be discussed in Section 3, each component of a PKI a broader user base and use cases remains challenging. is designed to mitigate a problem that arises during the Establishing a national-level PKI that would provide the general implementation of digital signatures in the real world, such population access to secure digital signing capabilities—such as the ones discussed above. Beforehand, it is crucial to as generating high-trust qualified electronic signatures under understand the essential requirements for PKI, tailored to a national electronic transaction regime—is a complex task the strategic needs of each context. that no country has fully mastered. 10 In defining the user base for PKI, it is important to recognize WHAT DOES IT TAKE TO the diversity of needs across different entities. As mentioned, IMPLEMENT A PKI? private keys can be attributed to various types of entities, all of which become “signers.” They include not only people, but also corporate entities, servers, digital devices, or software Essential requirements for PKI applications (such as web browsers). Each type of user has distinct requirements, which necessitates the development of Countries looking to implement PKI should always consider tailored PKI for users. For instance, a PKI that is designed to the essential requirements as well as the various strategies facilitate automated signing by devices will look different from and alternatives to establish digital trust. Who will use the a PKI that must provide for people to generate signatures. certificates issued and what will they be used for? Are there alternatives to PKI itself, or to the implementation model Usability chosen for PKI? In recognizing usability as a key factor for PKI adoption, it In many cases, strong authentication and/or authorization is important to consider the diverse design options for an through a digital identity may well provide adequate trust for improved user experience. Ultimately, the goal is for PKI to transactions to be completed. For example, non-repudiation live in the background and never be seen—hence, tackling can be achieved adequately with a strong authentication the inherent complexity while meeting stringent security process at the transaction’s completion in the same way requirements without imposing unnecessary hurdles on that a PKI-based electronic signature denotes acceptance users is crucial. It avoids high cost and complexity which by the subject who has signed. However, policies and deter adoption in various use cases. legislations often get fixated on outdated constructs, such as wet-signatures, and simply seek a digitized solution rather In cases where signers are individual citizens, it is essential than an equivalent digital solution. to tailor the PKI design to the digital skills of its users. For example, PKIs designed for the general public need to be Risk should always be a key consideration in any large-scale more user-friendly and intuitive; the lower the digital skills IT implementation. Perhaps more so in the case of PKI, where of the intended user base, the greater the need to hide the its implementation is itself a mitigation of risks in other complexity of PKI implementation from the user. transactions and across sectors. As such, countries should be careful to consider how a PKI solution will be utilized now On the other hand, systems designed for a small set of and in the future, the impact it is expected to achieve, and sophisticated users can afford to expose some of its complexity, how this relates to cost of implementation, risks, and threats. potentially offering more advanced features. Ideally, the PKI implementation would operate entirely in the background, 10 While numerous countries have provided citizens with digital certificates for generating high-trust electronic signatures backed by a robust legal framework, the actual uptake has been minimal due to usability challenges and a lack of compelling use cases. For example, national ID cards issued in many European countries embedded a digital certificate stored on the chip of these “smart cards;” however, the practical hurdles around using this chip for signing – such as the need for a dedicated card reader and the installation of specific software, etc. – have impeded use by citizens. The low user base has likely, in turn, made relying parties hesitant to integrate such national-ID-card-based e-signatures into their business processes. Instead, they opt for lower-trust but higher-usability solutions, or simply continuing with traditional paper-based methods. 20 with the intricacies of certificate management masked behind where a country’s entire population are potential signers. an intuitive user interface. Similarly, if the signers and verifiers are dispersed—whether geographically, or across sectoral or national borders—it will Scalability increase the complexity of PKI implementation. The design of PKI should account for scalability requirements, Cost-efficiency which primarily depends on the parties involved and its geographic coverage. For instance, if many individuals or Certain PKI features, such as carrying out in-person identity entities are involved in the signing and verification process, it verification during key issuance, may have benefits in terms may require a more complex PKI implementation structure to of security or accessibility, but come at a cost. The value provide the robust infrastructure needed to manage identities added of deploying such a PKI-based solution for a given use and keys effectively. This is particularly true in implementations case should inform whether the additional cost is justified. Box 2: Quantum computing Quantum computing represents a revolutionary leap in computational power, with its potential to solve certain types of problems much faster than classical computers. While classical computers process information in bits (0s and 1s), quantum computers use quantum bits, or qubits, which can exist in multiple states simultaneously due to the principle of superposition. This allows quantum computers to perform parallel calculations at an exponentially greater scale than their classical counterparts. Modern cryptographic algorithms, such as RSA (Rivest-Shamir-Adleman) and ECC (Elliptic Curve Cryptography), rely on the difficulty of solving specific mathematical problems, like integer factorization and the discrete logarithm problem. These problems are computationally infeasible for classical computers to solve in any reasonable timeframe, which provides the foundation of PKI security. Essentially, they are considered “unbreakable” based on the limits of today’s classical computing power. Quantum computing challenges these assumptions. Algorithms, such as Shor’s algorithm, can efficiently solve the mathematical problems that underpin RSA and ECC. This means that, in theory, a sufficiently powerful quantum computer could break the cryptographic standards we rely on today, potentially rendering existing PKI systems vulnerable.a Although commercially viable quantum computers do not yet exist, their development is progressing. Certificates issued today often have lifespans spanning years or decades, raising concerns that they could be compromised once quantum computing matures. This is referred to as the “harvest now, decrypt later” threat, where encrypted data is captured today with the intention of decrypting it in the future using quantum capabilities.b Given the long-term impact, organizations need to start planning now for the post-quantum world. This includes transitioning to quantum-resistant cryptographic algorithms, which are designed to withstand attacks from both classical and quantum computers.c This is a significant shift that requires not only technical innovation but also governance, standardization, and operational planning.d a Yunakovsky, S.E., Kot, M., Pozhar, N. et al. “Towards security recommendations for public-key infrastructures for production environments in the post-quantum era.” EPJ Quantum Technol. 8, 14 (2021). https://epjquantumtechnology.springeropen.com/articles/10.1140/epjqt/s40507- 021-00104-z b Singh, Mandeep, and Albert H. Carlson. “An Introduction to Quantum Computing and Its Applications.” The Cyber Defense Review 9, no. 2 (2024): 73–92. https://www.jstor.org/stable/48784776 c Christiansen, Lærke Vinther, Ini Kong, and Nitesh Bharosa. “Governing the transition to quantum-safe PKIs in the Netherlands: Paving the way for our quantum-safe future.” (2023). https://hapkido.tno.nl/publish/pages/4385/hapkido_wp3_3-1deliverable_final_241123_.pdf d Kong, Ini, Marijn Janssen, and Nitesh Bharosa. “Challenges in the Transition towards a Quantum-safe Government.” In DG. O 2022: The 23rd Annual International Conference on Digital Government Research, pp. 282-292. 2022. https://dl.acm.org/doi/abs/10.1145/3543434.3543644 PUBLIC KEY INFRASTRUCTURE 21 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES Security software distribution channels to facilitate a more seamless user experience. A key factor in designing a PKI implementation is the need for a risk-based approach that aligns with the varying levels of General limitations of PKI assurance required for different types of electronic transactions. Not all transactions warrant the use of a PKI-based electronic While PKI is an important component of a national cybersecurity signature, which can be resource-intensive and complex. By strategy, it is important to recognize that simply implementing applying a tiered approach, PKI can be reserved for high- a PKI will not eliminate fraud or cyberthreats. The majority risk or high-assurance use cases, such as legally binding of current cyberattacks are linked to insecure design, contracts or financial transactions, while lower-risk transactions unpatched systems, misconfigured hardware and software, can be secured using simpler, less expensive methods like social engineering, trojans, broken access controls, and other two-factor authentication or basic digital signatures. This areas that PKI is unable to secure.11 allows governments and organizations to balance security, cost, and usability, ensuring that PKI is deployed where its Digital signatures generated using a PKI alone have no legal robust security is most needed, without overburdening lower- weight. They can be used to secure internal communications risk transactions with unnecessary complexity. channels or web browsing. However, in order to use PKI-based digital signatures to sign official government documents, Interface private contracts, or to provide trust in other transactions with legal implications, there must be a national legal framework The methodology for issuing and managing digital certificates for electronic transactions and signatures to clarify the legal plays a crucial role in determining the user interaction points value of the digital signatures generated using the PKI. If there with the PKI system. An in-person issuance process for a is legacy legislation that requires handwritten signatures or diverse population is intricate, requiring a comprehensive in-person interactions, then digital signatures may be of little network of registration authorities. In contrast, embedding use for key services. Equivalence between electronic and certificates in web browsers simplifies the interaction between handwritten signatures should be established in legislation users and the PKI system. It eliminates the need for direct to ensure acceptance. human identity verification, leveraging the existing secure 11 “The Open Web Application Security Project (OWASP) Top 10 – 2021” https://owasp.org/Top10/ 22 3 IMPLEMENTING A PUBLIC KEY INFRASTRUCTURE CORE COMPONENTS To augment their capacity for identity verification, CAs may elect to partner with external Registration Authorities (RAs) to help scale the registration process. Key actors Similarly, to ensure that the public keys used for verification Typically, a PKI architecture includes one or more issuing correspond to the correct subject, RPs may verify them Certificate Authorities (CAs) that can be cryptographically against an appropriate Validation Authority (VA)—which can linked back through a chain of trust to a secure root CA be internal or external to the CA, depending on the overall held offline. CAs create digital certificates (Cert) which can PKI design—allowing RPs to check if the digital certificate be used by subjects—who can be individuals, devices, or used for signing is valid or has been revoked by the CA. corporate entities—for generating digital signatures, often It should be noted that in the context of PKI implementation, in the framework of an electronic transaction. Entities that an “authority” such as a CA or RA is not the same as the rely on digital signatures (by verifying them) are referred to institutional that houses or implements it. In cases where as Relying Parties (RPs)—generally entities that provide some a PKI involves multiple CAs or RAs, these “authorities” can kind of service that can benefit from the level of trust that either be operated by the same institutional actors or divided digital signatures provide. CAs and RPs can be government between multiple institutions. entities or private firms. Figure 3 below outlines the key entities in a PKI architecture To ensure that digital certificates are issued to the correct and the high-level flows of issuance, subscriber signing (as part subject, or signer, CAs must register users individually and of a transaction), relying party acceptance, and revocation. verify their identity according to an established standard. Figure 3: Process for issuance and verification of digital signatures using PKI Root CA Identity Verification Request Cert Creation RA CA VS Revocation List Identity CA Signs Revocation Evidence and Check Issues Cert RP Check Subject Electronic Signature Cert Cert (issued by CA) (transaction) Metadata PUBLIC KEY INFRASTRUCTURE 23 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES Root CA signs offline signs The components of a PKI discussed above are summarized 3. Signature verification. Relying parties in receipt of an in Table 4. e-signature should check the metadata associated with the public key of the Subject to ensure, for example, that Certificate lifecycle the certificate has not expired and that the chain of trust can be traced back to an appropriate root. Equally, RPs 1. Certificate issuance. For a digital certificate to be issued, should also check with the Validation Authority to ensure the subject (subscriber) must first identify themselves to that the certificate has not been revoked. Signatures the RA at a level of assurance specified in policy or trust can be verified in person or remotely, online or offline, framework documentation. If the RA is satisfied with the depending on the requirements of the use case. identify verification, a certificate signing request (CSR) 4. Certificate revocation. At any point in the lifetime of a will be sent by the RA to the CA for issuance to occur. certificate, the issuing CA may be required to revoke 2. Signature creation. Once in possession of a digital that certificate and record this action in a revocation certificate, the Subject may use the private key contained list made available to relying parties via a Validation in the certificate to create an electronic signature to Authority. Certificates also expire at the end of their authenticate an electronic transaction or document. This validity period unless renewed by the CA. may then be passed to a RP by means to be determined by the mutual transaction. The certificate actors and lifecycle are supported by a set of policies and systems, as summarized in Table 5. Table 4: Core components and entities of a PKI Term Description Cryptographic elements Root of Trust Root of Trust is the private key used by the (root) CA in a PKI. This key is the foundational element for the trust hierarchy in PKI, as it is used to sign the root certificate and, by extension, any subsequent certificates in the trust chain. Actors Subject (Subscriber) A person, legal entity, or device requesting a digital certificate and subsequently using that certificate for the purpose of creating digital signatures. Certificate Authority (CA)a The entity that signs and issues digital certificates. CAs may issue certificates to subjects or to other CAs. CAs may also manage complementary functions, such as defining a policy or implementing a Validation Service (VS). Registration Authority (RA) The entity responsible for verifying the identity of the subject requesting the digital certificate and forwarding verified requests to the CA. The RA can be a third party, or the CA can also act as the RA. Relying Party (RP) An entity that consumes and verifies (relies on) digital signatures for the purpose of authenticating electronic transactions. a In some contexts, Certificate Authorities may be referred to as Trust Service Providers, especially if the CA also provides additional PKI-based services beyond digital certificate issuance, such as acting as a trusted timestamp authority (to assure non-repudiation). For the purposes of this note, the terms CA and TSP are used interchangeably. 24 Table 5: Policies and systems for PKI operations Term Description Policy elements Certificate Policy (CP) The CP is a high-level document that outlines the rules and policies governing the issuance, management, and lifecycle of certificates. It defines the types of certificates issued, their intended uses, and the requirements for obtaining and managing them. The CP sets the framework for how the PKI aims to manage trust and security, including the obligations of all participating entities (such as CAs, subscribers, and relying parties). Certification Practice The CPS is a detailed document that describes how a CA implements the Certificate Policy. It covers Statement (CPS) the CA’s specific practices regarding certificate issuance, management, revocation, and security controls, which include procedural, physical, personnel, and technical controls implemented by the CA to adhere to the CP. The CPS may also reference fees related to specific services offered by the CA, such as certificate issuance and renewal fees, and revocation fees. Systems Certificate Management Implemented internally by each CA, this system provides lifecycle management of digital System certificates, including processes related to issuance, storage, renewal, suspension, and revocation. It may also include audit logs for security and compliance purposes. Central Directory This is the secure location where the public keys associated with digital certificates are indexed, stored, and made accessible to relying parties.a It is designed to facilitate signature verification. Certificate Revocation List A periodically updated list of certificates that have been revoked by their issuer before their (CRL) scheduled expiration date, which relying parties can consult when verifying a signature.b Validation Authority A service that provides access to certificate revocation information contained in the central directory or revocation list. a The International Civil Aviation Organization (ICAO) Public Key Directory (discussed below) is one example implementation, combining a central directory with other elements, such as a revocation management system. b In addition to CRLs—which provide a relatively static method of confirming a certificate’s revocation status—alternative approaches also exist. For example, the Online Certificate Status Protocol (OCSP) allows relying parties to query a trusted service in real time to determine whether a certificate has been revoked. HIERARCHICAL COMPONENTS Tiered architectures address the limitations of a single-entity PKI by distributing roles and responsibilities across various entities, all while maintaining the core technical element of a PKI, namely, an unbroken cryptographic chain of trust Tiered architectures from the root to end users.12 The Issuing CAs at the lower It is technically possible for a single entity, such as a government tiers handle direct requests from end users, forwarded from agency or private firm, to implement all elements of this chain RAs. These requests are validated according to the policies of trust themselves. In practice, however, this is only common established by the Policy CA and then processed, resulting for small-scale PKIs with a limited set of users. For large- or in the issuance of digital certificates. Some key terms and population-scale PKIs, a hierarchical PKI model with multiple concepts relevant specifically to PKI hierarchy are detailed tiers of CA can thus offer significant advantages in scalability, in Table 6, while Figure 4 illustrates the single-, two-, and security, operational efficiency, policy implementation, and three-tiered PKI architectures. cost management. 12 A detailed discussion of the chain of trust in simple and hierarchical PKI models can be found in Annex 3: Chain of Trust. PUBLIC KEY INFRASTRUCTURE 25 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES Root CA Table 6: Components of a tiered PKI Identity Verification Request Cert Term Description Creation RA CA VS Tiered PKI An architectural approach that organizes digital certificates and cryptographic keys in a hierarchical structure with multiple levels of CAs with keys and certificates that are mathematically dependent on each other. Revocation Root CA The primary anchor of cryptographic trust, the Root CA List signs the certificates of Intermediate CAs, which are then used to sign end user certificates. The Root CA is typically kept offline to mitigate Identity the risk of compromise. Revocation CA Signs Intermediate CA Evidence and Check These CAs act as middle layers in the trust chain, connecting the Root CA with Subordinate CAs. They are Issues Cert responsible for most certificate issuance and management tasks, reducing the operational load on the Root CA. Policy CA As a specialized CA, often at the intermediate level of the hierarchy, a Policy CA defines and enforces the PKI’s RP certificate policies, ensuring adherence to security standards and practices. The policy Check function can be split Subject over multiple CAs in larger PKIs. Electronic Signature Cert Cert (issued by (transaction) CA) issues and manages digital Metadata Issuing CA This CA directly certificates to end users, including individuals, devices, and servers, in line with established PKI policies and practices. Figure 4: Comparison of single-, two-, and three-tiered PKI architectures Root CA signs offline signs Policy CA Policy CA offline offline Root CA signs offline signs signs signs signs signs CA Issuing CA Issuing CA Issuing CA Issuing CA Issuing CA Issuing CA issues issues issues issues issues issues issues issues RA RA RA RA RA RA RA RA registers registers registers registers registers registers registers registers 26 Benefits of hierarchy Operational efficiency can also improve in hierarchical models, as Intermediate CAs handle the bulk of certificate issuance Scalability is a significant benefit of tiered architectures, allowing and management tasks, reducing the operational load on for the delegation of authority to Subordinate CAs, sometimes the Root CA. Issuing CAs at the lower tiers process direct called Intermediate or Issuing CAs in a tiered architecture. requests from end users, validating these requests according This distribution facilitates efficient certificate issuance and to established policies. For example, one organization with management across a large number of users, accommodating strong capabilities in highly secure backed functions, like diverse use cases from everyday web browsing to high-risk key storage, could provide the root or trust, while other transactions, like mortgage applications. By spreading the organizations with frontend capabilities could handle client- workload, the system can handle high volumes of requests facing functions, like certificate issuance and recovery. without overburdening a single entity. Cost management is another advantage, as distributing roles Security is enhanced by segregating duties across multiple and responsibilities allows organizations to optimize resource tiers, reducing the risk to critical components, such as the Root use and reduce expenses. Tiered architectures can also allow CA. The Root CA is kept in a highly secure environment, often for specialization in a certain operation process or workload, offline, to mitigate the risk of compromise. Many operational allowing each CA in the PKI to maximize economies of scale tasks can be delegated to CAs further down the hierarchy, through specialization in their comparative advantage. The allowing the Root CA to improve its security posture by staying need for highly specialized equipment and secure facilities isolated from day-to-day operations. This layered approach is concentrated at the higher tiers, while lower tiers can helps manage risk and ensures that any breach at a lower operate with less stringent requirements, balancing security level does not compromise the entire system. and cost-effectiveness. Case Study 1: India • Governance: In India, the Office of the Controller of Certifying Authorities (CCA) has been established under the 2000 Information Technology Act for promoting trust in the electronic environment. • Policy: The CAs must comply with the Certificate Policy set by the CCA and have their certificate practice statements approved by the CCA. Compliance is assured through audits carried out by a firm on the panel of auditors accredited by the CCA.a • Root CA: The CCA operationalizes the root of the trust chain in India called the Root Certifying Authority of India (RCAI). The CCA certifies the public keys of all intermediate CAs, and maintains a central directory, called the Repository of Digital Certificates, which contains all the certificates issued to CAs in the country. • Intermediate CAs and RAs: 22 public and private sector CAs have been licensed by the CCA. These CAs are responsible for their own RA function, either by implementing it themselves or through partnerships with other entities.b a At the time of writing, eight Indian firms are empaneled by the CCA and accredited to audit CA compliance. Controller of Certifying Authorities (CCA), Ministry of Electronics & Information Technology, MeitY, Govt. Of India, “List of empanelled Auditors,” https://cca.gov.in/ list_emplaned_auditors.html b CCA, Ministry of Electronics & Information Technology, MeitY, Govt. Of India, “Licensed CAs,” https://cca.gov.in/licensed_ca.html PUBLIC KEY INFRASTRUCTURE 27 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES Case Study 2: Brazil • Governance: The Brazilian PKI, called ICP-Brasil, was created in 2001. It is overseen by a multi-stakeholder steering committee in charge of formulating and monitoring the execution of public policies related to ICP-Brasil, including its standardization and its administrative, technical, legal, and security processes (including, among other prerogatives, to oversee the operation of the PKI, establish the certification policy that governs the PKI and its participants, and audit and supervise the Root CA). • Policy: ICP-Brasil is governed by a series of policies and resolutions, including on security requirements, biometric standards, cryptographic standards, etc.a • Root CA: The national Information Technology Institute (ITI) operates the PKI and is the single Root CA signing the certificates of all Intermediate CAs in the scheme. • Intermediate CAs: At present, there are 23 CAs directly certified by the ITI-operated root CA (referred to as level-one CAs). These level-one CAs are either public or private entities. They can either issue digital certificates directly to the end users or outsource this function to a lower hierarchical level in the PKI. At this level, there are currently 121 level-two CAs, certified by one of the level-one CAs receiving their certificates from the root of trust.b • RAs: Each Intermediate CA is able to partner with a variety of entities providing registration services. Currently there are 2,575 such RAs in the country. Brazil exemplifies a hierarchical three-tiered PKI model where common standards apply to all the PKI actors in the country. This guarantees a robust PKI based on a unique root of trust and on a broad ecosystem of public and private entities issuing certificates. a Ministry of Management and Innovation in Public Services, Govt. of Brazil, “National Institute of Information Technology, Main Documents” https://www.gov.br/iti/pt-br/assuntos/legislacao/documentos-principais b National Institute of Information Technology, “Structure,” https://estrutura.iti.gov.br/ India and Brazil illustrate the case of a two-tiered and of a revoked certificates, every stage in the PKI lifecycle demands three-tiered PKI model, respectively. As seen in Case Study 1, adherence to stringent security policies. These policies are India has a unique root of trust and eight CAs, each of which essential for managing technology implementation within maintains autonomy in policy and implementation, including organizations and ensuring coordination and consistency outsourcing downstream activities to further Subordinate across various PKI actors. The ultimate goal is for PKI to CAs or RAs. In turn, as seen in Case Study 2, Brazil has a operate seamlessly in the background, but achieving this unique root of trust, 23 level-one CAs, 121 level-two CAs, requires balancing complexity and security to avoid high and 2,575 RAs. costs and low adoption rates. Key functions and challenges OPERATIONS Table 7 maps out the PKI operations to each digital certificate For a PKI to be effective and secure, the way it operates is lifecycle stage from its creation, issuance, and registration just as crucial as the technology it uses. PKI operations are to its ongoing management and recovery, if compromised, complex and thus require a diverse set of capabilities, usually including key operational challenges across lifecycle stages. spread over multiple actors or teams, with assured coordination For a more detailed presentation of PKI operational functions and compliance across all of them. From enrollment of end beyond this summary, the reader is referred to the complete users to maintaining the secrecy of private keys and the list of discussion in Appendix 5: PKI Operational Functions. 28 Table 7: Summary of PKI certification functions and implementation challenges Certification Operational details Key implementation challenges function Registration and Handle identity verification, using physical Scaling identity verification for large populations, identity verification registration centers or robust electronic verification with corresponding logistical and cost challenges, systems, sometimes integrating with national ID while ensuring accessibility and security. systems for streamlined processes. Creation and RA communicates a certificate signing request (CSR) Ensuring efficient and secure issuance, managing issuance to the CA for certificate issuance. The CA generates high volumes, preventing unauthorized issuance, and distributes certificates securely, signing them and safeguarding the integrity of certificates during with its private key. generation and delivery. Renewal and Extending the validity of certificates before expiration Balancing convenience of automatic renewals revocation and invalidating them before their scheduled with security requirements, timely updating and expiration as needed, with timely updates to dissemination of revocation lists, and maintaining revocation lists accessible to all stakeholders. constant availability of revocation lists. Storage and access Secure storage of digital certificates and private keys, Balancing security and accessibility for users, either locally on user devices or remotely managed educating users on their role in secure key by service providers, ensuring easy access for digital management, providing highly available access to signing and authentication. remotely stored keys. Policy and process Define and enforce detailed operational practices Keeping policies updated, effectively security and responsibilities, ensuring security and integrity communicating and enforcing the policies through policy implementation, control, and across all entities involved in the PKI, ensuring audit mechanisms. comprehensive security measures. Incident monitoring Detect and respond to security incidents with Accessing and interpreting data for incident and response dedicated teams and sophisticated monitoring tools, detection, maintaining a skilled response team, integrating with broader cybersecurity platforms for and ensuring consistent incident monitoring and threat intelligence and coordinated responses. response capabilities across all PKI actors. Backup and disaster Securely back up private keys and prepare for Creating comprehensive and executable disaster recovery disruptions with redundant systems and recovery recovery plans, balancing user-friendly recovery procedures to ensure minimal service interruption processes with security protocols, and adapting and data loss, regularly testing and refining disaster plans to various disaster types, whether technical, recovery plans. natural, or human-made. PKI INTEROPERABILITY: example, there may already exist multiple PKIs implemented by different organizations, but which are not interoperable due FEDERATING TRUST to a lack of a common trust anchor. Alternatively, differences in regulatory requirements between jurisdictions may impose The discussion thus far has concerned ensuring trusted a need for separate PKI implementations. Such cases could implementation of a single PKI. In the real world, however, it arise due to differences in national regulations between two is often necessary to extend trust across multiple PKIs. This different countries, or within one country when regulation is section will examine various techniques to render two or tied to a specific sector, such as the financial sector. Another more PKIs interoperable by using various cryptographic and reason why it may be desirable to have multiple interoperable standards-based techniques to bring them into a federation. PKIs operating in parallel is to better cater to the needs of specific users, or to allow for competition and innovation. Why federate? Federating trust across multiple PKIs can thus be an important component for a scalable national PKI implementation. There are various reasons why it might be necessary to render Federation can allow for multiple CAs to autonomously multiple independently operated PKIs interoperable. For implement separate PKIs while ensuring that trust extends PUBLIC KEY INFRASTRUCTURE 29 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES between them. In other words, federation makes PKIs Types of federation interoperable in the sense that relying parties who trust a CA of one PKI can trust CAs of another PKI in the federation While tiered PKI architectures scale operations by differentiating by extension. Such a federation can operate at the technical roles across trust chain levels, further scalability may require or policy level, or a mix of both, and can be a means of federating trust across multiple chains. This section summarizes providing solutions to the common policy issues that arise technical approaches to federating trust, categorized into when implementing national PKI ecosystems. cryptographic and non-cryptographic methods. For a more detailed discussion alongside case studies, please refer to Federating trust can be a means of providing a framework Appendix 6: PKI Interoperability: Federating Trust. for collaboration, scalability, and security across diverse and complex environments. This approach addresses the Cryptographic Approaches limitations of simpler, purely hierarchical PKIs by providing mutual recognition and interoperability across multiple chains A first class of federation approaches seeks to extend trust of trust. The below summarizes some general benefits of across existing or otherwise independent PKI trust chains by federated PKI models: linking them together mathematically, extending the same cryptographic techniques used to assure trust within a single Institutional mandates. Different sectoral legislation may PKI. Two common models are bridge certification, which mandate different actors to govern or regulate PKIs. Federating introduces an additional hierarchical layer to “bridge” trust trust allows each institution to execute its mandate while over two root CAs, while cross-certification operates at the promoting complementarity between PKIs and interoperability same hierarchical level as the existing root CAs. across the ecosystem. Bridge Certification • Institutional mandates. Different sectoral legislation may mandate different actors to govern or regulate In bridge certification, trust is federated over two existing PKIs. Federating trust allows each institution to execute CAs—and the PKIs they operate—by the introduction of an its mandate while promoting complementarity between additional CA at a higher hierarchical level. This additional PKIs and interoperability across the ecosystem. CA acts as a trust bridge by signing the certificates of the • Legacy systems. Integrating existing PKIs into a national existing CAs. This creates a common root of trust, allowing framework without losing previous investments is crucial. certificates issues by all bridged PKIs to be verified back Federating trust enables the incorporation of legacy to this newly established common root (see Case Study 3: systems, extending the PKI beyond the capabilities of United States). older infrastructures. • Benefits: Provides a single authoritative source for • Competition. Especially when involving the private certificate validation and simplifies governance. sector, allowing for multiple trust service providers to • Challenges: Concentrates risk in the bridge CA, which operate encourages competition, improving quality and creates a single point of failure. Bridged architecture may user experience. not suit contexts requiring autonomy and independence • Differing requirements: Different use cases and regula- across different PKI-implementing entities, or it may not tory requirements, such as those in the financial sector, be ideal for scaling to high certification volumes to meet necessitate specific PKIs. Federating trust allows for growing demand over time. specialized PKIs that can adapt to these specific needs. • Cross-border trust. Facilitating cross-border trust is Cross Certification (Mesh) critical for international transactions. The EU’s eIDAS Multiple distinct PKIs can be cross-certified—also referred and International Civil Aviation Organization’s (ICAO’s) to as mesh certification—when their root CAs exchange Public Key Directory (PKD) are examples where federated cryptographic information, facilitating trust between them. trust frameworks enable cross-border interoperability. In contrast to bridge certification, cross certification does • Public-private sector collaboration. Federating trust not require the addition of an additional cryptographic layer supports collaboration between public and private to the hierarchy. sectors, allowing each to focus on relevant use cases and leveraging their strengths. 30 • Benefits: Offers flexibility and decentralization while Central Broker maintaining a cryptographic linkage between PKIs. Suitable for federating trust across multiple PKIs while A central trust anchor manages the database of public keys, allowing a high degree of operational autonomy for each. providing discoverability and revocation information to facilitate trust. Central brokers can complement other federation • Challenges: Complex to manage as the number of approaches for the common standards approach (see Case participating CAs that need to be bilaterally cross- Study 5: ICAO for international passport interoperability). certified increases, making it less suitable for large-scale implementations that require trust to be federated • Benefits: Provides a mechanism to reinforce trust in contexts across many PKIs. where a high degree of operational independence is needed and enforcement of common standards for PKI Non-Cryptographic Approaches operations is not practical due to the dispersed nature of the PKI ecosystem. Applications could include large- The second class of federated models extends trust across scale or cross-border contexts. PKIs through common standards and regulation rather than • Challenges: Requires a robust governance model, a technical measures. central actor with a mandate to play the broker role, and adequate incentives for participating PKIs to dynamically Common Standards share information (e.g., revocation list update) with the Standards-based approaches federate independently operated central broker. PKIs into a common trust framework based on adherence to common standards and governance (see Case Study 4: Hybrid Approaches European Union). Combining elements from various approaches can create hybrid • Benefits: Provides flexibility, autonomy, and scalability models tailored to specific needs, such as accommodating without centralizing control. Enhances resilience legacy systems or regulatory constraints. Such hybrid models through diversification. offer flexibility but may increase governance or management complexity. (For a practical application of hybrid approaches, • Challenges: Relies heavily on governance and consistent please refer to Case Study 7: South Korea.) application of standards, with potential vulnerabilities if inconsistencies arise. Table 8: List of country case studies by federation approach Case Study Federation Model Country Number Cryptographic Bridge Certification United States 3 Cross-Certification (Mesh) Netherlands 10 Non-cryptographic Common Standards European Union a 4 United Kingdom 12 Lebanon 13 Central Broker ICAO 5 Hybrid South Korea 7 France 11 a France and the Netherlands are not listed here explicitly, although they do participate in the standards-based EU-level mutual recognition scheme for PKI-based trust services by virtue of EU membership and by virtue of Regulation (EU) No 910/2014 of 23 July 2014 on eIDAS. PUBLIC KEY INFRASTRUCTURE 31 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES GOVERNANCE • Legal Recognition. Without a legal framework providing legal recognition, PKI-based digital signatures cannot underpin trust in the digital economy. Legal trust frame- The above discussion makes clear that PKI remains far from works are needed to link the PKI ecosystem to the overall being a commodity service. The various challenges with legal framework for electronic transactions. operating, scaling, securing, and promoting the adoption of PKI-based services underscore the need for rigorous Accomplishing these goals requires collaboration between governance. To successfully promote trust in the digital a variety of disparate actors. One of the critical roles of a economy, PKI must operate in a complex institutional and governance framework is to clearly define the roles and regulatory space characterized by nested—and sometimes responsibilities of the various public and/or private sector overlapping—sectoral and institutional mandates. Although actors involved in ensuring trust in the PKI ecosystem. smaller subnational-scale PKIs may provide adequate levels of Governance frameworks typically provide for complementary trust for a limited set of use cases without such a comprehensive roles of various actors in the implementation and oversight of governance framework being in place, scaling out a national the various components of PKI implementation. Governance PKI ecosystem to population scale requires a more structured frameworks also provide for the legal recognition of governance approach. Planning ahead can allow governments PKI-based digital signatures by linking PKI governance to a to pre-empt a variety of common issues that arise when national-level electronic signature trust framework. A well- scaling a national PKI implementation, helping to ensure defined governance framework establishes clear roles and that the PKI ecosystem is sufficiently flexible, resilient, and responsibilities, thereby mitigating institutional conflicts and trusted to underpin trust in the digital economy as a whole. fostering collaboration. The following list details some outcomes of well-designed PKI governance frameworks: The following list gives some general functions common in PKI governance regimes, drawn from examples in countries • Distribution of Roles. No single entity can efficiently with relatively mature PKI ecosystems. Not all PKI governance handle all PKI functions—from securely managing a root frameworks separate out functions in the same way. In some of trust to registering and providing support to end frameworks, one actor may provide multiple functions. In users—at a population scale. Governance frameworks other regimes, especially in countries with relatively nascent allow for the distribution of roles, ensuring technical PKI ecosystems, trusted international bodies may be relied on tasks and client-facing roles are appropriately separated. for some functions, e.g., standard setting, guidance, or audit. • Flexibility. These frameworks provide flexibility for diverse • Legal Framework. The legal framework provides the use cases and sector-specific regulations by introducing legal foundation for PKI implementation. These laws hierarchical elements and providing for federated trust enable the legal recognition of digital signatures as within the PKI ecosystem. equivalent to handwritten signatures and define the scope of their enforceability in various transactions. The • Resilience. Hierarchical elements and federated trust institutional mandates of the various actors involved in both allow the involvement of additional actors in PKI PKI governance also stem from this framework. implementation, reducing risks by distributing trust across multiple entities. This can promote resilience • Regulation. Regulatory bodies develop and enforce by eliminating single points of failure with downstream specific rules governing the operation of PKI systems, impacts on the entire ecosystem. including the issuance, management, and revocation of digital certificates. These regulations often take the form • Private Sector Participation. Federating multiple PKIs of secondary legislation or detailed rules that ensure into a single interoperable ecosystem can foster competi- PKI systems operate within the legal framework set by tion, enhance service quality, and facilitate private sector national laws. involvement while maintaining government oversight. • Executive. The executive authority coordinates, oversees, • Interoperability. Governance frameworks ensure interop- and enforces the PKI legal and regulatory framework. erability and trust across autonomously managed PKIs This body may issue binding rules, ensure consistent by enforcing compliance with established standards, implementation, and take corrective action when neces- allowing trust to be extended across sectoral and sary. This role may overlap with the supervision function. national boundaries. 32 • Standards. Setting and maintaining technical and CPS must be approved ex ante by the CP-issuing body operational standards is crucial for ensuring the security, (such as a government agency or a Root CA) or by an interoperability, and reliability of PKI systems. Standards independent certification body to ensure that it aligns bodies at the international, regional, and national levels with the larger PKI ecosystem; in other cases, compliance define requirements that PKI operators must meet. These may be verified ex post, for example, through audits. standards may cover various aspects, from cryptographic algorithms to the procedures for identity verification or • Audit. CAs are regularly audited to verify compliance managing digital certificates. Standards are subject to with applicable standards, regulations, and policies. In a rigorous governance process and are not intended to particular, auditors confirm that the CPS is in compliance be amended frequently. with the CP, as well as confirm that CA operations are, in fact, in compliance with the CPS. Accredited auditors • Guidance. Technical guidance documents offer advice perform these audits to assess the conformity of CAs to assist PKI operators with interpreting standards and with the established requirements to maintain the trust implementing them securely. This guidance may include and security of the PKI ecosystem. information on best practices or concrete recommen- dations on how best to achieve compliance with policy • Accreditation. Auditors must be accredited by a trusted and established standards. Guidance documents can body to ensure integrity in the audit framework. Trusted be more easily amended than standards, allowing them processes of accrediting auditors is thus a key component to respond to changes in technology and evolving of PKI governance. National accreditation bodies are threat environments. typically responsible for ensuring that these auditors have the necessary expertise, impartiality, and capabilities to • Policy. The overall policy of a PKI implementation is perform rigorous conformity assessments. governed by standardized policy documents, such as the Certificate Policy (CP). The CP is a high-level • Supervision. Supervisory bodies play an ongoing role in document that defines the rules, requirements, and monitoring and oversight of PKI operators. These bodies practices governing the issuance and management of ensure that all entities involved in implementation and digital certificates within a PKI system. The CP estab - governance of the PKI ecosystem adhere to applicable lishes the legal, procedural, and technical framework laws, policies, and standards. Supervisory bodies may for the PKI’s operations. It provides normative guidance, be empowered to conduct reviews, request additional outlining what must be done, but not necessarily how it audits, and, if necessary, revoke the authorization of should be implemented. Specifically, the CP addresses non-compliant CAs or auditors. questions such as which certificates can be issued for • Dispute Resolution. Effective dispute resolution mecha- what purposes, the security levels required, and the nisms are necessary to address conflicts arising from the roles and responsibilities of various PKI actors, such as use of digital signatures. These mechanisms provide a CAs and RAs. The CP also defines the responsibilities, means for resolving issues, such as invalid signatures obligations, and liabilities of the various participants in or breaches of trust. In some cases, alternative dispute the PKI scheme, including relying parties. resolution methods, such as arbitration or mediation, may • Policy Implementation. CAs are required to publish be used to handle disputes without resorting to litigation. standardized documents that demonstrate how they Assigning roles and responsibilities in the governance framework plan to implement applicable policies in practice. The should consider the available capacity in-country of various Certification Practice Statement (CPS) describes the public and private sector actors, as well as any applicable specific procedures and security measures a CA will legal constraints or mandates. Leveraging and extending use to implement the CP. While the CP outlines what these existing capabilities will promote trust while minimizing must be done, the CPS explains how this will happen, governance overhead. When designing such frameworks, detailing the specific operational procedures to be countries should consider several factors, including: used for certificate issuance, management, validation, and revocation. The CPS also outlines the technical and • Technical Capacity. The governance framework should procedural controls followed by the CA to ensure CP assess the technical and operational skills of the agencies, compliance, including auditing and incident response including local private sector capacity, for operational protocols. Both CPS and CP typically implement applicable roles such as CA and RA. It should also understand the standards and technical guidance. In some cases, the PUBLIC KEY INFRASTRUCTURE 33 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES Figure 5: PKI Governance Legal Framework Trust Framework St an da rd G s ui da Good Practice nc e Supervisor Trust Executive Accreditor Auditor Services Provider G ui an d ce l na io at rn te In l o na N a ti infrastructure and facilities needed, such as secure data scope of institutions, such as a central bank versus a centers required for CA implementation. national digital economy ministry. Existing coordina- tion mechanisms between the various actors should be • Oversight Capacity. The competency of various firms leveraged when possible. and institutions in areas such as regulation, standard setting, and conformity assessment (audit) should be For more information on PKI governance arrangements and evaluated. The framework should take a broad view of some examples of how roles and responsibilities are distributed available oversight competencies within the country, between institutions in various PKI schemes around the world, leveraging private sector capabilities while providing see Appendix 7: Institutional Governance Arrangements. For trust anchors in the public sector. a concrete case study of how such a governance framework can operate in practice, the reader is referred to Appendix 4: • Scale and Reach. The focus of each firm or institu- eIDAS Governance Model, which includes a detailed case tion—whether citizen-facing or back-end, regulatory or study of the EU governance model for assuring cross-border operational—should be understood. The governance PKI interoperability, including details of the specific actors framework should consider existing relationships and playing each role. touch points with the population, such as networks of offices or branches that can be used for in-person registration and identity verification in the case of the DEPLOYMENT MODELS RA function. • Institutional Mandates. For the public sector specifically, The IT systems used to implement PKI must be hosted in it is crucial to recognize the mandates of institutions highly secure facilities. These dedicated facilities, known involved in PKI implementation and governance/over- as data centers, must be specifically designed to house the sight. The framework should understand the constraints needed network and data infrastructure (such as storage units and opportunities of each public sector body, such as and services) in order to allow PKI services to be deployed whether they are ministries or autonomous agencies, securely and without outages. The traditional deployment their ability to generate revenue, and their staffing capa- model is in data centers that are physically located on the bilities. It should also consider the sectoral or national premises of the organization implementing the PKI, allowing 34 all IT infrastructure to remain under its complete control. More Another critical consideration is how private keys are protected. recent deployment models leverage cloud computing to allow Traditional hardware security modules (HSMs) can be located the PKI operator to access the same secure IT infrastructure, on-premises, co-located with third-party providers, or fully located in off-site data centers, through a network connection. hosted in the cloud using software HSMs. Cloud-based Both deployment models have strengths and weakness, software HSMs, offered by major vendors, are rigorously which will be discussed in this section. tested and highly reliable, and can provide a faster and more cost-effective route to deployment without compromising On-premises versus cloud deployment security. For certain applications, these solutions can offer more than adequate protection for private keys while avoiding When selecting between cloud and on-premises solutions for PKI the high costs associated with acquiring and maintaining infrastructure, especially in environments dealing with sensitive physical HSMs. data, it's essential to assess business, operational, and user needs, as well as security and compliance requirements. Cloud The decision on whether to adopt cloud or on-premises PKI solutions offer advantages like scalability, cost-effectiveness, solutions may also be driven by legal or policy constraints, and multi-tenancy, leveraging shared security practices across particularly if regulation requires data localization. numerous tenants. These features make cloud infrastructure attractive for organizations seeking to deploy PKI services Choosing the right deployment model quickly and efficiently. The ability to scale for multiple clients in a shared cloud environment also reduces the need for The choice of deployment model depends on the needs heavy upfront investments in physical infrastructure. of a specific PKI implementation, and any constraints of the context, including factors such as anticipated use cases, For on-premises deployments, maintaining a high-quality budgetary considerations, available capabilities, and regulatory physical infrastructure, such as Tier 4 data centres with full considerations. The specific threat landscape that the PKI will redundancy,13 can be a significant financial and logistical face is also critical. For this reason, it is important to carry burden. This is particularly true in developing countries, out a comprehensive risk and threat assessment to ensure where such facilities may be unavailable, and maintaining the the solution meets security, business, and operational needs. necessary security certifications, like International Organization This section will examine a few common PKI deployment for Standardization (ISO)/International Electrotechnical models in turn and briefly discuss when they might be Commission (IEC) 27001,14 can be challenging. The responsibility appropriate choices. for securing both the data center and PKI service falls on the operator, making them liable for any breaches or poor On-premises hosting practices that could expose sensitive data like private keys. A key benefit of hosting a PKI in a data center located on the While cloud solutions can sometimes be perceived as vague premises of the organization implementing it is that it allows by policy makers, there are specific cloud deployment options the CA full control over the infrastructure and security. This that address key concerns. For example, private clouds can deployment model can be ideal for organizations with the be hosted in government-approved data centers, ensuring requisite high-security facilities and operational capacity, that sensitive data remains within the country’s control. and in contexts with stringent regulatory requirements or Hybrid cloud solutions offer a middle ground, combining highly sensitive data. By hosting the PKI systems internally, on-premise infrastructure with cloud-native resources. This organizations have the potential to maintain full oversight approach is especially useful in countries concerned with over all aspects of their certificate lifecycle, data encryption, data sovereignty, as it allows for a tailored solution that fits and access controls. both security and policy requirements. However, this approach requires significant upfront investment in hardware, software, and skilled personnel for ongoing 13 The Uptime Institute defines a standardized system for classifying data centers into four tiers (I-IV) with Tier IV offering the highest level of availability, fault tolerance, and redundancy to ensure continuous operation. Uptime Institute. Tier Standard: Topology. Seattle: Uptime Institute, 2018. https:// uptimeinstitute.com/resources/asset/tier-standard-topology 14 ISO/IEC 27001:2022. Information technology — Security techniques — Information security management systems — Requirements. Geneva: International Organization for Standardization/International Electrotechnical Commission, 2022. https://www.iso.org/standard/27001 PUBLIC KEY INFRASTRUCTURE 35 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES maintenance and updates. It also presupposes that the deployment model, the PKI functions identified as the most implementing CA possesses the requisite technical and critical or highly sensitive (such as certificate management) operational capacity to adequately secure and monitor the can be managed directly by the CA on-premises, while other hosting environment. On the facilities level, this requires the less-sensitive components (such as some operational functions, availability of highly secure data centers in which to house the backup and disaster recovery, cybersecurity monitoring data infrastructure needed to host the PKI systems. On the systems, etc.) can be offloaded to the cloud. systems and operational level, this supposes sophisticated physical and operational security controls as well as intrusion- One example of a hybrid model was already discussed above, detection and other treat-monitoring systems. Due to the where cloud-based HSMs could be integrated with other extensive prerequisites, on-premises hosting is best suited on-prem systems. Such a hybrid model could be deployed for organizations with extensive IT resources and the need to relieve the PKI operator from the responsibility and liability for absolute control over every aspect of their PKI operations. of managing the specialized and costly HSM infrastructure by delegating this task to a trusted third party. This HSM A variant of the on-premises hosting model is called colocation, functionality could then be integrated into other IT systems where the PKI operator leases space in a third-party data supporting PKI implementation, which would themselves be center. In this case, the data center operator manages physical hosted either on premises or in the cloud. security and energy provision, while the PKI provider deploys their own IT infrastructure (servers, HSMs, etc.) into this facility, In this way, the hybrid hosting model allows component-by- accessing them remotely. Although the IT infrastructure is not component decisions on which PKI system or subsystem is technically on premises, the deployment is very similar to the hosted on premises or in the cloud. This approach provides on-prem model in that the PKI operator remains responsible an opportunity to customize the deployment model and for owning and maintaining the IT infrastructure. adapt it to the context, allowing for a bespoke solution that can provide an optimal balance between security, cost, and Cloud hosting compliance issues, while mitigating against the impact of local capacity constraints. Depending on the details of the Hosting PKI systems off-site in the cloud15 offers a flexible, hybrid approach chosen, such a deployment model can scalable solution that reduces the burden on internal IT also introduce operational complexity, requiring expertise teams by leveraging the capacity of cloud providers to to manage interactions between the on-premises and cloud host and manage PKI services. Since cloud providers are environments. Hybrid models are ideal for organizations able to achieve significant economies of scale on their data needing a balance between control and flexibility. centers compared to most organizations implementing PKI, this option provides cost savings through reduced capital PKI as a Service expenditures and the ability to quickly scale PKI resources based on demand. Also, PKI as a Service (PKIaaS), a cloud-based deployment model, delivers fully managed PKI solutions, with certification However, cloud-hosted PKI requires sharing responsibility for services outsourced to a trusted third-party CA. This is distinct security with the cloud provider, requiring the availability of from cloud hosting of PKI systems, where a cloud provider suitable trusted cloud providers. Depending on applicable provides hosting services to a CA, but where the CA is still regulator y framework, cloud hosting may introduce operating the PKI systems (albeit at a distance). With PKIaaS, compliance issues, especially in jurisdictions that impose a customer is relieved of all operational responsibilities for data residency requirements. the PKI, as well as of procuring certification services. Hybrid hosting Buying PKIaaS on the market provides a way for organizations and government entities to use PKI without needing in-house Hybrid PKI models seek to combine the best aspects of PKI expertise or having to manage any of the required systems, on-premises and cloud-based deployment models to provide infrastructure, or facilities. With PKIaaS, organizations benefit an optimal mix of flexibility, control, and scalability. In a hybrid from scalability, reduced maintenance costs, the expert 15 Readers interested about more information on cloud computing are referred to Gelvanovska-Garcia, Natalija; Mačiulė, Vaiva; Rossotto, Carlo Maria. Advancing Cloud and Data Infrastructure Markets (English). Sustainable Infrastructure Series Washington, D.C.: World Bank Group. http://documents. worldbank.org/curated/en/099052824071033398/P1730321d6e1a30f71ae7717923561a28a4 36 know-how of specialist practitioners, and reduced liability. concerns can be mitigated through governance measures that Buying PKIaaS on the market can be a suitable sourcing ensure vetting, certification, and auditing of these third-party strategy for government entities seeking quick deployment to providers. The PKIaaS model is very common in advanced scale their operations, reduce capital expenditures (CAPEX) digital economies, with equivalency between government- costs, or support the development of local markets for trust and market-provided PKI services guaranteed by regulatory services. In can also be suitable for organizations that cannot, frameworks, such as the EU eIDAS framework, which is a or do not, wish to operate a PKI (see Sourcing below). particularly sophisticated example of a PKIaaS governance approach (see Appendix 4: eIDAS Governance Model). Drawbacks of PKIaaS deployment models include less customization and control compared to on-prem or hybrid Some key trade-offs between these deployment models are solutions, with heavy dependence on the service provider’s detailed in Table 9. security measures and compliance with standards. Such Table 9: Comparison of PKI deployment models Option Benefits Disadvantages Determining Factors On-premises Complete control over security High initial setup and Availability of in-house expertise hosting and infrastructure maintenance costs Physical security of available facilities Greater data sovereignty and control Requires significant IT and Available internal expertise to operational resources No reliance on third-party providers manage physical security and data Limited scalability infrastructure Cloud hosting Scalable for dynamic needs Integration challenges with Market offerings and availability of existing systems trusted cloud providers Cost efficiency and lower CAPEX Some loss of direct control Risk of downtime or outages in Simplified operations over infrastructure connectivity to cloud and management May not be compliant with all Available internal expertise to manage Decreased need for internal data regulatory frameworks cloud procurement and security hosting skills and capacity Improved security if requisite skills and facilities are unavailable Hybrid hosting Optimal balance between control Increased complexity Available internal expertise to handle (on-prem) with cost and scalability both environments Increased requirement for (cloud) clear data governance Managing technical integration Greater flexibility than fully cloud- between environments May require specific tools to based models for complying with maintain seamless integration regulatory requirements PKIaaS Highly simplified deployment with Less customizable than self- Market offerings and availability of minimal operational overhead managed PKI solutions trusted PKI service providers Scalability to adapt to dynamic Dependency on provider's Risk of downtime or outages in demand or changing needs security and availability connectivity to cloud Suitable for organizations lacking Loss of granular control When securely operating complex PKI expertise PKI infrastructure is not feasible, for example, in-house expertise is limited PUBLIC KEY INFRASTRUCTURE 37 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES SOURCING becomes essential to oversee these outsourced functions to preserve the trust of PKI. Conversely, keeping registration processes within government control, such as insourcing them within government, can help maintain consistency and, Sourcing approach in some contexts, promote trust by leveraging the credibility Trust in PKI cascades from the Root CA through issued of trusted government entities. certificates (held by subscribers) to eventual consumption by relying parties. Ensuring that chain of trust is the single most It is also possible to contract a commercial provider to important aspect of a PKI. However, it does not mean that manage the Root CA and physical infrastructure, which the Root CA and subsequent issuance has to be managed provides government agencies with the ability to manage by a single government agency or even within a government. the RA and CA without taking on the cost and liability of These decisions are policy-based, and with the adequate infrastructure management. Outsourcing the sensitive agreements in place, they can be adapted for a variety of components in upstream tiers of the PKI—such as the Root high-trust applications. Below details the trade-off of various CA—to the private sector can reduce cost while enhancing options in outsourcing components and functions. security and cost-effectiveness, especially if government lacks these capabilities or is unable to generate economies Governments may manage all PKI levels in-house, centralizing of scale needed for efficient implementation. Under such trust and maintaining overall oversight. This presents certain arrangement, a private sector CA might manage the root of advantages in terms of government control over the details trust in secure data centers, but registration functions remain of implementation. This can, in turn, simplify governance to be carried out in government offices alongside other public and regulatory arrangements needed since less actors are services. In contrast, insourcing can be preferable in cases involved in PKI implementation. Such insourced models are where adequate capabilities are not available on the market, common for use cases with a relatively limited number of or where government has adequate capacity. users and transactions, or when a high level of government control is required to provide trust, such as for certain types Federated models, where PKI implementation is split over of highly sensitive government documents. multiple parallel chains of trust, opens up new sourcing strategies that increase the flexibility of the overall PKI. However, an in-house government implementation of PKI Federation allows simultaneous insourcing and outsourcing requires significant resources, and can impede scalability or by allowing certain chains of trust to be outsourced. For create a single point of failure. With the exception of the legal example, trust chains serving the needs of specific use framework itself, any part of the PKI operation or governance cases can be outsourced, with other chains operated by can be implemented by either public or private sector players. government actors. Distributing implementation between Indeed, for any component of a national PKI ecosystem—from public and private sector actors promotes scalability and the Root CA to registration activities—examples can be found customizes PKI for specific use cases. Also, it often makes for countries that have insourced and outsourced each. This sense to have separate domain-specific PKI, such as for extends to many policy and governance functions, aspects education, healthcare, or ID Cards. A typical example would of which can also be carried out by the private sector. be banks or other private sector actors acting as CAs for digital commerce use cases, while the government-managed Although outsourcing some or all aspects of PKI implementation CAs sign official public documents. Overall, the federated to the private sector can bring benefits such as scalability, model would not undermine the trust in e-signatures—given security, flexibility, and cost savings, it can also present new trust should not be maintained by the singularity of a PKI challenges and heighten the need for robust governance. system but the operational integrity of each individual PKI. For example, when downstream tiers of the PKI hierarchy— such as CAs and RAs—are managed by the private sector Finally, some governments outsource the operation of the through institutions like private banks, with the central bank entire PKI ecosystem to the private sector, allowing government maintaining control of the Root CA, there is a clear division to focus on regulation, supervision, and compliance roles. of responsibilities. The arrangement can bring comparative This model can be attractive when government lacks the advantages from actors that have citizen-facing systems specialized skills to implement a PKI or wishes to leverage and infrastructure, while simultaneously keeping sensitive private skills and capital for sustainable PKI operation (see back-end functions within government. Robust governance discussion of PKIaaS deployment models above). 38 In general, governments are moving toward outsourcing Financing certain components along the PKI hierarchy. The discussion on sourcing is summarized in Table 10. • Demand analysis. Analyze projected demand for PKI use cases and assess the value proposition of PKI-based Choosing a Sourcing Strategy digital signatures to ensure sustainable demand. • Business model. Define the main goals of the PKI, The decision to insource (operate in-house) or outsource including coverage, adoption, and revenue genera- a national PKI is a complex one that depends on various tion, and ensure that adequate cost recovery provides factors, including the specific needs and capabilities of the sustainable return on investment. country, its government agencies, and its goals for the PKI system. Both approaches have their unique advantages and • Budget. Evaluate whether funds are available for large, disadvantages, and the choice should align with the country's upfront CAPEX in PKI infrastructure, and which cost strategic objectives, resources, and expertise.  drivers could benefit from conversion to operational costs (OPEX) through outsourcing. The choice between insourcing and outsourcing should be • Sustainability. Ensure the sourcing strategy is financially developed based on a careful assessment of the country's sustainable at the chosen scale, given available demand specific requirements, resources, risk tolerance, and long- and resources, with adequate budget for maintenance term goals for the PKI. It may also involve a wide consultation and OPEX. with experts and stakeholders, and a cost-benefit analysis to determine the most suitable approach. In particular, it is Requirements and needs important to consider: • Security. Consider the sensitivity of use cases, their Capacity and constraints requirements, and any regulatory constraints. Consider, in particular, the extent to which it is or is not critical for • Institutional capacity. Assess government resources and government to operate the infrastructure for a given capabilities for managing PKI components, including use case. infrastructure and human resources. • Usability. Ensure that registration, certificate management, • Legacy systems. Integrating with existing PKI implementa- signing, and other PKI-related services are accessible tions. Federated models can offer solutions to leverage and user-friendly. existing investments and avoiding fragmentation without needing to start from scratch or impose centralization. • Flexibility. Ensure the PKI can adapt to the needs of diverse user bases and use cases. • Regulation. Consider regulatory constraints that restrict design and sourcing options. • Scalability. Verify that the approach can handle growing user bases and increased demand as the digital • Market offerings. Evaluate private sector capacity and economy develops. service offerings and consider if involving private sector actors can help augment government capabilities. • Innovation. Assess if the sourcing strategy encourages competition, innovation, and user-centricity. • Market development. Consider if involving private sector actors can help promote innovation or develop • Resilience. Ensure the design and sourcing strategy local markets for trust services. enhance resilience and distribute functions to reduce single points of failure. PUBLIC KEY INFRASTRUCTURE 39 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES Table 10: PKI sourcing strategies compared Components Insourcing Outsourcing Specific components Upstream tiers • Benefits: Government maintains full control • Benefits: Reduced cost. Improved security if in the hierarchy over root of trust. government lacks adequate capacity. (e.g., Root CA) • Challenges: Resource intensive. Requires • Challenges: Loss of government control. Requires expertise and infrastructure. strong governance and oversight. Downstream • Benefits: Leverage trusted citizen interface and • Benefits: Dynamic scalability by adding registration tiers in existing network of local government offices. partners. Leverage existing client relationships and the hierarchy customer service channels. • Challenges: Operational burden for govern- (e.g., RA) ment. Limited scalability. Requires trained staff. • Challenges: Requires coordination with upstream PKI tiers. Strong governance and oversight needed. Policy & • Benefits: Tight control over security frame- • Benefits: Leverages private sector competence. standards work. Uniform standards promote trust Promotes competition and innovation. functions through transparency. • Challenges: Increased costs. Government • Challenges: Requires strong governance to avoid may lack required capacity. Rigid policies may policy fragmentation or misalignment. deter adoption and/or private sector participa- tion. Oversight & • Benefits: Centralized policy enforcement. • Benefits: Leverage existing capacity (e.g., auditors) compliance to reduce burden on government. functions • Challenges: Resource-intensive; may lack flex- • Challenges: Requires strong governance to avoid ibility. security gaps. Increases complexity of over- sight model. General outsourcing Specific trust • Benefits: Consistency in PKI design and policy • Benefits: PKI can be tailored to the needs of chains and tighter control. specific use cases or regulatory requirements. Optimal distribution of roles between public and private sector. • Challenges: Lack of flexibility to meet • Challenges: Requires strong governance to ensure diverse requirements. Scalability challenges. interoperability between trust chains. Missed opportunity to leverage private sector capacity. The entire PKI • Benefits: High level of government control of • Benefits: Leverages private sector know-how. ecosystem implementation. Minimizes continued OPEX. Mitigates against low government implementation capacity, allowing government to focus on regula- tion and supervision. Minimizes one-time CAPEX. • Challenges: Difficulty scaling to demand of the • Challenges: Increased premium on strong gover- range of use cases across the digital economy. nance and oversight. Sustaining OPEX over time. Missed opportunity to leverage private sector. High CAPEX. 40 Readers looking for a detailed discussion of sourcing strategies For instance, the French Government’s hierarchical government in addition to detailed country case studies are referred to PKI (see Case Study 11) is dedicated to state entities and Appendix 8: Sourcing Strategies. The assessment tool in use cases related to inter-ministerial communication, while Appendix 9: PKI Sourcing Checklist can be used to help over 20 private sector accredited PKIs issue certificates for governments define a PKI sourcing strategy. the broader digital economy’s electronic transactions. The Dutch model represents another hybrid PKI model, where Sourcing trends: hybrid models the government outsources key elements of the trust chain, including core government use cases to private sector PKIs Although some governments consider PKI as a critical national regulated by eIDAS, similar to the French approach. Such infrastructure to be operated in-house for a narrow subset of hybrid models are gaining traction across the EU, where use cases—such as those related to national security, military the eIDAS Regulation has enabled a flourishing ecosystem applications, or official identity credentials, such as national for qualified CAs. These CAs work alongside government- ID cards or passports—there is a growing trend towards operated PKIs that are usually focused on a more limited set encouraging private sector participation in PKI implementation. of public sector use cases (see Case Study 10). The hybrid public-private model is increasingly popular as governments seek to maximize government control for sensitive There are also hybrid models where the government maintains use cases while simultaneously providing the scalability and a vertically integrated PKI for certain use cases, such as flexibility needed for PKI to be able to grow at the speed signing national ID credentials, and allows other private of the digital economy. Many advanced digital economies sector involvement as intermediate CAs or RAs for sub-PKIs operate government-driven PKIs for core use cases while catering to specific use cases. This approach ensures that all allowing private sector participation for other applications. trust chains remain subordinate to the national Root CA. The This strategic combination enhances scalability, innovation, South Korean case is one such hybrid model which retains and cost-efficiency in national PKI strategies. elements of vertical integration for a select set of use cases (see Case Study 7). Creating space for private sector CAs for their ability to innovate and scale PKI operations is likely an increasingly Overall, in the evolving landscape of PKI, there is a rise of important component of national PKI strategies moving hybrid models that strategically merge elements of vertical and forward, especially when digital economies are increasingly horizontal integration with a distributed approach, engaging mature and the demand surges for systems to help secure multiple stakeholders. These models offer a balance of security trust in electronic transactions. and flexibility, leveraging the competitive advantages of both the public and private sector in the operationalization of PKI. Table 11: List of country case studies by sourcing strategy MANAGING LIABILITY Case Sourcing Country Study While technology, governance, and operational measures are strategy Number crucial for PKI security, there is no such thing as a perfectly secure digital system. Given that PKI is often used to secure Insourcing Estonia 8 high-risk transactions, a security breach can result in significant Outsourcing Brazil 2 liabilities. A PKI must be designed to manage these risks downstream tiers South Korea 7 effectively to mitigate potential damages. Saudia Arabia 9 Outsourcing The Netherlands 10 Security breaches in PKI typically stem from either compromise upstream tiers of the physical infrastructure or from operational failures in the Outsourcing France 11 processes overseen by actors such as CAs or RAs. Managing specific trust Lebanon 13 these risks effectively involves ensuring the security of the chains people, process, and technology elements involved in PKI. Outsourcing the United Kingdom 12 (Securing the physical data infrastructure is discussed above entire PKI in the section on deployment models.) PUBLIC KEY INFRASTRUCTURE 41 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES Managing liability in the CP and CPS is essential to this conditions under which the CA might be held liable for framework, helping to ensure compliance with policies and failures or breaches, and those under which the CA would standards that are critical to operational integrity and trust, disclaim liability. while also limiting liability in the case of incidents. In the event of a breach, the CPS serves as a critical tool for Ensuring the quality of, and compliance with, these policy legal defense, allowing the CA to demonstrate compliance documents is critical to maintaining the operational integrity with the applicable policy framework. By thoroughly detailing and trustworthiness of the PKI, and also for limiting CA liability operational controls and security measures and demonstrating in case of a security incident. Drafting these documents is a their compliance with relevant regulations, policies, and highly skilled task due to their complexity and importance standards, the CA is able to manage the risk of being held in managing security and liability. liable for security breaches arising from their application. Certification of the CPS and audits of the compliance of CA The role of the certificate policy operations also help ensure trust and strengthening of the By clarifying the conditions under which liabilities may arise, liability management framework, giving the CA the ability to the CP helps ensure that all parties are aware of their roles document the adequacy of their operations. The same logic in maintaining the integrity of the system. The CP addresses applies to the due diligence the CA applies to suppliers or liability at a high level, providing the overall framework for downstream CAs and RAs that also may be subject to the liability management, setting out the responsibilities and same CP and CPS. While the certification process can be obligations of different PKI participants (CAs, subscribers, resource-intensive, particularly in developing countries, it relying parties). For example, it sets general expectations builds trust and reduces legal exposure. for how a CA should revoke compromised certificates and handle disputes. Additional discussion on managing liability can be found in Appendix 12: Managing Liability. The CP also outlines the conditions under which CAs, subscribers, and relying parties may be held accountable for breaches or failures, such as misissuance of certificates or failure to revoke DRIVING ADOPTION compromised certificates in a timely manner. For example, a CP typically specifies actions or failures (e.g., failure to revoke Merely providing digital certificates to citizens or businesses a certificate in time) that would render a CA or relying party does not guarantee that they will actually be used. As an liable for a security breach. The CP also defines the general example, one need look no further than the current generation expectations regarding certificate lifecycle management and of national ID “smart” cards that include digital certificates security, including dispute resolution mechanisms. embedded in an electronic chip on the card. In many ways, national ID cards should be a perfect platform for a digital The role of the certification signature creation device, given the high security of the chips practice statement used, the robustness of the issuance process, the provision by trusted government actors, and the broad—sometimes The CPS addresses liability management at an operational level, universal—coverage among citizens across the country. detailing how the CA will implement the provisions outlined However, many governments have been disappointed to in the CP. As noted above, the CPS specifies the procedures find low utilization of these digital certificates in practice, for certificate issuance, validation, and revocation, as well with few citizens using them for signing, and relatively few as the roles and responsibilities of each actor. In particular, services being designed to make use of them.16 it defines the CA’s obligations in specific scenarios, such as certificate issuance and revocation. Indeed, without compelling use cases and good usability, PKI can be complex and cumbersome for everyday users, By clarifying who is responsible for the different aspects of especially when it requires special hardware, such as card PKI operations, the CPS helps in assigning liability in case readers, or the installation of unfamiliar software. If the of a failure in any operational area, thereby clarifying the perceived value does not outweigh the inconvenience, users 16 A list of some such countries can be found in the discussion on registration in Appendix 5: PKI Operational Functions. 42 are unlikely to embrace it. To drive adoption, it is critical to to integrate electronic signatures into service delivery, it is lower both the financial and non-financial costs associated estimated that electronic signatures save each Estonian five with using PKI. This means simplifying the user experience, workdays annually.20 integrating PKI into seamless and relevant digital services, and ensuring that the infrastructure is accessible without requiring Improving usability specialized equipment. At the same time, there must be a reason to use PKI: without compelling services that clearly Usability improvements have also helped drive adoption in demonstrate the benefits of secure digital interactions—such Estonia. Originally linked to the Estonian national ID card, as e-government services, secure financial transactions, or electronic signatures in Estonia can now be generated using a digital identity verification—users will have little motivation smartphone app, making the user experience more seamless.21 to adopt PKI-enabled tools. In the 20 years following the introduction of the electronic signature enabled national ID card in Estonia, 1.09 million Creating demand unique individuals have generated at least one electronic signature, a remarkable statistic for a country with a total One of the most effective ways to encourage PKI adoption is population of only 1.37 million. The number of signatures through the rollout of essential services used by the general generated per year has grown exponentially over time, from population, and re-engineering these services in a way that only 14,000 in 2003 to 123 million by 2022.22 allows them to make appropriate use of the trust offered by PKI. In the European Union, for example, the EU Digital Incentivizing adoption COVID Certificate initiative demonstrated the power of digital signatures by requiring citizens to present digitally signed On the supply side, regulatory reforms that encourage the vaccination certificates to travel and access services during use of digital signatures can help drive adoption. In the the pandemic.17 By making presentation and verification of EU, for example, the second Payment Services Directive these certificates required for daily activities, such as access (PSD2) required participating payment service providers to cultural events, restaurants, bars, hospitals, schools, etc., to identify themselves and their websites using PKI-based this large-scale, public-facing initiative pushed millions of digital certificates.23 individuals to interact with PKI-based services, some for the first time. By the end of the pandemic, over 2 billion such In India, the government has mandated that certain official certificates had been issued.18 communications, financial transactions, and corporate filings in sectors like taxation be signed with a PKI-based digital Outside of the emergency context, in Estonia, PKI-based signature.24 This regulatory push significantly increased the signatures have become integral to a variety of citizens’ adoption of PKI in the financial sector, and later extended interactions with government, including registering a business, further to services like digital procurement, creating incentives filing taxes, notarizing documents, or even voting in national for businesses and individuals to obtain and learn to use elections without any paper signatures and without needing digital certificates. to be physically present in Estonia.19 With a significant push 17 European Commission, "EU Digital COVID Certificate," https://commission.europa.eu/strategy-and-policy/coronavirus-response/safe-covid-19- vaccines-europeans/eu-digital-covid-certificate_en 18 European Commission, "Report from the Commission to the European Parliament and the Council pursuant to Article 16(3) of Regulation (EU) 2021/953 of the European Parliament and of the Council on a framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, test and recovery certificates (EU Digital COVID Certificate) to facilitate free movement during the COVID-19 pandemic," https://eur-lex.europa.eu/legal-content/ EN/TXT/?uri=COM%3A2022%3A753%3AFIN&qid=1671720830115 19 Brown, Hannah. "What are qualified electronic signatures?" Republic of Estonia E-Residency, February 14, 2023. https://www.e-resident.gov.ee/blog/ posts/what-are-qualified-electronic-signatures/ 20 e-Estonia, "e-Identity, Smart ID" https://e-estonia.com/solutions/estonian-e-identity/smart-id/ 21 Republic of Estonia Information System Authority, "In 20 years, more than 800 million digital signatures have been given in Estonia," October 20, 2022. https://www.ria.ee/en/news/20-years-more-800-million-digital-signatures-have-been-given-estonia 22 Ibid. 23 Article 34, Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market. https://eur-lex.europa.eu/eli/dir/2015/2366/oj 24 For example, the Indian Income Tax Department mandates digital signatures for some types of tax filings are categories of users, including firms, political parties, and individuals whose accounts are auditable under applicable tax law; in other cases, digital signature is optional. https://www.incometax. gov.in/iec/foportal/help/how-to-register-e-filing-dsc-faq PUBLIC KEY INFRASTRUCTURE 43 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES Similarly, in 2023, the government of Jordan banned service way to further PKI adoption and innovation in trust services providers from requiring citizens to provide certified copies in the respective markets. of paper documents for administrative purposes. Such requirements, which had become common practice, involved obtaining official stamps to authenticate documents, leading STAKEHOLDER ENGAGEMENT to numerous inefficiencies and complaints from citizens. This regulation is designed to incentivize service providers Stakeholder engagement is critical in successfully developing a to develop PKI-based solutions to replace stamped paper national PKI ecosystem. Engaging with all relevant stakeholders, with digitally verifiable solutions.25 Similarly, the United Arab including government bodies, private sector entities, CAs, Emirates has adopted “digital first” and “digital by default” relying parties, and end users, is essential for the successful policies, which require all government services to provide implementation and operation of a PKI system. It is typical digital interactions, thus fostering the development of secure, for regulators, standard-setting bodies, and other entities PKI-enabled platforms for everyday administrative tasks.26 charged with PKI governance to consult stakeholders when defining and revising standards, policies, and regulations. Developing markets Regular consultations and stakeholder engagement ensures that the PKI design and implementation meets the diverse Another means by which governments can facilitate PKI needs of all users and maintains public trust. adoption is by developing markets for PKI-based services, lowering costs and promoting innovation. One means of This section gives an overview of certain key stakeholders doing so is through the establishment of cross-border trust to include in the PKI ecosystem development process along frameworks, which significantly boost demand for PKI-based with guidance on how to effectively engage with them. services by giving CAs and other trust service providers access to international markets. The eIDAS regulation in the European Stakeholder mapping Union is one example of how a unified legal framework can expand the addressable market for CAs, by facilitating cross- A well-structured approach begins with mapping out the key border legal recognition of their trust services. The eIDAS players who will use, implement, and govern the PKI ecosystem. framework simultaneously lowers costs by decreasing the The approach should start by conducting a comprehensive compliance burden for CAs, making it easier to cross-sell a mapping of relevant stakeholders and identifying roles that standardized product in many markets without needing to each stakeholder might fill. Key types of stakeholders to adapt it to comply with multiple regulatory frameworks. This include in the mapping exercise include: regulation not only enhances the trust in digital signatures and other trust services across borders but also expands • End users. Individuals, businesses, and organizations the potential market size for providers by allowing them to who will use digital certificates for signing. Consulting operate across the entire EU, rather than being confined to a diverse array of end users will help ensure that the PKI a single national market. This scalability makes investments is designed from the ground up to promote adoption. in PKI infrastructure more attractive to private companies, as they can serve a much larger customer base while ensuring • Relying parties. Businesses and organizations who will compliance with a single set of standards.27 Other regional rely on digital signatures by verifying them in the context bodies, such as those in ASEAN28 and the African Union,29 of delivering services or carrying out secure transactions, are increasingly exploring similar frameworks to facilitate including international actors in cross-border use cases seamless digital transactions across borders, paving the are envisaged. 25 Jordanian Al-Dustour Newspaper, "Al-Khasawneh issues a circular to stop requesting certified copies of paper documents," https://www.addustour. com/articles/1362708 26 United Arab Emirates, “National Digital Guidelines,” https://u.ae/en/about-the-uae/digital-uae/national-digital-guidelines 27 For more information on the eIDAS case, see Annex 4 and Case Study 4. 28 Association of Southeast Asian Nations, "Digital Economy Framework Agreement (DEFA): ASEAN to leap forward its digital economy and unlock US$2 Tn by 2030," August 19, 2023. https://asean.org/asean-defa-study-projects-digital-economy-leap-to-us2tn-by-2030/ 29 "AU Interoperability Framework for Digital ID." African Union, February 2022. https://au.int/sites/default/files/documents/43393-doc-AU_Interoperability_ framework_for_D_ID_English.pdf 44 • Implementors. Entities responsible for deployment of • Consultation. Understand the unique needs of each any technical components of the PKI, including current stakeholder, particularly relying parties and end users. and potential CAs, RAs, data center operators, etc. • Education. Communicate the complexities of PKI • Governance bodies. Lawmakers, regulators, digital implementation, emphasizing that it involves more than ministries and agencies, cybersecurity authorities, standards just hardware technology “infrastructure.” Explain how organizations, accreditation bodies, auditors, etc. the roles of CAs, RAs, governance actors, etc., interrelate and why cooperation is essential. • Civil society. PKI ecosystems with population-scale scope will have a diverse array of end users with different • Collaboration. Ensure that all stakeholders are involved requirements. Stakeholder mappings should seek to be in creating a roadmap for PKI implementation to maximally inclusive, ensuring to include representatives ensure their buy-in. This includes defining clear roles, of marginalized groups, such as persons with disabilities. responsibilities, and timelines to align with legal and regulatory requirements. Initial engagement Initial engagement and consultation allows policy makers to Continuous engagement gather input on the specific expectations, constraints, and Successful PKI implementation is an iterative process. requirements of identified stakeholders, while also educating Ongoing engagement ensures that stakeholders remain them about the technical and operational realities of PKI. Many aligned, and that the PKI adapts to evolving legal, technical, stakeholders may initially perceive PKI as a purely technical and governance needs of the PKI ecosystem as the digital solution; a coordinated effort across legal, technical, and economy matures. Regular feedback loops allow for adjustments governance structures is needed to help build consensus based on real-world usage and issues that may arise during on the need for various types of actors—technical and the implementation process. non-technical, public and private sector—to work together to ensure successful national PKI implementation. Key elements of a successful engagement include: PUBLIC KEY INFRASTRUCTURE 45 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES 4 CONCLUSIONS ESTABLISHING STRATEGIC DESIGNING FOR SUCCESS FOUNDATIONS • Design for the context. There is no one correct or preferred architecture for a national PKI implementa- • Develop a comprehensive digital transformation tion. The optimal approach is highly dependent on strategy. Countries should integrate PKI development context-specific factors such as the intended use cases, into their broader digital transformation strategy. This the implementation capacity of government, the avail- strategy should aim to enhance trust in electronic ability of market offerings, and the digital skills of the transactions across the digital economy and promote user base. It is important to assess institutional capacity inclusive service delivery in the private and public and market offerings before settling on a PKI imple- sectors. PKI objectives should be clearly defined in mentation approach to ensure cost-efficiency, security, policy documents and aligned with the national digital and sustainability. transformation strategy. • Focus on governance. Effective PKI implementation • Integrate PKI within a comprehensive electronic trans- requires more than just technical infrastructure; it hinges actions trust framework. Electronic signatures are not on a robust governance framework that encompasses reducible to PKI. Recognize that trust extends beyond regulations, supervision, and compliance mechanisms. PKI and deploy PKI within the framework of a risk-based Countries should prioritize establishing clear legal and approach to implement high-trust electronic signatures regulatory frameworks that define roles and responsibili- within a wider electronic transactions framework, including ties across all stakeholders. Supervision by competent electronic signature legislation. Adopting a risk-based authorities is essential to ensure ongoing compliance with approach where PKI-based solutions are reserved for standards and policies, while also addressing security higher assurance use cases can reduce friction and concerns and maintaining public trust. promote usability and cost-efficiency, encouraging digital economy growth. • Position the government as an enabler of the private sector. Ensure the government is an enabler rather • Build for local demand. Countries should tailor their PKI than a monopolist of digital trust. Governments should ecosystems to the specific needs and maturity level of create a favorable legal and regulatory environment their digital economies. While PKI-based digital signatures for private sector actors to provide signature services offer high levels of trust, they are costly and complex trusted through compliance with standards. By fostering to implement at scale. Investing in a comprehensive an environment that encourages private sector innova- PKI system without sufficient demand could lead to tion, governments can scale trust in the digital economy, underutilized infrastructure, resulting in poor returns on opening new opportunities for digitalization, including investment. PKI should be implemented in the context high-risk transactions. of a risk-based electronic signature framework that is technology neutral and leaves space for other potentially • Optimize deployment and sourcing strategy. Effec- more appropriate signature technologies when needed. tive PKI implementation requires careful consideration of deployment and sourcing strategies that align with national goals, institutional capacity, and market condi- 46 tions. Countries should assess whether to insource or outsource various components of the PKI, considering PROMOTING ADOPTION factors like scalability, security, and cost-efficiency. Hybrid models, which combine government control for sensi- • Use demand to drive adoption. Simply issuing digital tive use cases with private sector involvement to drive certificates is not enough to ensure their use. To drive innovation and scalability, are increasingly common. adoption, governments should integrate PKI into essential and widely used services, creating compelling use cases that demonstrate the value of secure digital interactions. ENSURING SCALABILITY Key services, such as e-government applications, secure financial transactions, or digital identity verification, should be re-engineered to rely on PKI, thus motivating citizens • Federate trust. Implementing various models of feder- and businesses to adopt and regularly use these tools. ating trust allows multiple autonomously-operated PKIs to achieve mutual interoperability. Federated approaches • Focus on usability. The complexity of PKI can deter are particularly relevant to achieve interoperability across adoption if it is not user-friendly. Governments should sectoral boundaries and national borders—or any situ- prioritize making PKI-based services accessible and ation where some autonomy of PKI operations may be easy to use, removing barriers such as the need for needed to adapt to differing use cases or regulatory specialized hardware or complex processes. Integrating requirements. By federating trust, countries can ensure PKI into seamless, everyday digital services, particularly that their PKI architectures are scalable to meet growing those accessible via mobile devices, can greatly enhance demand, facilitate interoperability between new and legacy user experience and increase adoption rates. The user systems, and facilitate participation of both public and experience of marginalized groups, such as persons private sector actors in PKI implementation, as needed. with disabilities, should be foregrounded in the design. • Leverage existing infrastructure for registration. To • Engage stakeholders. Sustained and inclusive engage- maximize efficiency and user adoption, the PKI registra- ment with stakeholders is essential to foster PKI adoption. tion model should leverage existing citizen and customer Governments should involve all relevant actors—ranging touch points. Failing to integrate with these established from government bodies and private sector entities to points can lead to unnecessary duplication in registration end users—in the development and operationalization processes and reduce overall adoption of the PKI system. of PKI. This collaboration ensures that the system is aligned with user needs and expectations, facilitating trust, compliance, and widespread adoption across the digital economy. PUBLIC KEY INFRASTRUCTURE 47 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES APPENDICES 48 APPENDIX 1: GLOSSARY OF KEY TERMS Asymmetric cryptography: see public key cryptography. the status of digital certificates for individuals and businesses that receive digitally signed messages.”34 Certificate policy (CP) means “a named set of rules that indicates the applicability of a public-key certificate to a Central directory is typically held online with “certificates and particular community and/or class of application with common other information available for retrieval and use in verifying security requirements.”30 The CP is a high-level document digital signatures.” It is used to “make a public key and its that outlines the rules and policies governing the issuance, correspondence to a specific signatory readily available management, and lifecycle of certificates. It defines the verification.”35 types of certificates issued, their intended uses, and the requirements for obtaining and managing them. The CP Certification practice statement (CPS) means “a statement sets the framework for how the PKI aims to manage trust and of the practices that a certification authority (CA) employs security, including the obligations of all participating entities in issuing certificates.”36 The CPS is a detailed document (such as CAs, subscribers, and relying parties). that describes how a CA implements the Certificate Policy. It covers the CA's specific practices regarding certificate Certificate management means the “process whereby issuance, management, revocation, and security controls, certificates are generated, stored, protected, transferred, which include procedural, physical, personnel, and technical loaded, used, and destroyed.”31 controls implemented by the CA to adhere to the CP. Certificate revocation list (CRL) means “a signed list indicating Chain of trust, or chain of cryptographic trust, means “an a set of public-key certificates that are no longer considered ordered list of one or more public-key certificates, starting with valid by the issuing CA.”32 a public-key certificate signed by the trust anchor and ending with the end-entity public-key certificate to be validated.”37 In Certification authority (CA), also called a certification service essence, it is a mathematical relationship between multiple provider, means “an authority trusted by one or more entities entities that provides unbroken, cryptographically verifiable to create and digital sign public-key certificates. Optionally, series of linkages between the root of trust 38 and the signature the certification authority may create the subjects' keys.”33 that the user affixes to the signed data or document. CAs are a type of trust service provider. Cryptographic key means “a value used to control cryptographic Certificate database, or a repository, means a “database of operations, such as decryption, encryption, signature active digital certificates for a CA system. The main business generation, or signature verification.”39 of the repository is to provide data that allows users to confirm 30 Recommendation ITU-T X.509 | ISO/IEC 9594-8 (2019), “Public-key and attribute certificate frameworks.” https://handle.itu.int/11.1002/1000/14033 31 National Institute of Standards and Technology (2020), Special Publication 1800-16, “Securing Web Transactions: TLS Server Certificate Management.” https://doi.org/10.6028/NIST.SP.1800-16 32 Recommendation ITU-T X.509 | ISO/IEC 9594-8 (2019), “Public-key and attribute certificate frameworks.” https://handle.itu.int/11.1002/1000/14033 33 Recommendation ITU-T X.509 | ISO/IEC 9594-8 (2019), “Public-key and attribute certificate frameworks.” https://handle.itu.int/11.1002/1000/14033 34 National Institute of Standards and Technology (2021), Special Publication 800-32: “Introduction to Public Key Technology and the Federal PKI Infrastructure.” https://doi.org/10.6028/NIST.SP.800-32 35 UNCITRAL. 2001. Model Law on Electronic Signatures. Vienna: UNCITRAL. https://uncitral.un.org/en/texts/ecommerce/modellaw/electronic_signatures 36 Recommendation ITU-T X.509 | ISO/IEC 9594-8 (2019), “Public-key and attribute certificate frameworks.” https://handle.itu.int/11.1002/1000/14033 37 Recommendation ITU-T X.509 | ISO/IEC 9594-8 (2019), “Public-key and attribute certificate frameworks.” https://handle.itu.int/11.1002/1000/14033 38 This is the private key used to sign the digital certificates used by issuing CAs in the PKI. 39 National Institute of Standards and Technology (2017), Special Publication 800-63-3: “Digital Identity Guidelines.” https://doi.org/10.6028/NIST. SP.800-63-3 PUBLIC KEY INFRASTRUCTURE 49 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES Digital certificate, also known as a public-key certificate, message and to indicate the signatory’s approval of the means a “digital document issued and digitally signed by the information contained in the data message.”44 Electronic private key of a certificate authority that binds an identifier signature is a legal (as opposed to technological) construct to a subscriber to a public key.”40 The purpose of a digital (cf. digital signature). certificate is to securely associate cryptographic key pairs, which can be used for digital signing, with identities, such eIDAS Regulation , shor t for Electronic Identification, as individuals or organizations. Authentication and Trust Services Regulation, governs the cross-border mutual recognition of digital identity, electronic Digital identity means the unique representation of a signatures and trust services across European Union members subject engaged in an online transaction. A digital identity states.45 is always unique in the context of a digital service, but it does not necessarily need to uniquely identify the subject Hardware security module (HSM) means “a physical computing in all contexts.41 device that provides tamper-evident and intrusion-resistant safeguarding and management of digital keys and other Digital public infrastructure refers to foundational and secrets, as well as crypto-processing.” HSMs are often re-usable digital platforms and building blocks—such as deployed in secure data centers.46 digital ID, digital payments, and data sharing—that underpin the development and delivery of trusted, digitally-enabled Hash function means “a (mathematical) function which maps services across the public and private sectors. data of arbitrary size into data of a fixed size called a digest.”47 Digital signature means “an asymmetric key operation where Intermediate CA means a CA in a middle layer in a trust the private key is used to digitally sign data and the public chain, “acting as an intermediate CA within a certification key is used to verify the signature.”42 Digital signature is a path when it is the issuer of the next public-key certificate technological (as opposed to legal) construct (cf. electronic on that certification path.”48 signature). Interoperability means the ability of one entity to communicate Electronic transaction means a transaction, action, or set of with another entity.49 In the context of PKI, interoperability actions of either a commercial or non-commercial nature and between two PKIs means that trust in one PKI extends to the includes the provision of information and/or e-government certificates issued by another. services.43 Level of assurance frameworks describe the requirements Electronic signature means “data in electronic form in, that digital identity and electronic signature systems and affixed to or logically associated with, a data message, which services must meet in order to provide a certain level of may be used to identify the signatory in relation to the data assurance in their reliability.50 40 National Institute of Standards and Technology (2017), Special Publication 800-63-3: “Digital Identity Guidelines.” https://doi.org/10.6028/NIST. SP.800-63-3 41 National Institute of Standards and Technology (2017), Special Publication 800-63-3: “Digital Identity Guidelines.” https://doi.org/10.6028/NIST. SP.800-63-3 42 National Institute of Standards and Technology (2017), Special Publication 800-63-3: “Digital Identity Guidelines.” https://doi.org/10.6028/NIST. SP.800-63-3 43 “SADC Model Law on Electronic Transactions & Electronic Commerce, Establishment of Harmonized Policies for the ICT Market in the AC. Support for Harmonization of ICT Policies in Sub-Saharan Africa (HIPSSA).” International Telecommunication Union (ITU), 2012. https://www.itu.int/ITU-D/projects/ ITU_EC_ACP/hipssa/docs/SA4docs/electronic%20transaction.pdf 44 UNCITRAL. 2001. Model Law on Electronic Signatures. Vienna: UNCITRAL. https://uncitral.un.org/en/texts/ecommerce/modellaw/electronic_signatures 45 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. http://data.europa.eu/eli/reg/2014/910/oj 46 National Institute of Standards and Technology (2020), Special Publication 1800-16, “Securing Web Transactions: TLS Server Certificate Management.” https://doi.org/10.6028/NIST.SP.1800-16 47 Recommendation ITU-T X.509 | ISO/IEC 9594-8 (2019), “Public-key and attribute certificate frameworks.” https://handle.itu.int/11.1002/1000/14033 48 Recommendation ITU-T X.509 | ISO/IEC 9594-8 (2019), “Public-key and attribute certificate frameworks.” https://handle.itu.int/11.1002/1000/14033 49 Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms. National Institute of Standards and Technology. U.S. Department of Commerce. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-175Br1.pdf 50 UNCITRAL. 2022. Model Law on the Use and Cross-border Recognition of Identity Management and Trust Services. Vienna: UNCITRAL. https:// uncitral.un.org/en/mlit. 50 Non-repudiation means protection against an individual certificate. Registration is completed when the applicant’s who falsely denies having performed a certain action and identity has been verified and the certificate issued. provides the capability to determine whether an individual took a certain action, such as creating information, sending Registration authority (RA) means “those aspects of the a message, approving information, or receiving a message.51 responsibilities of a certification authority that are related to identification and authentication of the subject of a public-key Policy CA means the CA in a tiered PKI architecture that is certificate to be issued by that certification authority. An RA responsible for defining and enforcing the PKI’s certificate may either be a separate entity or be an integrated part of policy and/or certification practice statement. Both root the certification authority.”56 CAs and intermediate CAs could play the role of policy CA. Relying party means “an entity that relies on the data in a Private key means “the secret part of an asymmetric key pair public-key certificate in making decisions.”57 Relying parties that is used to digitally sign or decrypt data.”52 A private key are the verifiers of digital signatures. must be known only to its owner and is mathematically and irrevocably linked to its corresponding public key. Root Certificate Authority, or trust anchor, means a “CA with one or more trusted certificates containing public keys that Public key means “the public part of an asymmetric key pair exist at the base of a tree of trust or as the strongest link in that is used to verify signatures or encrypt data.”53 A public a chain of trust and upon which a Public Key Infrastructure key can be disseminated publicly and is mathematically and is constructed.”58 irrevocably linked to its corresponding private key. Root of trust means the private key used by the (root) CA Public-key certificate: see digital certificate. to sign digital signatures in a PKI. In practice, this key is the foundational element for the trust hierarchy in PKI, as Public key cryptography, or asymmetric cryptography, means the it is used to sign the root certificate and, by extension, any basis for digital signatures, involving the generation of unique, subsequent certificates in the trust chain. mathematically related key pairs using algorithmic functions. Signer, or signatory,59 means “a person that holds signature Public key infrastructure (PKI) means the infrastructure able creation data and acts either on its own behalf or on behalf to support the management of public keys that support of the person it represents.”60 When a subject or subscriber authentication, encryption, integrity, or non-repudiation uses a digital certificate to generate a digital signature, they services.54 become a signer. Registration, in the context of PKI, means the “process through Subject, or subscriber,61 means the person, legal entity, or which an applicant applies to become a subscriber” 55 of a device requesting a digital certificate and subsequently using PKI by contacting a registration authority to request a digital that certificate for the purpose of creating digital signatures. 51 For additional discussion, see also UNCITRAL. 2022. Model Law on the Use and Cross-border Recognition of Identity Management and Trust Services. Vienna: UNCITRAL. https://uncitral.un.org/en/mlit 52 Digital Identity Guidelines. National Institute of Standards and Technology (2017), Special Publication 800-63-3. U.S. Department of Commerce. https://doi.org/10.6028/NIST.SP.800-63-3 53 Digital Identity Guidelines. National Institute of Standards and Technology (2017), Special Publication 800-63-3. U.S. Department of Commerce. https://doi.org/10.6028/NIST.SP.800-63-3 54 Information technology–Open Systems Interconnection–The Directory: Public-key and attribute certificate frameworks. Recommendation ITU-T X.509. International Telecommunication Union (ITU). https://www.itu.int/ITU-T/recommendations/rec.aspx?rec=X.509 55 Digital Identity Guidelines. National Institute of Standards and Technology (2017), Special Publication 800-63-3. U.S. Department of Commerce. https://doi.org/10.6028/NIST.SP.800-63-3 56 Recommendation ITU-T X.509 | ISO/IEC 9594-8 (2019), “Public-key and attribute certificate frameworks.” https://handle.itu.int/11.1002/1000/14033 57 Recommendation ITU-T X.509 | ISO/IEC 9594-8 (2019), “Public-key and attribute certificate frameworks.” https://handle.itu.int/11.1002/1000/14033 58 A Profile for U. S. Federal Cryptographic Key Management Systems. National Institute of Standards and Technology (2015), Special Publication 800-152. U.S. Department of Commerce. http://dx.doi.org/10.6028/NIST.SP.800-152 59 UNCITRAL. 2001. Model Law on Electronic Signatures. Vienna: UNCITRAL. https://uncitral.un.org/en/texts/ecommerce/modellaw/electronic_signatures 60 Recommendation ITU-T X.509 | ISO/IEC 9594-8 (2019), “Public-key and attribute certificate frameworks.” https://handle.itu.int/11.1002/1000/14033 61 See Article 2. UNCITRAL. 2022. Model Law on the Use and Cross-border Recognition of Identity Management and Trust Services. Vienna: UNCITRAL. https://uncitral.un.org/en/mlit PUBLIC KEY INFRASTRUCTURE 51 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES The subject of a PKI can be any “person, organization, device, that govern a multi-party system established for a common hardware, network, software, or service.”62 purpose, designed for conducting specific types of transactions among a community of participants, and bound by a common Subscriber: see subject. set of rules, policies, and requirements.65 Tiered PKI means a PKI architectural model with CAs established Trust service means “an electronic service that provides in a hierarchical structure where “some certification authorities assurance of cer tain qualities of a data message and only certify other certification authorities, which provide includes the methods for creating and managing electronic services directly to users. In such a structure, certification signatures, electronic seals, electronic time stamps, website authorities are subordinate to other certification authorities.”63 authentication, electronic archiving, and electronic registered delivery services.”66 The certification services provided by a Transport layer security is a commonly used cryptographic certificate authority are a type of trust service. protocol designed to secure internet communications using digital signatures, defined by RFC 5246.64 Trust service provider67 means an entity that “enters into an arrangement with a subscriber” for the provision of digital Trust framework is a generic term often used to describe a certificates or other trust services.68 A certificate authority legally enforceable set of specifications, rules, and agreements is a type of trust service provider. 62 Digital Identity Guidelines. National Institute of Standards and Technology (2017), Special Publication 800-63-3. U.S. Department of Commerce. https://doi.org/10.6028/NIST.SP.800-63-3 63 UNCITRAL. 2001. Model Law on Electronic Signatures. Vienna: UNCITRAL. https://uncitral.un.org/en/texts/ecommerce/modellaw/electronic_signatures 64 Internet Engineering Task Force (IETF), with the current version being TLS 1.3 as specified in IETF RFC 8446 65 “Trust Frameworks for Identity Systems.” Open Identity Exchange. https://openidentityexchange.org/networks/87/item.html?id=175 66 UNCITRAL. 2022. Model Law on the Use and Cross-border Recognition of Identity Management and Trust Services. Vienna: UNCITRAL. https:// uncitral.un.org/en/mlit 67 UNCITRAL. 2001. Model Law on Electronic Signatures. Vienna: UNCITRAL. https://uncitral.un.org/en/texts/ecommerce/modellaw/electronic_signatures 68 UNCITRAL. 2001. Model Law on Electronic Signatures. Vienna: UNCITRAL. https://uncitral.un.org/en/texts/ecommerce/modellaw/electronic_signatures 52 APPENDIX 2: PUBLIC KEY CRYPTOGRAPHY PRIMER ASYMMETRIC CRYPTOGRAPHY CREATING DIGITAL SIGNATURES Cryptography is the branch of applied mathematics concerned For a digital signature, where the recipient needs to ensure with converting messages into an unintelligible form using the message came from a specific sender, the role of the two a set of mathematical formulas and then restoring them to keys is reversed. The signer generates a digital signature using their original state. Digital credentials and signatures are her own private key. Due to the mathematical relationship based on public key cryptography, sometimes known as between public and private keys, this means that anyone can asymmetric cryptography. Public key cryptography involves then authenticate the signer’s signature using her public key, generating two unique keys using algorithmic functions that which provides mathematical proof that the signature was bear a specific mathematical relationship to each other. Each performed by the person in control of the corresponding user has their own public-private key pair associated with private key. them. As the names suggest, the private key is designed to be kept confidential, while the public key is designed to be The second component of a digital signature is called a openly disclosed. hash. Unlike encryption, which is based on cryptographic keys, hashing is carried out using standardized and publicly The key pairs are used in different ways depending on their available algorithms that can be used by everyone. In contrast purpose. For encryption, where the objective is to prevent to cryptographic keys, whose primary use is for providing eavesdropping, the public key of the recipient is used to confidentiality, the purpose of hashing is integrity, or ensuring encode, or encrypt, the message to prevent it from being that messages have not been modified. An algorithm called read by third parties. Since the recipient has sole control over a hash function takes a message as an input and computes the corresponding private key, this ensures that only they an output called a hash digest, which is a pseudorandom can decrypt the message. Two parties can send messages series of digits of a fixed length. This allows verifying the confidentially to each other by encrypting messages using integrity of a message over time by hashing it at a later date each other’s public keys. and comparing the resulting hash digest with a hash digest computed at an earlier date.69 To generate a digital signature, hashing and encryption are combined in a specific way, as Figure 6 illustrates.70 First the Figure 6: Creating a digital signature using a private key hashes signs signs 00001111 10101010 hash digest signature data (document) signed data (document) 69 This hash digest is deterministic, meaning that the same string of characters will be output by the algorithm during subsequent hashing, as long as hashes the underlying input message does not change. Because the hash digest is pseudorandom, even tiny differences between input messages will result in 00001111 completely different hash digests being returned. It is thus not possible to know the degree of change to the underlying message, only whether or not there has been a change. hash digest data (document) 70 Note that cryptographic processes and PKI are also used to assure other elements, such as the precise time at which the signature was generated, which is also a key component of signature nonrepudiation. Such functionality is omitted for simplicity. If equal, compares signature is valid signed data (document) verifies 10101010 00001111 PUBLIC KEY INFRASTRUCTURE 53 signature decrypted signature HIGH-TRUST ELECTRONIC SIGNATURES IMPLEMENTING content to be signed is hashed, generating a hash digest. original (unsigned) document is calculated using the same It is this hash digest which is then signed, by performing method used during signing. In parallel, the relying party uses encryption using the signer’s private key, generating an output the signer’s public key to decrypt the signature to yield an referred to as a digital signature. Finally, as with handwritten output that should match the hash digest. If the two values signature, it is customary to affix the digital signature to the match, the document is authentic and the document content signed data (such as a document) and share the two together has not been modified, confirming integrity of the document. as a signed document, which facilitates verification. The digital signing and verification workflows presented above represent an extremely secure way to assure the VERIFYING DIGITAL SIGNATURES integrity of a signed message or document. In the latter two cases, they also allow to capture the signer's intention while assuring that they cannot repudiate having signed. To subsequently verify the digital signature, a verifier can use The cryptographic methods employed are extremely secure the signer’s public key to reverse this process, as illustrated in when implemented as intended, to the point where a direct Figure 7. First, the relying party separates hashes the signature from signs signs 00001111 attack on the technology itself is next to impossible within 10101010 the signed document for processing. The hash digest of the hash digest the limits of current technology. signature data (document) signed data (document) Figure 7: Verifying a digital signature using a public key hashes 00001111 hash digest data (document) If equal, compares signature is valid signed data (document) verifies 10101010 00001111 signature decrypted signature issues affixes CA signer signed data CA certificate User certificate Signed data/document - Identity of CA - Identity of signer - Content signs - Public key of CA signs - Public key of signer signs - Certificate of signer private key private key private key ROOT Signature of CA Signature of CA USER Signature of root of trust signer (end user) verifies verifies published published public key verifies CA public key SIGNER public key ROOT requests Central public keys Directory shares Relying Party 54 APPENDIX 3: THE CHAIN OF CRYPTOGRAPHIC TRUST The technical source of trust in any PKI is the mathematically in such an arrangement has its own digital certificate that is unbroken chain of trust between the root of trust 71 and issued and signed by a superior CA in the hierarchy. Each tier the signature that the user ultimately affixes to the signed in the PKI is thus mathematically dependent on the superior document. Because all digital certificates are signed using the tiers, ensuring an unbroken cryptographic chain of trust from private key of their issuer one level up in the trust hierarchy, the root of trust down to the end user certificates. An end it is possible to verify these signatures all the way back to the user’s certificate is considered valid if it can be traced back root of trust using the relevant corresponding public keys. to a trusted Root CA through a series of intermediate or This cryptographic process is summarized for a simple PKI in subordinate CAs. Correspondingly, signature and certificate Figure 8 and generalized to a hierarchical PKI in Figure 9.72 validation are performed by verifying trust chains back up the hierarchy to the Root of Trust. Each CA is responsible In hierarchical PKI models, this same cryptographical chain for managing its certificates and revocation processes at its is extended over the various tiers in the hierarchy. In such level of the hierarchy, and for supervising such processes a structure, multiple levels, or tiers, of CAs are established, at subordinate tiers. Revoked certificates can be checked each with its unique role and set of responsibilities. Each CA against revocation lists or revocation responders. Figure 8: Chain of cryptographic trust—simple PKI 71 This is the private key used to sign the digital certificates used by issuing CAs in the PKI. 72 This illustration is agnostic to the choice of implementation architecture (discussed in subsequent sections). In a two-tier model, one institution would house the root of trust while also playing the role of CA, however, in a three-tier model, those roles would be divided between two institutions. In a standards-based model, there would be multiple roots of trust, with each CA operating its own root of trust according to the standards established by the Authority acting as regulator. In a model including RAs, the process on the CA issuing the digital certificate to the user would be outsourced to one or multiple RAs. Finally, while the diagram shows the central directory implemented alone, in practice, it may be implemented alongside other related services, such as a certificate management system, as is the case in the PKD model in its ICAO implementation. PUBLIC KEY INFRASTRUCTURE 55 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES At the top of the hierarchy is the Root CA, which occupies Each CA may sign the cer tificates of one or multiple the hierarchical level and includes the Root of Trust. It issues subordinate CAs; in the latter case, there will be a fork in this certificates to intermediate CAs, establishing the root of trust particular chain of trust. In general, multiple CAs at the same for the entire PKI. As any breach of the Root CA compromises hierarchical level will both be cryptographically linked back the trust in all certificates in the entire PKI, the Root CA is to the same root but will not be directly cryptographically kept in a highly secure environment, often offline, to protect related to each other. it from external threats. Although the CA or CAs subordinate to the root also employ strict security measures, they are The chain of trust as applied to a tiered PKI is illustrated in more accessible, and Issuing CAs, in particular, are likely to Figure 9. be deployed in online environments. This layered security approach helps with risk management. Figure 9: Chain of cryptographic trust—tiered PKI 56 APPENDIX 4: EIDAS GOVERNANCE MODEL The eIDAS Regulation sets the legal framework for electronic • The signature is created using a Qualified Certificate identification and trust services within the EU, including (QC), or high-trust digital certificate subject to certain electronic signatures for electronic transactions use cases.73 minimum standards, including face-to-face (or equivalent) The highest assurance level for trust services, called “qualified,” identity verification during registration. requires CAs (referred to under the generic name of trust • The QC is managed using a Qualified Signature Creation service provider (TSP) in EU terminology) to undergo a process Device (QSCD), taken from the EU trust list for signa- to demonstrate compliance with qualification criteria. An ture creation devices (SCD).74 For details, please refer electronic signature is considered qualified when all of the to Appendix 10: Keeping Private Keys Private: Secure elements used to create the signature have gone through Signature Creation Devices. an audit that leads to qualification. Specifically, as illustrated in Figure 10, a signature is considered a qualified electronic • The QC is issued by a Qualified Trust Services Provider signature (QES) under eIDAS if: (QTSP), taken from the EU trust list for TSPs.75 Figure 10: Trust framework for Qualified Trust Services under eIDAS (summary) vel er EU le mb l Me leve te St a elDAS regulation European St Commission In rd an te s ( da EU r n IS at O St io , I T (E and na U TS a l I) rd Cy qui nce s Re i d a be rem (E ... G ) u r s e NI ec nt SA Accreditation Supervisory ur s & ) Executive Comformity Assessment it y Trust National Bodies Bodies Good Practice Bodies Services Provider A b e r t io Cy N u t h s ec nal o u r iti rit a es y ts en er nm al v n G o Na t io 73 Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS), recently updated by Regulation (EU) 2024/1183 establishing the European Digital Identity Framework https://eidas.ec.europa.eu/efda/home 74 “Qualified Signature/Seal Creation Devices and Secure Signature Creation Devices” https://eidas.ec.europa.eu/efda/browse/notification/qscd-sscd 75 “EU/EEA Trusted List Browser” https://eidas.ec.europa.eu/efda/tl-browser/#/screen/home PUBLIC KEY INFRASTRUCTURE 57 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES Figure 11: Components of a Qualified Electronic NABs in turn are notified and supervised by a “supervisory Signature body” (SB) designed at the member-state level. The SB is responsible for supervisory tasks under the eIDAS Regulation. certificate Typically, the SB designated by each country is a ministry or agency that manages digital transformation, communication, ID Verification and/or cybersecurity. The SBs of each country are also responsible for reviewing conformity assessment reports and confirming the qualification status of TSPs. As part of this QTSP qualified trust QC QES role, SBs may impose additional requirements, such as for Issuance qualified certificate Generation qualified electronic service provider signature ad hoc audits of TSPs to supplement the required biannual QSCD qualified signature audit, should this be deemed necessary. creation device Although each EU member state is required to have its own SB, there is no requirement to notify a NAB to accredit CABs QTSP QSCD at the national level. TSPs seeking to operate in a EU member Trust Lists Trust Lists state without a TSP qualification regime in place (a notified NAB and at least one accredited CAB) are free to solicit a conformity assessment from any CAB appearing on the trust Audit Audit list of any other member state. Similarly, even in countries that do have accredited CABs at the national level, TSPs may TSP SCD elect to be audited by a CAB not based in their country. At the time of writing, 10 member states have NABs/CABs (see Table 13), compared to 29 total states with SBs, thus allowing For a TSP to be included on the EU-maintained trust list, they them to participate in the eIDAS scheme.77 must be qualified under eIDAS. Qualification entails a series of steps to demonstrate issues their technical capacity and operational affixes Continuing up the governance hierarchy leads out of the Intermediate CA Issuing CA signer signed data compliance with EU standards and assurance requirements. member-state level and to the EU level, where the standards CA certificate User certificate Signed data/document To demonstrate ---Identity of CA compliance, the ---Identity TSP is subjected of signer to an ---Content and regulations for the TSP qualification process are established signs ---Public key of CA signs ---Public key of signer signs private key audit, called a “conformity private key assessment,” carried private key out by an ---Certificate of signer and enforced. Specifically, the eIDAS Regulation itself Signature of Signature of CA Signature of accredited “conformity assessment body” (CAB). The signer typical ROOT CA USER Intermediate (end user) provides the legal framework, the European Commission (EC) CABCA is a private sector firm specialized in process audits. provides the executive enforcement function, the European Once the qualified status is granted to the TSP, it is valid for Telecommunications Standards Institute (ETSI) sets and 24 months, at which point a new conformity verifies assessment public key audit verifie s maintains standards, and the EU Agency for Cybersecurity published published public key must be carried out.76 TSPs are verifie responsible s CA for submitting SIGNER (ENISA) provides guidance on implementing those standards. public key the conformity assessment reportROOT to the relevant Supervisory National-level institutions may also provide further guidance. Body (see below). requests ral public keys ory With the status of EU Regulation, eIDAS is applied in all 27 EU they Party member states without requiring transposition into national Before interested firms can be designated as CABs, Relying shares must themselves be accredited by one of the national-level law. This means that any CA qualified under eIDAS in any EU authorities designated (or “notified”) by each EU member country is automatically considered as qualified in all other state, referred to as “national accreditation body” (NAB). EU countries. Accordingly, electronic signatures generated For most countries, the NAB designated is that country’s by the certificates they issue enjoy a presumption of legal existing national accreditation institute (mandated to manage validity in all EU member states.78 The eIDAS regulation certification, testing, inspection, calibration, and similar also includes a provision for extending this trust federation functions). 76 A report must be submitted to the responsible Supervisory Body every 24 months or whenever requested by the Supervisory Body, in order for the TSP to retain its qualified status. 77 This number includes Norway, Liechtenstein, and Iceland, which are non-EU participants in eIDAS. 78 For additional discussion of legal validity of electronic signatures, see: Tullis, Christopher; Constantine, Nay; Cooper, Adam. 2024. Electronic Signatures: Enabling Trusted Digital Transformation. Digital Transformation Policy Note Series; September 2024. © Washington, DC: World Bank. http:// hdl.handle.net/10986/42186 58 Figure 12: Trust framework for Qualified Trust Services under eIDAS (detailed view) Trust List Institutional Framework Technical Framework publishes National Standards publishes Supervisory Accreditation Organization Standards Body publish Body (ETSI) International Standards Organizations accredits informs Cybesecurity Requirements Conformity Cybersecurity approves publishes Assessment Agency National supervises publish Body (ENISA) Authorities Guidelines audits cooperates Trust Services influences International Provider Good Practice Table 12: Governance framework for qualification of trust service providers under eIDAS eIDAS Term Function Description eIDAS Regulationa Legal Provides the legal basis for mutual recognition of trust services across 27 EU Framework member states. European Commission (EC) Executive Responsible for implementing and enforcing the eIDAS Regulation at the Authority EU level. European Telecommunications Standards Setting standards for electronic signatures and TSPs as well as requirements for Standards Institute (ETSI) conformance assessments (audits) of TSPs. Maintains EU-level trust lists for TSPs having successfully undergone the qualification process. EU Agency for Cybersecurity Guidance ENISA proposes technical guidance documents for trust service providers (ENISA) intending to become QTSPs.b National Supervisory Body (SB) Supervision Ongoing monitoring and oversight of qualified trust service providers (QTSPs) to ensure ongoing compliance. National Accreditation Body Accreditation of Selection and accreditation of CABs to ensure that they have demonstrated (NAB) Auditors competence, impartiality, and compliance with relevant standards to carry out specific conformity assessment (audit) activities. Accredited Conformity Audit of TSPs Evaluation of trust service providers to ensure compliance with eIDAS technical Assessment Bodies (CABs) and operational requirements as detailed in the applicable standards. Trust Service Providers (TSPs) Trust Services Equivalent to CAs for the purposes of digital signing, TSPs offer digital signature services in the EU single market. If a TSP has successfully been assessed by a CAB, it can become a qualified TSP or QTSP. a Note that in EU terminology a “regulation” is the highest level of legislation and roughly equivalent to a law in a national context. b “Guidelines on Initiation of Qualified Trust Services - Technical guidelines on trust services” https://www.enisa.europa.eu/publications/tsp-initiation PUBLIC KEY INFRASTRUCTURE 59 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES Table 13: Member-state entities involved in qualification of trust service providers under eIDASa Country Supervisory National Accredited Conformity Assessment Qualified Trust Bodiesb Accreditation Bodyc Bodies Service Providersd Austria Telekom-Control- Akkreditierung TÜV AUSTRIA CERT GMBH 6 QTSPs, 5 of which for Kommission Austria ZZentrum für sichere QCert for eSignature. Informationstechnologie - Austria Czechia Digital and Information Czech Elektrotechnický zkušební ústav (Electrical 9 QTSPs, 7 of which for Agency Accreditation Institute Testing Institute) QCert for eSignature. LL-C (Certification) Czech Republic a. s. TAYLLORCOX s.r.o. France Agence Nationale de Comité français International Certification Trust Services 31 QTSPs, 19 of which for Sécurité des Systèmes d'accréditation LSTI QCert for eSignature. d'Information (ANSSI) (COFRAC) Germany Bundesamt für Deutsche datenschutz cert GmbH 17 QTSPs, 11 of which for Sicherheit in der Akkreditierungsstelle Deutsche Telekom Security GmbH QCert for eSignature. Informationstechnik; GmbH (DAkkS) KPMG (Liechtenstein) AG (LI) Bundesnetzagentur SRC Security Research & Consulting GmbH für Elektrizität, Gas, TÜV Informationstechnik GmbH Telekommunikation, Post und Eisenbahnen Italy Agenzia per l’Italia Ente Italiano BUREAU VERITAS Italia S.p.A. 34 QTSPs, 30 of which Digitale di Accreditamento CERTIQUALITY S.r.l. for QCert for eSignature. CSQA Certificazioni srl DNV GL Business Assurance Italia S.r.l. IMQ S.p.A. KIWA CERMET Italia S.p.A. QMSCERT Ltd The Rijksinspectie Digitale Raad voor BSI Group The Netherlands B.V. 10 QTSPs, 8 of which for Netherlands Infrastructuur Accreditatie QCert for eSignature. Portugal Gabinete Nacional de Instituto Português Associação Portuguesa de Certificação 7 QTSPs, 6 of which for Segurança De Acreditação QCert for eSignature. Slovakia National Security Slovak National QSCert, spol. s r.o. 10 QTSPs, 9 of which for Authority Accreditation TÜV SÜD Slovakia s.r.o. QCert for eSignature. Service Slovenia Ministry of Digital Slovenian Accreditation Bureau Veritas, d.o.o. 7 QTSPs, 5 of which for Transformation, Slovenski institut za kakovost in meroslovje QCert for eSignature. Information Society Inspectorate Spain Ministry of Digital Entidad Nacional de Aenor Confia, S.A. (Unipersonal) 53 QTSPs, 32 of which Transformation Acreditación Certicar, S.L. for QCert for eSignature. DEKRA Testing and Certification, S.A. (Unipersonal) Trust Conformity Assessment Body, S.L. a This table only includes EU members states that maintain their own TSP qualification regimes, with NABs notified and CABs accredited within their national borders. The list is not exhaustive; detailed and updated information can be found on the eIDAS dashboard: https://eidas.ec.europa.eu/efda/ tl-browser/#/screen/home b eIDAS Dashboard: Supervisory Bodies. Accessed 16 December 2024. https://eidas.ec.europa.eu/efda/browse/notification/supervisory-bodies c eIDAS Dashboard: National Accreditation Bodies and Conformity Assessments Bodies for QTSP/QTS. Accessed 16 December 2024. https://eidas. ec.europa.eu/efda/browse/notification/cab-nab d eIDAS Dashboard: EU/EEA Trusted List Browser. Accessed 16 December 2024. https://eidas.ec.europa.eu/efda/tl-browser/#/screen/home 60 outside of the EU through the Third Country Trust List expanding the federation to additional countries across the (TCTL) program. Under this program, non-EU countries who world, from Albania to Japan.79 implement a governance regime for qualifying trust services that is equivalent to eIDAS (as described above) can enter into This entire governance framework establishing trust in TSP a bilateral Mutual Recognition Agreement with the EU bloc. qualification is summarized in Table 12. The specific entities To date, the only non-EU country with a mutually recognized designated by each member state to implement the TSP trust list with the EU is Ukraine, but there are discussions of qualification process are provided in Table 13. 79 “EC-3rd Countries Trust Services Forum: Paving the Way for Mutual Recognition” https://ec.europa.eu/digital-building-blocks/sites/pages/viewpage. action?pageId=674510260 PUBLIC KEY INFRASTRUCTURE 61 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES APPENDIX 5: PKI OPERATIONAL FUNCTIONS CERTIFICATE MANAGEMENT is presented in Appendix 11: Indicative Costing for PKI Hardware Components. Whoever operates a CA will also be responsible for the • Challenges. The main challenge in certificate issuance operational aspects of certificate management under the is ensuring the efficient and secure generation and PKI such as the lifecycle of enrollment, issuance, validity distribution of certificates, especially in high-volume checking, revocation, and renewal of certificates. In the environments. This includes safeguarding the integrity of case of a multi-tier architecture, this applies equally to root, the certificate during generation and ensuring its secure intermediate, and issuing CAs. The operational functions delivery to the correct entity. In centralized systems, related to managing the certification lifecycle include the managing the high volume of issuance requests securely following elements, described alongside some key challenges. and promptly can be demanding, while in decentralized systems, the challenge lies in maintaining consistency and security standards across different issuance points. Issuance Another challenge is preventing unauthorized issuance, • Operations. The operation of issuing digital certificates which requires robust checks and balances within the involves generating a certificate with the necessary issuance process. cryptographic information and distributing it to the validated entity. This entails the CA using its private key Registration and Identity Verification to digitally sign the certificate to be issued to the down- stream entity, which could be an end user or another CA • Operations. For higher-trust certificates, the identity in the trust chain. In the case of managing the root CA, of recipients needs reliable verification to prevent the there is a particular premium on security, and operations issuance of certificates to unauthorized entities or indi- are usually conducted in offline environments in highly viduals. This identity verification may be carried out via specialized data centers. a RA or a third-party identity verification service. For the highest trust levels, face-to-face identity verification • Pre-requisites. Secure data centers equipped with may be required.80 The risks and costs associated with high-security servers running specialized software for registration and identity verification have led some coun- certificate issuance and management, as well as qualified tries to bundle a digital signing certificate in with their technical operators are required. An overview of key national ID credentials issued to citizens and residents.81 requirements and costs for the implementation of a PKI 80 In practice, requirements for “face-to-face” identity verification may or may not imply an in-person transaction. Increasingly, live video interviews with a verification agent are recognized as alternatives to in-person identity verification to meet a face-to-face requirement. For example, in the EU, many qualified CAs used video-based interviews for registration. In India, during the COVID-19 pandemic, video recordings became acceptable as an alternative to live interviews even for the highest assurance level. https://digital-strategy.ec.europa.eu/en/news/questions-answers-trust-services-under-eidas 81 Examples of countries that include a PKI-based digital certificate in their national ID credentials, using the ID credential issuance process as an RA function include: Belgium. “La Carte d’identité électronique (eID) » enables identification, authentication and digital signature.” https://www.belgium.be/fr/famille/identite/ carte_d_identite Estonia. “e-Identity: ID-card,” https://e-estonia.com/solutions/e-identity/id-card/ Finland. “‘Citizen Certificate’ in Finish ID card for identification and signing.” https://www.suomi.fi/services/citizen-certificate-digital-and-population-data- services-agency/dc540ff4-0030-46b2-add0-9f7ceb2a41c8 Georgia. MG Law (2019), “Introduction of qualified electronic signature and qualified trust service providers in Georgia,” https://mglaw.ge/2019/02/19/ introduction-of-qualified-electronic-signature-and-qualified-trust-service-providers-in-georgia/ Germany. “Die elektronischen Funktionen des Personalausweises.” https://www.personalausweisportal.de/Webs/PA/DE/buergerinnen-und-buerger/der-personalausweis/funktionen/funktionen-node.html 62 • Pre-requisites. For high-assurance certificates, extensive the availability of digitally verifiable ID credentials, which networks of physical registration centers may be needed. In may not be universally available. cases where online verification is utilized, robust electronic identity verification systems are necessary, managed by Revocation specialists skilled in digital verification. These systems may need to be capable of interfacing with national • Operations. Revocation entails invalidating a certificate ID systems for identity verification, and the national ID before its scheduled expiration. Certificate revocation systems, in turn, would need to offer robust identity is essential for maintaining the security and trustworthi- verification services. Additionally, the PKI infrastructure ness of a PKI system, as it prevents compromised or no requires a secure and seamless network to support longer trusted certificates from being used.82 connectivity between various verification components. The complexity of establishing and maintaining these • Pre-requisites. Dedicated teams are required to manage physical and digital verification mechanisms is substantial, revocation requests, such as a call center and/or physical especially when scaled for a large user base. There may customer service points. Systems for management, timely be opportunities to leverage existing infrastructure. updating and distribution of revocation lists are needed. For example, coordinating certificate issuance with the • Challenges. Timely updating of revocation lists and national ID ecosystem can allow digital certificates to be ensuring their accessibility to all stakeholders are crucial. issued based on the same ID verification process as ID The challenge lies in disseminating revocation informa- credentials, or to leverage strong digital ID authentication tion efficiently to all concerned parties. This can be to enable online PKI registration and key distribution especially challenging in large-scale implementations, without compromising trust. Similarly, utilizing banks with many relying parties verifying signatures, as well as or mobile network operators as registration authorities PKI implementations with many actors to orchestrate. can capitalize on their existing customer relationships and trust. Renewal • Challenges. Scaling up the identity verification process for a population-scale PKI system poses significant • Operations. Renewal involves extending the validity challenges. In-person verification, while of fering of a digital certificate before expiration. Certificate high assurance, requires extensive infrastructure and renewal is a routine operation in PKI systems, and it is coordination, potentially involving local government offices essential to ensure the uninterrupted use of certificates or private actors. This wide network of RAs needed to to ensure continuity. ensure accessibility presents logistical, cost, and security challenges. While online identity verification has some • Pre-requisites. Technical staff are needed to oversee the renewal processes, as well as customer support advantages, such as scalability and convenience, it personnel for user communication. Automated systems may not be accessible to users without reliable internet to manage certificate renewals are also required. access or who lack the digital skills to go through such a process unassisted. Online verification also relies on • Challenges. The usability and cost benefits of automatic renewals need to be balanced against the need to maintain Portugal. “Assinatura digital com Cartão de Cidadão.” https://www.autenticacao.gov.pt/web/guest/cartao-cidadao/assinatura-digital Saudi Arabia. “The Saudi National ID card enables trusted online transactions.” https://shorturl.at/pAQX8 Singapore. “The digital certificate is stored in the Singpass app.” https://www.singpass.gov.sg/main/national-certification-authority/ South Korea. “The physical ID card and the Mobile ID card enables online authentication and digital signature.” https://dgovkorea.go.kr/contents/blog/111 Spain. “‘El Documento Nacional De Identidad electrónico (DNIe)’ enables digitally signing documents.” https://www.dnielectronico.es/PortalDNIe/ PRF1_Cons02.action?pag=REF_1001 Taiwan, China. “‘The Citizen Digital Certificate’ is stored in the secure area of the IC card.” https://moica.nat.gov.tw/en/what.html Türkiye. “Electronic Authentication System (EKDS) has been developed in order to verify the identities of people using the features of the new generation ID card.” https://www.nvi.gov.tr/ekds United Arab Emirates. “Emirates ID enables entities and individuals to sign documents and transactions digitally using their ID card.” https://u.ae/en/ information-and-services/justice-safety-and-the-law/cyber-safety-and-digital-security/esignature-and-digital-certification 82 Revocation can be managed by simply publishing periodically updated lists of revoked certificates (certificate revocation lists; CRL), or, as has become increasingly common, through standardized protocols that allow real-time verification. One example of the latter is the Online Certificate Status Protocol (OCSP). https://datatracker.ietf.org/doc/html/rfc6960 PUBLIC KEY INFRASTRUCTURE 63 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES PKI security. Manual oversight over the renewal process Private Keys Private: Secure Signature Creation Devices may be preferred to high-trust certificates, which comes presents an overview of secure key storage devices. with additional cost and operational complexity while also negatively affecting the user experience. Clear • Pre-requisites. Backup systems must be both robust and communication with users about upcoming renewals, user-friendly. Redundancy data centers or cloud backup especially when manual renewal processes are required, solutions are needed, as are support and helpdesk is needed to avoid unintended certificate expirations. personnel who can assist users with certificate-related inquiries, issues, and troubleshooting. Storage and Access • Challenges. A significant challenge lies in making the recovery process user-friendly, especially for those with • Operations. The secure storage of digital certificates limited digital skills or unfamiliarity with PKI concepts. and private keys is fundamental in PKI systems. For When a user loses a device or forgets a password, the end users, this often involves a decision between local process to reissue or recover their certificate needs to storage on their device or remote storage managed by be straightforward yet secure. Balancing ease of use with a service provider. Access to these stored keys is crucial strict security protocols is not straightforward and can for enabling digital signing and authentication processes. be a significant barrier to the overall usability of a PKI to • Pre-requisites. Secure servers and hardware security end users. Recovery processes are also highly dependent modules83 (HSMs) are needed for secure storage of keys, on the chosen key-management architecture: while it is along with accompanying systems to manage key access. straightforward to restore access to cloud-based keys Users must have devices or apps that allow them access or obtain cloud-backups if available, in instances where to keys for signing as needed, within the usability, cost, keys are stored locally on a user’s device, the recovery and security constraints required by each type of user. process may entail issuing a new key. • Challenges. The key challenge is to achieve a practical balance between secure storage of and easy access to POLICY AND SECURITY private keys for end users. The decision between local and remote storage options hinges on user convenience Establishing and maintaining robust policies is a cornerstone and technical proficiency. Local storage offers ease of in the operational integrity of a PKI system. These policies access but can pose security challenges for users with guide the operational practices and form the framework limited digital skills, while remote storage options, though within which all PKI-related activities are executed. The potentially more difficult to access, especially if there are security management of a PKI encompasses a broad range connectivity constraints, can facilitate key recovery is users of processes, policies, and practices, all aimed at ensuring lose access to their signing device. Educating users on the system’s security, integrity, and operational effectiveness. secure key management and providing clear guidance Effective security management is essential to protect the for scenarios like device loss or change is also crucial confidentiality, integrity, and availability of digital certificates to ensure both security and usability in the PKI system. and cryptographic keys. PKI security management is an ongoing process that requires vigilant attention to emerging threats, Backup and Recovery evolving best practices, and changes in security requirements. • Operations. Private keys must be securely backed up to Policy allow recovery in case of data loss or hardware failure. The certificate recovery process must ensure that users can • Operations. The relevant authority must define in detail regain access to their certificates without compromising the operational practices and responsibilities within the the security of the PKI system. Appendix 10: Keeping PKI and ensure their enforcement. Examples of such policies often include the CP, a high-level document that 83 A Hardware Security Module (HSM) is a physical device designed to securely store and handle digital keys used for encryption and other security purposes. It can be compared to a highly secure safe where digital keys can be created, stored, and used in a way that prevents them from being stolen or accessed by unauthorized users. HSMs are used to enhance security for various operations, such as securing transactions, authenticating identities, and protecting sensitive data. 64 outlines the rules and policies governing the issuance, training personnel, and audit and control specialists. management, and lifecycle of certificates; as well as the Continuous training mechanisms and facilities are required. CPS which is a detailed document that describes how a CA implements the CP and covers the CA's specific • Challenges. The main challenge is ensuring that all PKI practices regarding certificate issuance, management, actors have the institutional capacity to implement these revocation, and security controls.84 As shown in Table 18, comprehensive security measures. Not all actors might specific reference to fees for the issuance of certificate possess the necessary resources or expertise, which could to a CA might exist. lead to vulnerabilities in the system. Achieving a consistent level of security across various actors in the PKI, each • Pre-requisites. Institutional capacity is required to develop, with different capabilities and resources, is a complex update, and enforce comprehensive and rigorous PKI task that requires ongoing attention and adaptation. policies. Required human resources include legal and policy experts, compliance officers, and auditors. External Key Management auditors may be required to assess and certify the PKI’s compliance with industry standards and regulations, • Operations. Key management involves careful handling such as the X.509 standard 85 and the European eIDAS of cryptographic keys throughout their lifecycle, including regulation. Legal resources are necessary to ensure that their generation, distribution, storage, and destruction. the PKI complies with relevant laws, regulations, and Ensuring the confidentiality of keys during transmission contractual agreements. between PKI actors is crucial. The process is closely linked to incident monitoring and certification processes, like • Challenges. The PKI actor in charge of certificate policy, revocation, to maintain the overall security of the PKI. which can be a CA or other authority, must continu- ally update these policies to ensure that they remain • Pre-requisites. Secure facilities with advanced cryp- comprehensive, up-to-date, and compliant with the tographic systems are required, including HSMs for latest in security standards and regulatory requirements. secure key storage. Staff requirements include special- Additionally, effectively communicating and enforcing ized profiles such as cryptographers and IT security these policies across all entities in the PKI, especially personnel. All institutions within the PKI must have the in large-scale or decentralized environments, can be ability to rigorously implement and audit secure key complex. Balancing the thoroughness of the policy with management processes. practical concerns, such as ease of implementation and user comprehension, must be considered. • Challenges. Maintaining the confidentiality and integrity of keys, especially during transmission between different entities in the PKI, is a significant challenge. This requires Process Security robust encryption methods, secure communication • Operations. Process security entails ongoing processes channels, and robust and clear procedures for conducting and practices ensuring the security and integrity of the key ceremonies. Additionally, integrating key manage- PKI system, including vigilance against emerging threats ment with incident monitoring systems to quickly identify and adapting to changes in security requirements. This and respond to key compromises is critical. encompasses securing not just the technological aspects of the PKI system but also its processes and human Incident Monitoring and Response components. It involves a blend of policy implementation, control and audit mechanisms, technology, and training, • Operations. Incident response within a PKI system along with promoting a security-first culture within the primarily involves developing an internal capacity to organizations implementing the PKI. detect and respond to security incidents. This includes setting up dedicated teams and systems capable of • Pre-requisites. All institutions within the PKI must have analyzing relevant data, identifying threats, monitoring the ability to rigorously implement and audit secure incidents, and executing response protocols efficiently. processes. Required staff include cybersecurity experts, The operation should integrate incident detection tools 84 In the case of Brazil, relevant documents are available at: https://www.gov.br/iti/pt-br/assuntos/repositorio. 85 X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates. https://www.itu.int/rec/T-REC-X.509/en PUBLIC KEY INFRASTRUCTURE 65 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES that are specifically tailored to monitor PKI-related swiftly executable. Regular testing and refinement of activities, such as unauthorized certificate issuance, these plans are necessary to ensure they are effective in unusual access patterns, and potential compromises of real-world scenarios. The plan must also be adaptable key infrastructure. A well-defined incident-response plan to various types of disasters, whether technical, natural, is needed, including regular drills and updates based or human-made. on emerging threats. • Pre-requisites. The PKI will require systems for incident SCALING OPERATIONS detection and a responsive team for incident management. Integration with broader cybersecurity platforms will As can be seen in the above discussion on use cases, digital allow the ability to tap into their sophisticated monitoring signatures are increasingly integral to a variety of digital tools. Relevant PKI actors will need to have cybersecurity interactions and transactions. During an everyday web browsing analysts and incident response professionals on staff. session, tens or even hundreds of digital signatures might • Challenges. A significant challenge is ensuring that the be generated or verified using a PKI built into commonplace PKI has access to the right data for effective incident digital devices and software, such as a web browser. However, detection. This requires sophisticated monitoring tools other use cases—such as signing a mortgage application and skilled personnel capable of interpreting the data online—are significantly riskier in addition to being far less accurately. Building and maintaining a skilled incident commonplace and more complex to manage. The diversity response team within the PKI is crucial. This team needs of these use cases directly influences the complexity and to be equipped not only with technical expertise but also structure of the required PKI to implement each. with the ability to quickly analyze and respond to the incidents. Linkages with broader national cybersecurity The following factors could influence the complexity of a PKI: platforms like Security Operations Centers (SOCs) and • Type of signers. Private keys can be attributed to many Computer Emergency Response Teams (CERTs) may different types of entities, all of which become “signers.” also help to share intelligence, coordinating responses As seen above, these entities can include not only people, to larger-scale threats, and staying aligned with national but also corporate entities, servers, digital devices, or cybersecurity policies and practices. There is a need software applications (such as web browsers). A PKI that for regular audits of actors and systems throughout the is designed to facilitate automated signing by devices PKI lifecycle, with adequate rigor and transparency to will look different to a PKI that must provide for people ensure trust. to generate signatures. Disaster Recovery and Business Continuity • Number of signers (and verifiers). If many individuals or entities are involved in the signing and verification process, • Operations. Disaster Recovery (DR) and Business it can result in a more complex PKI implementation to Continuity (BC) planning in PKI entails preparing for and provide the robust infrastructure needed to manage responding to events that could disrupt the PKI services. identities and keys effectively. If the signers and verifiers This includes establishing redundant systems, data backup are spread out—geographically, or across sectoral or protocols, and recovery procedures to ensure minimal national borders—it will increase the complexity of service interruption and data loss. DR/BC plans and their PKI implementation. effective implementation are critical in maintaining trust in the PKI system and ensuring uninterrupted service. • Certificate issuance and management processes. The methodology for issuing digital certificates and managing • Pre-requisites. Key staff must be available, such as them plays a crucial role. An in-person issuance process disaster recovery specialists and business continuity for a diverse population is intricate, requiring a network planners. Redundant infrastructure, such as secure cloud of registration authorities, while embedding certificates or other off-site backup locations, is needed, as well as in web browsers is relatively straightforward due to the the operational budget to provide for such redundancy. absence of direct human identity verification and the existence of secure software distribution channels. • Challenges. The challenge lies in creating a DR/BC plan that is not only comprehensive but also practical and 66 • Cost constraints. Certain PKI features, such as carrying electronic transaction regime—is a complex task that no out in-person identity verification during key issuance, country has fully mastered. For reasons of cost, complexity, may have benefits in terms of security or accessibility and usability, most countries decide to limit the requirement but come at a cost. The added value of deploying a to use PKI-based electronic signatures to only the highest- PKI-based solution for a given use case will inform risk electronic transactions. whether the additional cost is justified. The ultimate goal is for PKI to live in the background and • Digital skills of signers. In cases where signers are never be seen. Unfortunately, the complexity and security individual people, the digital skills of these users affect requirements can often bely this goal, which leads to high cost PKI design. Systems used by a small set of sophisticated and complexity for users and accompanying low adoption users can afford to expose some complexity to the user, for some use cases. for example, to offer more features. PKIs intended to allow the general public need to be more user-friendly Although a number of countries have issued the population and intuitive; the lower the digital skills of the intended with digital certificates that can be used for generating user base, the greater the need to hide the complexity high-trust electronic signatures backed by a robust legal of PKI implementation from the user. Ideally, the PKI framework, usability challenges and the current lack of implementation would be completely hidden from practical use cases has led to very low usage for signing. signers, with the intricacies of certificate management For example, the national ID cards that many European masked behind an intuitive user interface. countries issue to all citizens include a digital certificate stored on the chip of these “smart cards;” however, the usability While PKI-related problems for simpler use cases (like constraints around using this chip for signing—which may integrating digital certificates into web browsers) are largely require users to buy a dedicated card reader, install special resolved today, significant challenges remain in broader software, etc.—have impeded use by citizens. Perhaps due implementations. Establishing the sort of national-level to the low user base, relying parties have shown reticence PKI that would provide the general population access to to integrate such national-ID-card-based e-signatures into secure digital signing capabilities—for example, to generate their business processes, opting for lower-trust but higher- high-trust qualified electronic signatures under a national usability solutions—or just sticking to paper. PUBLIC KEY INFRASTRUCTURE 67 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES APPENDIX 6: PKI INTEROPERABILITY: FEDERATING TRUST While tiered PKI architectures can scale up PKI operations by more adequately, accommodate the need for institutional allowing for differentiated roles and responsibilities across the independence, or extend existing trust frameworks across different levels of the trust chain, scaling further horizontally national borders. may require federating trust across multiple trust chains. Although expanding a PKI horizontally through the addition This section explores the technical and governance dimensions of parallel trust chains increases operational complexity, this of such approaches to extending trust horizontally, which may be outweighed by other benefits, such as flexibility or can be grouped into two broad categories. The first set scalability. Whatever the reason for such horizontal expansion, of approaches use cryptography to federate trust at the for the certificates issued by CAs to be recognized by all actors technology level and include models such as bridge and cross in all sub-PKIs, it is important to federate trust across these certification. Such cryptographic approaches offer a direct trust chains. This federation can be done through technical method of extending trust across pre-existing PKIs at the means, governance arrangements, or a combination of the technology level and can be appropriate in contexts where two. This section gives an overview of the various approaches the regulatory environment lends itself to such alignment. possible for federating trust horizontally across a PKI system and integrating them into a trust framework. The second group of approaches establish trust across PKIs without linking them cryptographically. These non-cryptographic The question of how to federate trust horizontally arises not approaches include implementation of central brokers of only when separate, pre-existing PKIs need to be integrated public keys to facilitate signature verification across multiple into a common trust framework, but can also be relevant when PKIs, as well as approaches based on implementing common designing new PKI ecosystems. For various reasons, it may standards.86 Such approaches can be particularly beneficial be desirable to distribute trust over multiple parallel PKIs, for in cross-border contexts, where the co-existence of different example, to cater to the needs of a diverse set of use cases pre-existing regulatory regimes may make federation at the technology level infeasible. Figure 13: Summary of PKI federation models Federation Cryptographic Non-cryptographic approaches approaches Cross certification Bridge certification Common standards Central broker (mesh) 86 In practice, hybrid approaches combining elements of these models are also feasible. For instance, a PKI might primarily use a bridge model but incorporate aspects of the mesh model for specific inter-organizational trust relationships. Such hybrid models can offer tailored solutions that align with the unique needs and strategic objectives of the PKI stakeholders. 68 The models presented here are illustrated below.87 or sectors, potentially leading to more optimized and effective PKI implementations. Each of these models presents distinct advantages and • PKI systems can grow organically over time by stepwise challenges. The choice between them depends on the specific extension of trust frameworks. requirements and constraints of the implementing organization or government. In addition to the benefits and challenges Challenges discussed above in the context of horizontal disintegration, the following additional benefits and challenges are specific • Managing multiple parallel trust chains can add to federation. complexity, putting an additional premium on coordina- tion and oversight. Benefits • Ensuring interoperability between different trust chains • Having mechanisms to add additional trust chains can can be challenging and may require additional techno- provide flexibility and scalability to accommodate demand logical and policy considerations. growth over time. Bridge Certification • Running a federated trust model puts a premium on good Cross-Certification (Mesh) • There are resilience benefits to having multiple trust governance, especially if the federation model chosen signs Bridge CA signs paths, as problems or breaches in one path may not relies heavily on standards-based trust. If oversight is affect others. weak, inconsistent shares keys security standards and practices across the different trust chains can introduce additional shares keys • brought Existing PKIs can beRoot CA together into Root CA a common Root CA Root CA vulnerabilities. In sum, there is a risk for the PKI to be trust framework while signs degree of signspreserving a high signs only as strong as its weakest signs link. operational, technical, and/or policy independence as may be required. • The need to accommodate the needs of various use cases Intermediate Intermediate Intermediatemight lead to compromises and implementing entities Intermediate • Federation mechanisms CA facilitate interoperability CA of CA CA in security controls and policies. trust frameworks across sectors and national borders. signs signs signs signs signs signs signs signs Different trust paths can specialize in specific use cases Figure 14: Comparison of approaches Issuing CA Issuing CA to federating Issuing CA Issuing CA trust Issuing CA Issuing CA Issuing CA Issuing CA Federation through cryptography Federation through standards Bridge Certification Standards-Based Models Bridge Certification Cross-Certification Cross-Certification (Mesh) (Mesh) signs Bridge CA signs signs Bridge CA signs Regulation shares keys shares keys shares keys shares keys Root CA Root CA CA RootCA Root Root CA Root Root RootCACA CA Root CA Root CA signs signs signs signs signs signs signs signs signs signs Intermediate Intermediate Intermediate Intermediate Intermediate Intermediate Intermediate Intermediate Intermediate Intermediate CA CA CA CA CA CA CA CA CA CA signs signs signs signs signs signs signs signs signs signs signs signs signs signs signs signs signs signs signs signs Issuing CA Issuing CA Issuing CA Issuing CA CA IssuingCA Issuing Issuing IssuingCA CA Issuing CA Issuing CA Issuing Issuing Issuing CA CACA Issuing Issuing IssuingCACA CA Issuing CA Issuing CA Issuing CA Issuing CA 87 Audun Jøsang (2013), “PKI Trust Models,” in Atilla Elçi Standards-Based Standards-BasedSolutions et al. (editors), Theory and Practice of Cryptography Models Models for Secure Information Systems (CRYPSIS). IGI Global, May 2013. ISBN13: 9781466640306. https://www.mn.uio.no/ifi/english/people/aca/josang/publications/jos2013-crypsis.pdf Regulation Regulation Root CA Root CA Root CA Root CA PUBLIC KEY INFRASTRUCTURE signs signs signs signs 69 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES • Achieving a common set of standards and practices Figure 15: Bridge certification across different PKIs can be challenging and may Bridge Certification require coordination and change management across multiple entities. There may be a risk that the need to signs Bridge CA signs accommodate diverse entities and systems might lead to compromises in security controls and policies. sh Root CA Root CA Root CA Cryptographic Approaches signs signs signs Bridge Certification The most straightforward way to anchor trust over multiple Intermediate Intermediate Intermediate CA CA CA trust chains is by signing the certificates of the CAs atop these PKIs. This operation is sometimes referred to as bridge signs signs signs signs signs signs certification as the superior CA is acting as a trust “bridge.” In this model, a common root CA bridges other upstream CAs, playing the role of Root CA and federating all downstream trust chains on a technology level. Figure 15 illustrates the Issuing CA Issuing CA Issuing CA Issuing CA Issuing CA Issuing CA Bridge certification model. Technically speaking, the bridge architecture is identical to that of any single PKI where all trust chains point back to develop markets, provide for scalability and innovation, or a common root of trust, as discussed earlier in the tiered to comply with regulatory requirements. Standards-Based Models model. The “bridge” terminology is typically reserved for cases where multiple pre-existing PKIs, usually operated by The bridge model may be suited for environments where different actors, are subsequently federated into one PKI. In centralized control and simplified governance are requirements. Regulation cases where a PKI is designed from the ground up to have a However, the bridge model may not scale in response to common root of trust, it is less common to speak of bridge increased demand over time due to the operational strain Root CA Root certification; in such cases, it is more common to conceive on upstream CAs including the root. Bridge certification may of the operation as a single PKI. It should be noted that also not be suitable in cases where centralized signs control is not sign bridge certification models have the same drawbacks as any needed or wanted, such as when federating established hierarchical PKI, such as introducing a single point of failure, PKIs with mature policy environments, or when federating where a compromise at the bridge CA level compromises trust across sectoral boundaries or national borders, where Intermediate Interme all keys issued by any CA in the entire PKI. the federated PKIs need to maintain some CA independence. CA The bridge model simplifies trust chains by having a single The United States’ federal government implemented signs signs a bridge signs authoritative source for certificate validation and providing certification model. As shown in Case Study 3 below, this a technological anchor for the trust framework. However, it approach aims to meet the specific needs of the federal concentrates risk and control in the root CA, which may not government and its multiple agencies, and guarantee Issuing CA Issuing CA Issuing CA be suitable in all contexts, particularly where autonomy and interoperability between the legacy and new systems through independence across different entities are required. Such a cross-certification mechanism. autonomy may be beneficial to promote competition and 70 Case Study 3: United States The U.S. Federal Public Key Infrastructure (FPKI) aims to meet the unique security needs and policy requirements of the federal government. • Governance: The Federal PKI Policy Authority (FPKIPA) is the specialized body tasked with overseeing the FPKI’s implementation and compliance across federal agencies. Its mandate is to align PKI practices with federal security standards and operational requirements, ensuring a government-wide uniform approach to digital identity and communication security. The FPKIPA is also in charge of reviewing and approving application submissions of organizations wishing to become CAs under the framework. • Policy: The FPKI’s policy framework established standards and policies applicable to both legacy systems and new CAs, and guaranteed interoperability between all legacy and new systems through a cross-certification mechanism, the Federal Bridge. The FPKI policy framework is detailed in three specific documents: • Common Policy Framework (CPF): Serves as the foundational policy document for the FPKI, establishing the core requirements for identity verification, digital signatures, and encryption across the federal government. It’s designed to ensure a consistent security posture across all federal digital interactions. • Federal Bridge Certification Authority (FBCA) Certificate Policy: This policy facilitates interoperability between different government agency PKIs and external partners. It specifies the criteria for cross-certification, allowing diverse PKI systems to trust and accept each other’s certificates, crucial for secure inter-agency and government-to-public communications. • Federal Public Trust TLS Certificate Policy: Exclusively focuses on the issuance and management of TLS certificates for federal websites and online services. It’s tailored to safeguard the integrity and confidentiality of data in transit, ensuring that public-facing federal digital services are secure and trustworthy for users. • Root CA: The FPKI does not have a single, centralized Root CA. Instead, it operates under a framework where each participating PKI has its Root CAs, with the FPKIPA often serving as the central trust anchor for the majority of federal agencies. • Federated trust and interoperability: Along with the standards established in the CPF, the FBCA also plays a crucial role in the FPKI by facilitating trust among various federal agencies’ PKI systems and with external partners through cross-certification. However, it is not a Root CA. • Intermediate CAs and RAs: Each PKI participating in the FPKI scheme manages their own subordinate hierarchical levels in compliance with the policy framework governing the FPKI. PUBLIC KEY INFRASTRUCTURE 71 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES Cross Certification (Mesh) A mesh-based PKI is a hybrid approach that combines elements Figure 16: Illustration of a fully meshed PKI network in of bridge-certification and standards-based models. In a a cross-border context mesh PKI, multiple operationally independent PKI chains are cryptographically connected to each other, as in the bridge model. However, in the mesh model, this is accomplished without adding an additional hierarchical layer (“super root”). Country A Country B In the mesh model, the root CAs of the participating PKI chains are connected directly to one another. This connection happens at the same level of hierarchy, through a process Country H Country C called cross-certification. In this process, CAs interact as equals, making discretionary decisions to trust and cross- certify each other’s certificates. This involves an exchange and mutual verification of public keys, which then enables them to issue certificates recognized and trusted across the mesh. Country G Country D The advantage of this model is that it allows verification of the certificate issued by an unfamiliar CA by tracing its lineage back to a trusted CA within the network. Trust is extended based on the assumption that the CA is part of a network Country F Country E vetted by other trusted CAs.88 This model enables a flexible and decentralized trust structure which may be suitable for environments where there is a need to federate trust across Conversely, a partial mesh, where not all CAs are directly multiple independent organizations or across pre-existing connected, reduces some technical and operational complexity PKIs built around independent roots of trust. at the cost of reducing overall trust in the network, since it implies that some entities are trusted implicitly in the absence While offering scalability and operational independence, of any direct due diligence by a trusted party. The broader the mesh model introduces complexities in managing trust the partial mesh network, and the fewer direct connections, relationships, cross-certification processes, and certificate the higher the risk of having to trust an entity that may be validation paths. Security in a mesh PKI requires ensuring that one, two, or more degrees removed from a direct connection. cross-certification is carried out when the actor in question Such risks can be mitigated through mechanisms and rules can be trusted, including at the policy and process level, to, for example, limit the length of the chain of certificates to ensure that only trustworthy certificates are recognized used in verification processes, but such rules come at the across the mesh network. expense of full interoperability of certificates across the trust framework. However, implementing mesh models presents both technical and operational challenges, particularly as the number The inherent complexities of cross-certification in a mesh of participating CAs increases. In a fully meshed network PKI make it less suited for national PKI implementations. Its where every pair of CAs cross-certifies, the complexity optimal application is found in smaller, more interconnected scales exponentially with the number of CAs, increasing the environments. For instance, two government departments, each computational complexity of verification.89 Figure 16 illustrates with their own CA and closely aligned policies and technical the complexity of a fully meshed PKI network. standards, might find cross-certification a straightforward solution to promoting interoperability without undertaking significant reforms. Mesh networks may evolve organically, 88 Galexia Research (2005), “PKI Interoperability Models,” https://www.galexia.com/public/research/assets/pki_interoperability_models_2005/pki_interoperability_models_2005-4_2_.html 89 C. Liu, Y. Feng, M. Fan and G. Wang, "PKI Mesh Trust Model Based on Trusted Computing," 2008 The 9th International Conference for Young Computer Scientists, Hunan, China, 2008, pp. 1401-1405, doi: 10.1109/ICYCS.2008.384. https://ieeexplore.ieee.org/document/4709178 72 extending across departments or similar entities. Since there in the overarching system of PKIs. This model is common is no centralized governance or policy function that spans at both national and international levels. The governance across the mesh, such arrangements are limited to situations arrangements facilitating this shared trust is discussed in underpinned by strong, pre-existing relationships. more detail below. In a standards-based approach, each PKI operates autono- NON-CRYPTOGRAPHIC APPROACHES mously but adheres to agreed-upon governance, policy, and operational standards. This model offers greater flexibility and autonomy for participating entities and can enhance Common Standards resilience through diversification. It offers a nearly unlimited ability to scale horizontally by adding additional trust chains, It is possible to federate technically and cryptographically as is demonstrated by its ability to scale to the level of the 27 independent PKIs into a common trust framework based countries of the European Union (see Case Study 4 below). on common standards. By assuring effective governance Scaling does not require expanding capacity of any one of the operational, policy, and organizational elements of institution, providing further flexibility. all participating PKIs, such a trust framework enables trust Case Study 4: European Union The EU trust framework, eIDAS, federates independently operated public and private sector operated PKIs across the EU into a common trust framework based entirely on adherence to common standards and oversight mechanisms. • Legal Framework: The Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market, commonly known as eIDAS, provides the overarching legal framework for the scheme. In EU terminology, regulations are essentially the equivalent of national laws: they apply automatically to all EU countries, without needing to be transposed into national law, and are binding in their entirety on all EU countries. For this reason, any CA qualified under eIDAS procedures in any EU member country is automatically trusted in every other EU country. • Governance: • The eIDAS governance framework is grounded in several EU-level institutions: the European Commission (EC) is the executive enforcing the regulation, the European telecommunications Standards Institute (ETSI) helps set the standards, and the EU Agency for Cybersecurity (ENISA) provides guidance on implementing those standards. • In order to be recognized under eIDAS, CAs must demonstrate compliance with a detailed set of standards. The process by which a CA demonstrates compliance with eIDAS standards is called “qualification” in eIDAS terminology. Such “qualified trust service providers” are thus able to provide certification services in any of the 27 countries in the EU, allowing trusted verification across borders. Trust can also be extended outside of the EU bloc through the Third Country Trust List (TCTL) program, which ensures mutual recognition of trust services with certain non-EU jurisdictions. Appendix 4: eIDAS Governance Model provides a detailed case study of the eIDAS qualification process including the TCTL program. • Root CAs: Each participating PKI in the eIDAS scheme has its own root of trust. There is no hierarchical relationship between PKIs under eIDAS. • Intermediate CAs and RAs: Each PKI participating in the eIDAS scheme manages their own subordinate hierarchical levels in compliance with eIDAS standards. PUBLIC KEY INFRASTRUCTURE 73 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES However, reliance on adherence to common standards In such cases, the bilateral key exchanges needed for cross- raises the premium on good governance. Clear policies certification can be replaced by introducing a central trust and compliance mechanisms, while important in any PKI anchor to manage public keys. Such a central broker effectively implementation, provide the sole basis of shared trust. vouches for the trustworthiness of the PKIs in the system. On Inconsistencies in application of common standards, for a national level, such a model is discussed in the context of example due to inadequate controls or regulatory capacity, The Netherlands (see Case Study 10). In the Dutch model, a could undermine trust in the overall PKI scheme. government entity, Logius, federates trust in the four private sector PKIs collectively providing root CA services to the Central Broker national PKI system. Logius federates trust without bridging trust cryptographically, but rather by (a) providing a regulatory In cases where trust needs to be federated across a large and compliance function to provide trust in adherence to number of PKIs, mesh models cannot scale. The problem standards, and (b) providing the central directory function for becomes apparent when considering applications where the four PKIs in the ecosystem and managing a centralized cross-border interoperability is required. The EU, for example, trust revocation list to simplify verification for relying parties. has opted for a standards-based model for eIDAS, which Logius, a trusted third party, acts as a central broker, vetting avoids the complexity of 27 member states cross certifying PKIs participating in the system and anchoring trust through each other’s certificates. To illustrate the complexity, for 27 the provision of two of the most critical systems to support member states to implement a fully meshed PKI, this would security signature verification: the certificate directory and require 702 keys to be exchanged, with public keys exchanged revocation list. using existing secure channels out of band90 of the PKI. This problem is even greater if the issue is taken from the regional This model on federating trust through a central broker to the global level. For example, in order for 191 countries can also be implemented to anchor trust across borders. globally to facilitate interoperability between their PKIs, The prime example is interoperability of passports used at assuming one root CA per country, this would require an border crossings as described in Case Study 5. This model, entirely unfeasible 37,830 keys to be bilaterally exchanged. although developed by ICAO for international collaboration, This problem was illustrated visually for eight countries in could also be applied to federate trust between multiple CAs Figure 16 earlier in the document. within a single country, allowing them to contribute their digital certificates and revocation data to a central repository accessible by multiple relying parties for signature validation. Case Study 5: International Civil Aviation Organization The International Civil Aviation Organization (ICAO) is the United Nations specialized agency that enables international cooperation in air transport. ICAO’s mission includes helping relevant authorities worldwide identify travelers. This includes facilitating interoperability between the country-level PKIs used to sign the electronic chipsa on travel documents, such as international passports (ePassports).b Modern passports encode the data of the traveler in a digital chip, which is digitally signed using the PKI of the issuing authority in the traveler’s home country. Digital validation of the passport chip at a border crossing at the traveler’s destination requires trust in the issuing PKI. This validation helps border-crossing authorities determine whether a travel document issued by a foreign state is valid. Without a mechanism to federate trust over the various national PKIs, the ePassport would have no advantage over a traditional, paper passport, regardless of the digital features of the document itself.c 90 To maintain integrity, out of band communication usually integrates non-electronic transport mechanisms. To provide security for such out-of-band communication, it may be required that the “key ceremony,” as such exchanges are called, be personally witnessed by senior officials of institutions participating in the key exchange. The procedures for such key ceremonies are highly regulated to ensure security. For a representative example, see ICAO (2020), “ICAO Public Key Directory (PKD): Key Ceremony Procedures,” https://www.icao.int/security/mrtd/lists/faq/faq.aspx https://www.icao.int/ Security/FAL/PKD/Documents/ProceduresandRegulationsfortheICAOPKD/ICAO%20PKD%20Key%20Ceremony%20Procedures_Version_May2020.pdf 74 • Governance: ​ In 2007, the ICAO PKD was created by the ICAO Council at the request of ICAO Contracting States.d The system is governed by the ICAO PKD Board whose fifteen members are nominated by governments participating in the PKD scheme.e In Document 9303,f ICAO regulates the PKI used to verify ePassports.g • Central Directory. The ICAO Public Key Directory (PKD) service was developed in 2007 to create a central directory to be used as a mechanism for validating international travel documents issued by foreign states. The PKD overcomes the limitations of bilateral exchange of information between states and provides an efficient means for States to upload their own information and download that of other States. The PKD stores PKI objects in a directory, including certificates,h CRLs and Master Lists, from PKD participants, and makes them accessible to all receiving States.i The PKD content is vetted and pre-validated by ICAO to provide additional trust in the system. • ICAO Root CA: Although ICAO does operate a limited Figure 17: ICAO PKD as a trust anchor between Root CA function, this is purely for the purpose of national PKIs signing the lists distributed through the PKD and does not sign the root certificates of any participating PKIs.j Trust in the federation is provided by the PKD itself and the adherence to common standards. • Country Root CAs and RAs. Each participating state Country A Country B is responsible for designating a CA, referred to as a Country Signing Certification Authority (CSCA), that manages the PKI used for signing travel documents issued by that state. The CSCA also issues periodic Country H Country C Certificate Revocation Lists (CRL) indicating whether IKAO any of the issued certificates have been revoked. PKD By playing the role of central broker for information on public keys and revocation, as seen in Figure 17, the ICAO PKD ensures that information adheres to the technical Country G Country D standards required to achieve and maintain interoperability. In addition, the ICAO PKD ensures that information can be exchanged reliably, in a timely manner and on an open- ended, indefinite basis. As of 2023, there are 93 countries Country F Country E participating in the PKD scheme, representing most countries issuing ePassports.k a The “chip” is an electronic integrated circuit that can store and process data. b Because ICAO’s mandate encompasses not only interoperability between international passports but also some other types of less-common travel documents, much ICAO documentation uses the generic term Machine Readable Travel Documents (MTRD); when equipped with an electronic chip, the term eMRTD is used. For simplicity, the above discussion above looks at the specific case of electronic passports. c “Public Key Directory Secure Cryptograhpic Authentication of Chip-Based Traveller Information,” ICAO, https://www.icao.int/Security/FAL/PKD/ Pages/default.aspx d The ICAO PKD operates under the authority of the “Memorandum of Understanding (MoU) Regarding Participation and Cost Sharing in the Electronic Machine Readable Travel Documents ICAO Public Key Directory” (MoU). e ICAO, “ICAO / Security and Facilitation / Facilitation Programme / PKD / PKD Governance” Accessed 17 November 2023, https://www.icao.int/ Security/FAL/PKD/Pages/Panels.aspx f Machine Readable Travel Documents, Eighth Edition, 2021. Part 12: Public Key Infrastructure for MRTDs. ICAO. https://www.icao.int/publications/ Documents/9303_p12_cons_en.pdf g “Basic Concepts of MRTD and EMRTD – Two Page Factsheet,” May 2014. ICAO. https://www.icao.int/Meetings/TAG-MRTD/TagMrtd22/ TAG-MRTD-22_WP24-rev-2.pdf h CSCA certificates are not stored individually as part of the ICAO PKD service. However, they may be present in the PKD if they are contained on Master Lists. i ICAO, “ICAO / Security and Facilitation / TRIP / FAQ,” Accessed 17 November 2023, https://www.icao.int/security/mrtd/lists/faq/faq.aspx j ICAO, “ICAO / Security and Facilitation / Facilitation Programme / PKD / Download the ICAO CA certificate and CRL,” Accessed 17 November 2023, https://www.icao.int/Security/FAL/PKD/Pages/The%20ICAO%20CA%20certificate%20and%20CRL.aspx k ICAO, “ICAO PKD Participants,” Accessed 17 November 2023, https://www.icao.int/Security/FAL/PKD/Pages/ICAO-PKDParticipants.aspx PUBLIC KEY INFRASTRUCTURE 75 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES Case Study 6: EU Digital COVID Certificate Established in 2021, the European Union implemented the EU Digital COVID Certificate (DCC) to facilitate free movement within the EU during the COVID-19 pandemic. It allowed citizens to present proof of vaccination, negative test results, or recovery from COVID-19 in a secure, interoperable manner, ensuring mutual recognition of these certificates across EU member states. The DCC system relied on federation of the national PKIs of EU members states using the central broker model. As of 2023, all EU Member States and several non-EU countries participate in the DCC scheme. • Governance. The EU Digital COVID Certificate system was governed by Regulation (EU) 2021/953,a which provides the legal framework for issuing, verifying, and accepting certificates across EU Member States. The system is supervised by the European Commission in collaboration with Member States to ensure interoperability and consistency. The regulation was supplemented by Commission Implementing Decision (EU) 2021/1073,b which outlines the technical requirements, including the trust framework and cryptographic standards. Data protection is ensured through compliance with the General Data Protection Regulation (GDPR)c and related EU laws. • Central Directory. The EU Digital COVID Certificate Gateway (DCCG) is the central mechanism federating trust across the PKIs of EU member states. Acting as a central directory at the EU level, the DCCG stores public keys of the national authorities responsible for issuing COVID certificates and makes these available for verification. To comply with stringent EU data protection regulations, including the GDPR, the DCCG does not store any personal data. The only data contained in the system are the public keys used to verify certificates, which pertain solely to the signing authorities and cannot be used to identify individuals. • CAs and RAs. Each EU member state designates its own CAs involved in issuing their own Digital COVID Certificates, which operate under existing national PKI frameworks. a Regulation (EU) 2021/953 of the European Parliament and of the Council of 14 June 2021 on a framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, test and recovery certificates (EU Digital COVID Certificate) to facilitate free movement during the COVID-19 pandemic. http://data.europa.eu/eli/reg/2021/953/2022-06-30 b Commission Implementing Decision (EU) 2021/1073 of 28 June 2021 laying down technical specifications and rules for the implementation of the trust framework for the EU Digital COVID Certificate established by Regulation (EU) 2021/953 of the European Parliament and of the Council. http://data.europa.eu/eli/dec_impl/2021/1073/2022-09-15 c Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). http://data.europa.eu/eli/reg/2016/679/2016-05-04 HYBRID MODELS only constraints being the increasing management and cost overhead of growing complexity. Deploying a hybrid model can be an effective way to optimize an overall PKI system It is possible to combine elements of the various models against multiple constraints. described above to yield hybrid models with different design elements to accommodate the needs of legacy Case Study 7 shows that South Korea is an example hybrid systems, regulatory constraints, sectoral applications, types model that relies on both cryptography and standards for of users, or other differences in use cases. Technically, the guaranteeing cross-certification of digital certificates issued possibilities to mix and match models are endless, with the by two independent PKIs. 76 Case Study 7: South Korea South Korea has two independently operated PKIs for public and private sectors, respectively. The Government PKI issues certificates only to public servants, while the National PKI provides services to firms and individuals under the applicable electronic transactions legislation. National PKI certificates are widely used in internet banking, online stock trading, online shopping, and e-government (G2C) services.a • Legal Framework: The National PKI (NPKI) was established by the 1999 Electronic Signature Act, while the Government PKI (GPKI) was created by the 2001 e-Government Act. • Governance: The competent authority for the NPKI is the Ministry of Science and ICT, while the competent authority for the GPKI is the Ministry of Interior and Security. • Root CAs: There are two root CAs in South Korea. The Root CA serving the NPKI is the Korea Internet & Security Agency (KISA), which reports to the Ministry of Science and ICT. Public sector use cases are served by the Root CA of the GPKI managed by the Government Certification Management Authority (GCMA).b • Intermediate CAs and RAs: South Korea has a vibrant ecosystem of intermediate CAs, many operated by private sector companies. These CAs provide digital certificates for various applications, including online banking, e-government services, and electronic signatures for business transactions.c The choice to maintain two parallel PKIs allows optimization of each to the needs of public and private sector use cases, respectively. The independence of the two PKIs facilitates compliance with regulatory requirements and institutional mandates. Operational aspects of the PKI are outsourced to other entities including the private sector. South Korea’s approach exemplifies a mesh model where interoperability between two independently implemented sectoral PKIs is assured through cross certification between the two root CAs. Interoperability between the NPKI and the GPKI follows a hybrid approach. On the cryptographic side, this occurs through each PKI’s issuance of their respective Certificate Trust List (CTL) and their signature by the other PKI’s Root CA.d On the standard and policy side, because each Root CA is based on a sound legal and regulatory framework, entities in each PKI can trust a CTL issued by the other PKI and signed by its own Root CA. a FIDO Alliance and Asia PKI Consortium White Paper: FIDO UAF and PKI in Asia – Case Study and Recommendations. https://fidoalliance. org/white-paper-fido-uaf-and-pki-in-asia-case-study-and-recommendations/ b KISA, “Public certification system / Public certificate / Certificate trust list,” https://www.rootca.or.kr/kor/accredited/accredited03_03.jsp c KISA, ”Public certification system > (old) public certificate > Certificate list,” https://www.rootca.or.kr/kor/accredited/accredited03_01List.jsp d Each PKI in South Korea publishes its CTL. A CTL is signed cryptographic data that contains a list of trusted CAs and other elements, such as policy identifiers, and supports the use of extensions. A “trusted CA” is identified within the CTL by a hash of the public key certificate of the subject CA. PUBLIC KEY INFRASTRUCTURE 77 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES APPENDIX 7: INSTITUTIONAL GOVERNANCE ARRANGEMENTS Table 14: Common institutional arrangements for PKI governance Function Description Typical Institutional Selected Global Examples Profile Law Establishes the legal basis for National legislature Indian Parliament recognition of PKI-based digital Korean National Assembly signatures as legally equivalent to handwritten signatures. Congress of Mexico Regulation Develops and enforces rules Digital Ministries Ministry of Electronics and Information and regulations specific to the Technology (India) operation of PKI systems and the Digital Agencies Information System Authority (RIA, Estonia) issuance of digital certificates. Telecommunications Telecommunications Control Commission Regulators (Austria) National Cybersecurity National Information System Security Agency Authorities (ANSSI, France) National Information Technology Authority (NITA, Uganda) Communications Authority of Kenya Supervision Ongoing monitoring and Digital Ministries Ministry of Electronics and Information oversight of PKI operators to Technology (India) ensure compliance with legal and Digital Agencies Information System Authority (RIA, Estonia) technical standards. Telecommunications Telecommunications Control Commission Regulators (Austria) National Cybersecurity National Information System Security Agency Authorities (ANSSI, France) Standards Sets technical and operational Standards organizations International Telecommunications Union (ITU) standards for PKI, ensuring International International Organization for Standardization interoperability and security. (ISO) Regional ETSI National South African Bureau of Standards (SABS) European Telecommunications Standards Institute (ETSI) Brazilian National Standards Organization (ABNT) British Standards Institute (BSI, UK) 78 Function Description Typical Institutional Selected Global Examples Profile Guidance Provides detailed instructions Cybersecurity authorities European Union Agency for Cybersecurity and best practices for securely (ENISA) implementing PKI in compliance Technology standards Controller of Certifying Authorities with established standards. organizations (CCA, India) National Institute of Standards and Technology (NIST, USA) Accreditation Accredit auditors that are National accreditation National Accreditation Board for Certification responsible for assessing bodies Bodies (NABCB, India) conformity of CAs with applicable French Committee for Accreditation standards and regulation. (COFRAC, France) Audit Conducts audits to assess Professional services firms KPMG Liechtenstein (Germany) conformity of CAs with applicable Industrial testing, TÜV Austria Cert GmbH (Austria) standards and regulation. inspection and certification firms Specialized datenschutz cert GmbH (Germany) cybersecurity firms Standards organizations Associação Portuguesa de Certificação (Portugal) Policy Publish key policy documents Certificate authorities (CAs) such as Certificate Policy Telecoms operators Saudi Telecom Company (Saudi Arabia) (CP) and Certificate Practice Statement (CSP), outlining the Government entities State Tax Service of Ukraine procedures and controls for Information Systems and Digital Agency of certificate management, and Benin (ASIN) assure compliance with any Banks Danske Bank (Denmark) downstream actors involved in PKI implementation. Specialist firms e-Mudhra (India) PUBLIC KEY INFRASTRUCTURE 79 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES APPENDIX 8: SOURCING STRATEGIES MAKING SOURCING DECISIONS expertise, particularly in industries like finance, where the need for compliance with international requirements such as BY PKI FUNCTION those designed to prevent money laundering and terrorism financing (AML/CFT). Such specific requirements, as well While it is possible to outsource the entire operation of as the need to push strategic financial inclusion objectives, a PKI, in many cases it may be optimal to outsource only as well as the unusually varied set of transaction risk levels, various functions in a PKI, making the sourcing decision on a means that financial sector signature schemes may have component-by-component level. This section considers the more specific requirements than some schemes with fewer relative benefits of outsourcing some key PKI components. users or simpler use cases. This approach also allows for scalability and innovation, adapting more swiftly to market It is important to maintain the distinction between accountability and technological changes. and responsibility when defining the roles and responsibilities within a PKI; this will help determine the exact structure of any Registration Authority outsourcing agreement. Responsibility refers to the specific tasks, duties, or obligations assigned to an entity based on An RA undertakes the day-to-day operation within the CA their role or position, while accountability is the obligation to trust chain; it has to deal with users’ requests for certificates explain, justify, and take ownership of their actions, decisions, as well as contribute to the lifecycle management operations, and their resulting outcomes. The inherent trust established such as revocation and renewal. The RA acts as a trusted as part of the PKI is predicated on these specific roles and intermediary between the end user and the issuing CA in responsibilities. A PKI can only be effective and responsive the certificate issuance process. if each party understands their own responsibilities. For a RA function to operate effectively, it must be trusted by users. Users may be more inclined to trust institutions Root CA and firms that they are already familiar with and who they For the Root CA, the choice often revolves around the balance already have experience interacting with. User experience between maintaining sovereign control over a national security may also be improved if the RA function is managed by an asset and leveraging the technological and security expertise actor with experience in citizen- or customer-facing retail of private sector providers. Outsourcing the Root CA can offer operations. RA functions may be outsourced or delegated access to advanced security infrastructure and reduce the to those organizations that have public facing functions such substantial investment required for its operation. However, as in person branches, call centers, and physical artefact insourcing retains full control over the PKI's foundational trust distribution facilities. These might include national postal or level, a crucial aspect for many governments. bank service providers with country wide branch networks. Table 15 provides a stylized list of signing use cases as well Intermediate CAs as an institution that might be well suited to offer RA services When it comes to Intermediate CAs, the decision typically to the PKI. involves evaluating the specific requirements of different sectors or use cases. Governments might opt to insource Policy Functions Intermediate CAs for critical infrastructure or sensitive If a government outsources some or all CA functions, it may sectors, ensuring direct oversight and alignment with national still want to retain control over some non-technology elements policies. In contrast, outsourcing these functions to sectoral to ensure that the PKI is adequately secure by maintaining ministries or private sector entities can bring in specialized control over the framework of PKI policies. The government 80 Table 15: Stylized illustration of RA sourcing strategies for a selection of typical use cases Use Case Users Certificate Example Registration Strategy Official Government Civil Servant ID The ministry responsible for managing civil servant onboarding Documents Officials issues a certificate to those civil servants who would be expected to sign official government documents during the regular employee onboarding process. Electronic General Public National ID The government entity responsible for issuing the national ID card transactions must verify an applicant’s identity before issuing them a national ID card. Integrating digital certificate issuance into this existing process would be an efficient way to operationalize the PKI’s RA function. Electronic General public Mobile ID (SIM based) If a digital certificate is integrated to the SIM card of a mobile phone, transactions the telecom company that issues the SIM card to subscribers would be a natural partner to provide RA services. Some strengthening of the identity verification procedures used by the telecom company—at least for those SIM cards featuring the digital certificate—may be required to assure the required level of trust. Financial General public Mobile banking Banks already undertake robust identity verification for their customers transactions smartphone app as part of their Know-Your-Customer regulatory obligations. Credit/Debit card with Chip/PIN Electronic General public Dedicated document Some providers of electronic signatures seek to provide a seamless transactions signing software interface for electronic signing, for example, by integrating digital signing into desktop software that people use to read legal documents, such as Adobe Acrobat. To provide a seamless user experience, a firm may choose to provide an online onboarding option for a digital certificate using an innovated remote identity verification process. In this case, the firm offering this service would provide RA services to the PKI. Real estate Notaries Notary ID card If notaries are regulated by the Ministry of Justice (MoJ), certificate transactions issuance could be integrated into the licensing and registration process. In this case, MoJ would perform RA functions for the PKI. Accessing Employees Employee ID card As part of employee onboarding, organizational ID cards or other company tokens may be distributed by the relevant HR function. This HR systems function may also de-activate those ID cards when an employee leaves the organization to revoke access to facilities and systems. If PKI certificates are integrated into these employee ID cards, HR could perform the RA function in the PKI and integrate certificate issuance into the onboarding process. can also own the Certificate Policy Framework at the national actors. This is the option taken by The Netherlands (see level. A well-defined certificate policy framework helps in that Case Study 10). it outlines the requirements and rules for certificate issuance, usage, and revocation, ensuring consistency and security However, centralizing control over policy could potentially across the CAs and trust chains making up the PKI system. deter participation by increasing costs of market players who might have to alter their usual practices to fit the government Having this kind of granular control over certificate policy certificate policy or create parallel PKI environments that ensures a very tight-knit control over all levels of PKI operations, could be compliant. It is important that certification policies even if the operations themselves are outsourced to private be defined in consultation with the different relevant actors PUBLIC KEY INFRASTRUCTURE 81 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES and consider any particular strategic aims of the specific PKI down to the front-line workers doing registration. Such implementation, such as maximizing coverage and adoption. vertical integration centralizes this trust within government, There is a risk that poorly defined policies could also reduce allowing the government to maintain complete oversight innovation by the actors operationalizing the PKI. of the entire PKI, perhaps while delegating specific roles to different government departments. Estonia in Case Study 8 Standards and Compliance illustrates this approach. Alternatively, CAs can implement their own certificate policies It bears mentioning that even in countries with PKI deployment that are aligned with established standards (such as the EU models that prioritize a high level of government control, the eIDAS model, detailed in Appendix 4). In such arrangement, trend is still toward outsourcing some components of the the government can focus on assuring CAs in the PKI and hierarchy to private sector actors. To take again the example their policies comply with the established standards. of Estonia, the government opted to entrust a private firm93 to issue certificates used for the mobile and smartphone In this model, CAs would be free to set policy, while versions of the national ID card. The government-operated demonstrating the compliance of those policies with the PKI used for the traditional national ID card, distributed by the standards set by government. Such a model emphasizes the police in physical registration centers, may not have scaled importance of the compliance apparatus to provide trust in effectively to these mobile form factors which are distributed the PKI and allow interoperability across the system. either by telecom companies, which distribute the SIM card on which the Mobile-ID is based, or electronically, in the case However, the government may choose not to intervene of the Smart-ID app. Inserting a government-operated CA even at this minimal standards and compliance level, or it into such private sector led workflows may not be efficient. may choose to limit its intervention to a subset of use cases. By outsourcing such downstream activities for this particular Electronic signature frameworks increasingly adopt risk-based use case, the Estonian government retains tight government approaches, based on various United Nations Commission control over the root of trust as well as the overall PKI policy, on International Trade Law (UNCITRAL) 91 model laws and while also outsourcing key functions to improve cost efficiency. models like eIDAS, which deliberately avoid regulating PKIs for signatures under a certain level of assurance. Allowing markets to function without strict regulation can foster Benefits innovation, scalability, cost-efficiency, and adoption while • Centralized control can facilitate enforcement of PKI maintaining a level of security adequate for low- or medium- policies and standards, and help ensure a consistent risk use cases. approach across the PKI. For more information on risk-based approaches to electronic • Operations can be streamlined by limiting dependencies signature regulation, including non-PKI-based approaches on external entities. Management of security incidents to signing electronic transactions, see the companion note can be made more efficient by reducing the need for to this guide, called Electronic Signatures: Enabling Trusted coordination between entities and institutions. Digital Transformation.92 • There is clear accountability due to direct lines of respon- sibility and reporting. INSOURCING • With a single authority overseeing the entire PKI, it may be easier to maintain a consistent security posture and policy enforcement, since internal enforcement mecha- Government Operation nisms can be used. A government may choose to manage and operate all or Challenges near-all hierarchical levels of the PKI trust chain, including both technology and operations. In such a model, all functions are • Managing a vertically integrated PKI can be resource- performed in-house, from the root CA policy and management intensive, requiring a significant investment in human, 91 UNCITRAL. 2001. Model Law on Electronic Signatures. Vienna: UNCITRAL. https://uncitral.un.org/en/texts/ecommerce/modellaw/electronic_signatures 92 https://openknowledge.worldbank.org/entities/publication/d56f94c3-c1c8-4b17-b479-fd68f9551b1c 93 SK ID Solutions. https://www.skidsolutions.eu/resources/certification-practice-statement/ 82 Case Study 8: Estonia Estonia implements a true national PKI, in which the management and operation of core PKI functions is primarily the responsibility of the state. Although some PKI-related services, such as issuing certificates, providing certificate validity information, and distributing public keys to users are outsourced to private sector companies, key elements remain under state control.a • Governance: The Department of State Information Systems, part of the Ministry of Economic Affairs and Communications, sets the quality and reliability standards for PKI services. The Ministry of the Interior is tasked with creating the legislative framework that defines the types and standards for digital identity documents.b • Root CA: The root CA in Estonia’s PKI is managed by the Information System Authority (RIA), the autonomous government agency mandated to develop, manage, and protect the country’s digital infrastructure and e-governance systems. • Intermediate CAs: There are relatively few intermediate CAs in Estonia, primarily a small set of public entities operating at the whole-of-government level.c These include the RIA itself, as well as the Police and Border Guard Board (PPA), which is the government authority responsible for issuing digital identity credentials, such as the national ID card. • RAs: The PPA is the principal RA in Estonia, as it issues the national ID card and thus the digital certificate it contains.d A significant security breach occurred in 2017 with far-reaching consequences for the Estonian PKI. This breach was linked to a software vulnerability in the Estonian eID card, estimated to affect nearly 800,000 cards (all issued since 2014), corresponding to over 60 percent of the country’s population.e The vulnerability could have allowed attackers to infer the user’s private key from their public key, fatally compromising any digital signatures generated by them. As a mitigation measure, Estonia had to revoke all affected cards and conduct a mass re-issuance program. This incident underscores the risks associated with centralized PKI models, since a single vulnerability can affect the security of the entire PKI. The Estonia case highlights a model where most aspects of the PKI, particularly those concerning security, are retained within the purview of a small number of specialized public institutions. a OECD (2019), Digital Opportunities for Better Agricultural Policies, OECD Publishing, Paris, https://doi.org/10.1787/571a0812-en.Commission Implementing Decision (EU) 2021/1073 of 28 June 2021 laying down technical specifications and rules for the implementation of the trust framework for the EU Digital COVID Certificate established by Regulation (EU) 2021/953 of the European Parliament and of the Council. http:// data.europa.eu/eli/dec_impl/2021/1073/2022-09-15 b Sandra Roosna, Raul Rikk (2016), “e-Estonia: e-Governance in Practice,” e-Governance Academy Foundation, https://ega.ee/wp-content/ uploads/2016/06/e-Estonia-e-Governance-in-Practice.pdf c There are a small number of exceptions to this rule. A notable case is a private firm involved in the implementation of the Mobile-ID and Smart-ID, the SIM-card and smartphone-app versions, respectively, of the national ID card. The certificate policy for the Mobile-ID project creates space for a private sector CA qualified under the EU-wide eIDAS scheme to operate a CA for the Mobile-ID solution. See: Republic of Estonia Police and Border Guard Board (2022), “Estonian eID scheme: Mobile-ID 2022 Technical specifications and procedures for assurance level high for electronic identification,” https://ec.europa.eu/digital-building-blocks/wikis/download/attachments/668543236/Estonian%20eID%20 scheme%20%20%20Mobile-ID%202022.pdf?version=1&modificationDate=1683118045581&api=v2 d In the case of the Mobile-ID, Estonia’s SIM-card-based national ID card alternative, it is the telco providing the SIM card that plays the role of RA. e e-Estonia (2018), “What we learned from the eID card security risk?” (accessed 15 January 2024). https://e-estonia.com/card-security-risk/ PUBLIC KEY INFRASTRUCTURE 83 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES technological, and financial resources which may not • Different layers can innovate independently and within be readily available. Implementation requires the avail- their area of specialization, potentially improving overall ability of specific skills, profiles, IT equipment, software PKI service quality. systems, and facilities. Expansion into all of these areas • Security risks are spread out among different entities, at all levels of the PKI may not be in the comparative helping reduce the impact of a single compromised actor. advantage of any one institution. • Centralizing all PKI functions in one entity can create a Challenges single point of failure, potentially increasing security risks. • Effective coordination between layers of the PKI is • Scalability may be limited, as meeting increased demand required, which can be complicated if interinstitutional requires expansion of internal capacity. communication is not smooth. • A monopolistic approach may lack the flexibility to • Unless security standards are harmonized across the quickly adapt to changing technological landscapes various entities in the PKI, there is a risk that varying or user needs or to accommodate diverse user needs practices could lead to security vulnerabilities. due to lack of competition, especially if implemented at the national level. • The introduction of multiple parties could make it difficult to establish clear accountability for the parties involved. Outsourcing • There is some contractual and legal overhead involved to govern the relationships between entities. Due to the challenges of managing and operating all aspects • Technical and operational integration between layers of a national PKI ecosystem, it is common for governments to can be challenging, potentially leading to inefficiencies. outsource some or most of their PKI operations to the private sector. In principle, any PKI function can be outsourced. Upstream components, including the root of trust itself, may Outsourcing Downstream Tiers be outsourced to minimize risks associated with government In many cases, it may be desirable to distribute PKI functions operation of sensitive and technically complex cryptographic between various institutions or entities. This type of flexibility material. Downstream components, such as registration, can can allow each actor in the PKI to specialize in areas related be outsourced to allow the PKI to scale by taking advantage to its mandate, competence, and comparative advantage. of private sector customer relationships to expand the PKI For example, a central authority may retain control of the user base. Hybrid sourcing strategies are also possible, with root CA while outsourcing other functions, like certificate government and private sector operated options to coexist, issuance and RA functions, to other entities or institutions. each perhaps specialized in use cases in different sectors of the economy. A concrete example of this could be seen in a model where the central bank operates the root CA, while a set of private This section summarizes some common outsourcing strategies sector banks are responsible for operating issuing CAs and with specific examples given from national-level implementation. providing the RA function for their clients. Another example could be a government that outsources the root CA function Benefits to a specialized private firm with the required capacity, but still capitalizes on the existing network of local government • Different PKI layers can be managed by entities that officers to provide the RA function to register citizens and specialize in those specific functions, allowing the various distribute certificates to them. actors involved in the PKI to work within their compara- tive advantage and preventing any one institution from The Saudi Arabian example in Case Study 9 below offers an needing to rapidly add new capacity, functions, or example of a hierarchical PKI where private CAs are leveraged business units. at lower PKI levels to scale the volume of certificates the PKI • The burden on any one entity is reduced, as outsourcing can manage to cover demand from the general population. functions reduces resource demands of running the PKI. 84 Case Study 9: Saudi Arabia Saudi Arabia’s National PKI is a classic hierarchical three-tier model with a government-operated Root CA providing trust in multiple subordinate trust chains specialized in different use cases. The government provides the root of trust and policy environment while facilitating the participation of private sector actors for implementation. • Governance: The Digital Government Authority (DGA) is the regulator of Digital Trust Services in the Kingdom of Saudi Arabia. The National Information Center (NIC), under the Saudi Data and AI Authority, is created and mandated by the Saudi e-Transactions Act. Standards are set by the National Cybersecurity Authority (NCA).a • Root CAs: The Saudi National Root CA provides the root of trust for all actors in the Saudi national PKI. It is owned and operated by the NIC.b • Intermediate CAs and RAs: There are three Policy CAs authorized by NIC in the Saudi PKI hierarchy.c • Public sector: A single Government CA is hosted and operated by NIC itself in the same facility as the Root CA, but with logical and physical separation to preserve the integrity of the hierarchy. The Government CA issues certificates directly to civil servants in a two-tier model. • Private sector: Two commercial Policy CAs are authorized for private sector use cases. One is managed by Baud Telecom Company, who partners with its own subsidiary, emdha, which manages three issuing CA instances, each for a different use case.d The other is implemented by Saudi Telecom Company, which also operates two addition Issuing CAs in house to serve its Sitar brand.e • RAs: The commercial Issuing CAs operate their own in-house RA functions built on their network of retail outlets, as part of their telecommunications business, and can outsource RA functions to other commercial entities if need be.f a Saudi National Cybersecurity Authority, “The National Cryptographic Standards (NCS),” https://nca.gov.sa/en/regulatory-documents/ frameworks-and-standard-list/198/ b Saudi Data and Artificial Intelligence Authority (2023), “Saudi National Root-Ca Certificate Policy,” Version Number: 3.4, https://sdaia.gov. sa/en/Sectors/Nic/ca/Documents/Saudi%20National%20Root-CA%20CP%20v3.4.pdf c Saudi Data and Artificial Intelligence Authority, “Sectors > NIC > CA,” Accessed 17 November 2023. https://sdaia.gov.sa/en/Sectors/Nic/ ca/Pages/default.aspx d emdha, “About Baud Telecom Company,” https://www.emdha.sa/baud-telecom-company e Saudi Telecom Company (2023), “Sirar Qualified CA (QUCA) Certificate Policy,”https://solutions.com.sa/wp-content/uploads/2021/04/STCS- INTERMEDIARY-CA-CERTIFICATE-POLICY.pdf f Saudi Telecom Company (2020), “STCS Identity CA (IDCA) Certificate Policy,” Version Number: 1.4, https://solutions.com.sa/wp-content/ uploads/2020/02/STCS-IDCA-CP_v1_4_20200104-Final.pdf Outsourcing Upstream Tiers also spreading the implementation risk over four entities to eliminate single points of failure. Other countries have taken the opposite approach, opting to entrust the private sector with operationalizing the sensitive Governments may opt to outsource upstream components, components at the top of the PKI hierarchy, such as the including the root of trust, to the private sector to leverage root CA function itself. The Dutch, as seen in Case Study 10 the expertise, technological advancements, and efficient below, outsource the root of trust for their national PKI to not management practices of private entities specialized in one but four private firms, capitalizing on the comparative cybersecurity and PKI solutions. Leveraging this expertise can advantage of the private sector in maintaining the secure lead to enhanced security and reliability of the PKI system if environments needed to manage cryptographic keys, while the private sector is able to implement cutting-edge security federating the four PKIs through government oversight, and measures more rapidly than government actors. Additionally, PUBLIC KEY INFRASTRUCTURE 85 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES Case Study 10: The Netherlands The Dutch government PKI system, called PKIoverheid, is designed for trustworthy electronic communication within and with the Dutch government. This model showcases a strategic approach where critical PKI functions, like root CA management, are effectively outsourced to specialized private companies. Simultaneously, government bodies retain control over identity verification processes through their roles as RAs. • Governance: Logius, the digital government service of The Netherlands Ministry of the Interior and Kingdom Relations (BZK), is mandated to maintain government-wide ICT solutions and common standards. The role of Logius includes establishing standards and policy, including publishing the CP and CPS governing the entire PKI.a • Root CA: The root CA function in the Dutch PKI system is outsourced to four different private sector companies, one of which signs the certificates of all subordinate CAs in the PKI. These companies are accredited and regulated to ensure compliance with national and international standards for security and reliability.b The root CAs cross certify each other’s certificates in a mesh arrangement. • Central Directory: Although each root CA operates its own certificate database and related certificate management infrastructure, the central directory function that relying parties use for verification is operated centrally by Logius, who maintains and manages the Certificate Revocation List for the entire PKI.c • Intermediate CAs: Multiple domain CAs (sub-CAs of one of the four roots) each issue Trust Service Providers (TSP) CA certificates. The TSPs are responsible for issuing certificates to end users.d • RAs: Various government departments and agencies in The Netherlands serve as RAs. TSPs may also perform the RA function themselves or outsource to other firms.Saudi National Cybersecurity Authority, “The National Cryptographic Standards (NCS),”e a Certification Practice Statement Policy Authority PKIoverheid Unified v5.1 https://cps.pkioverheid.nl/pkioverheid-cps-unified-v5.1.html b PKIoverheid: Public Key Infrastructure for the Dutch government https://www.logius.nl/english/pkioverheid c PKIoverheid Certificate Revocation Lists https://crl.pkioverheid.nl/ d Overzicht PKIoverheid certificaten https://cert.pkioverheid.nl/ e https://nca.gov.sa/en/regulatory-documents/frameworks-and-standard-list/198/ outsourcing can be cost-effective, reducing the burden on into banking products and transactions, while allowing public resources and potentially leading to quicker deployment signing products to be tailored to the financial sector's and updates of the PKI system. This approach also requires specific regulatory environment and unique security needs. strong regulatory oversight and clear guidelines to ensure In parallel, for use cases involving official documents or inter- that security and privacy standards are rigorously upheld by ministerial communications, the government could manage a the entities involved. CA implementation directly. This hybrid model could allow for the government to implement a explicit set of requirements Outsourcing Specific Trust Chains for a specific and relatively small set of critical use cases, while leveraging other actors to help scale to other sectors Implementation of trust chains in a PKI ecosystem can be split of the economy where transactions volumes are higher and between different actors, including private sector entities. priorities, such as user experience and cost efficiency, are Such an approach can offer a way to promote scalability and at a premium. Such a division of responsibilities can lead to customize PKI implementation for the needs of specific use a more robust and responsive PKI ecosystem, where each cases, leveraging the domain expertise of sectoral actors. entity contributes its expertise to different segments of the For instance, banks could act as CAs for financial-sector use trust chain, thus optimizing overall security and functionality. cases, leveraging their existing customer relationships for This model is common in Europe, where the ecosystem of efficient registration, facilitating integration of PKI services private sector CAs mutually recognized at the EU level for 86 electronic transactions coexists with government-implemented Case Study 7, an example of how such arrangements are PKI trust chains dedicated to certain use cases, e.g., public implemented in the EU can be found in the case study on sector ones. In addition to the case of South Korea seen in France in Case Study 11 below. Case Study 11: France The French national PKI ecosystem includes multiple interlocking layers which interact at the technical, institutional, and governance levels. Although the National Agency for the Security of Information Systems (ANSSI) operates a hierarchical government PKI for use cases within the public administration (called IGC/A),a general use cases related to electronic transactions and communications are managed by an ecosystem of public and private sector CAs under a standards-based model with independent roots of trust. • Governance: IGC/A operations for government communications are overseen by ANSSI, which reports to the Secretariate-General for Defense and National Security, itself attached to the Office of the Prime Minister. Other PKIs that support the digital economy are regulated by applicable electronic transactions legislation in France as well as eIDAS for cross-border interoperability within the EU. ANSSI also plays a dual role here since it is also designated as France’s appointed Supervisory Body overseeing qualified CAs in the eIDAS scheme. • Root CAs: ANSSI operates the Root CA for the Government PKI to facilitate inter-ministerial communications within the French public sector. There are multiple PKIs operating in France providing services across the digital economy, with their own inde- pendent Root CAs. As of 2023, there were 28 different CAs operating separate PKIs qualified in France under eIDAS. While these are generally private firms, the number also includes 5 public-sector actors. Of these, 3 public entities also participate in the IGC/A scheme, having also sought qualification under eIDAS to extend interoperability within the EU.b • Intermediate CAs and RAs: Within government, several ministries and agencies operate their own Interme- diate CA signed by the IGC/A root CA, allowing them to manage certificates in their sector. Specific sub-PKIs include the ministries of Interior, Foreign Affairs, Agriculture, as well as the Gendarmerie.c The National Agency for Secure Documents (ANTS), which produces the national ID card and passport, operates its own dedicated Intermediate CA. The CAs participating in the IGC/A scheme must be public sector actors by law.d RA functions are provided by the public administration within the relevant sector. PKIs not federated into the IGC/A scheme can delegate responsibilities to subordinate CAs and RAs as they see fit, in compliance with applicable regulation. This model reflects an example where the government retains full control over the PKI for government entities and applications, while entrusting over 20 private sector PKIs to issue certificates to private citizens for use cases related to electronic transactions in the general digital economy. a ANSSI, “IGP/A,” Accessed 17 November 2023. https://cyber.gouv.fr/igca b eIDAS Dashboard, Trusted List France, https://eidas.ec.europa.eu/efda/tl-browser/#/screen/tl/FR c ANSSI, “Certificats émis par l’IGC/A (RSA 4096),” Accessed 17 November 2023, https://cyber.gouv.fr/certificats-emis-par-ligca-rsa-4096 d ANSSI, “IGC/A : Politique de certification concernant les Autorités de certification racines Gouvernementales,” Version 2.2, OID : 1.2.250.1.223.1.1.2. PUBLIC KEY INFRASTRUCTURE 87 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES Outsourcing the Entire PKI an operational expenditure basis, instead of making a large capital investment that may not be justified. A government may choose to outsource an entire PKI implementation to the private sector, focusing instead on Turning to the private sector can also help with market supervision and compliance. This option can be attractive development by providing demand to spur private investment, in various situations. If government implementation capacity and allowing competition that can lead to better service is low—for example, due to lack of skilled technical staff or quality, innovation, and cost-effectiveness in the long run. secure facilities—a secure PKI implementation may not be If multiple providers are leveraged, it can enhance system feasible. If a PKI is meant to support a limited set of use resilience and scalability. Case Study 12 below illustrates cases, small user base, or transaction volume, the government this approach. way wish to opt for procuring PKI as a service (PKIaaS), on Case Study 12: United Kingdom GOV.UK Verify was the first high-trust digital identity to be issued by the UK government and was in service from 2016–2021. Although Verify did not issue a cryptographic credential to verified individuals, it was reliant on an underlying PKI infrastructure to ensure the integrity and confidentiality of data passed from the private sector identity providers that participated in the scheme to relying parties during identity verification. • Governance: The UK government, driven by the UK Cabinet Office, made the decision to engage a commercial provider to provide infrastructure for the root CA rather than the root CA being managed and operated within government systems. The operational management of the PKI remained with the Cabinet Office, but the root CA resided in a commercial provider’s infrastructure. • Root CAs: The root CA function in the Verify system was outsourced to a single firm offering a managed PKI as a service. This service, provided by the British Telecom Assure PKI platform, operated from two data centers in the UK and was based on Symantec (Verisign) technology. • Intermediate CAs: The issuing CA was signed by a Private Root CA created by the vendor specifically for the UK Cabinet Office. • RAs: The GOV.UK Verify operations team managed the day-to-day RA functions, managing the issuance of certificates to certified identity providers. This model reflects an example where a government retains policy control over the PKI and operationalizes some functions, while outsourcing other components, in particular the root CA function, to the private sector to reduce the technical and operational burden on government to manage this complex infrastructure and minimize security risks. 88 Case Study 13: Lebanon • Governance: Lebanon’s legislative framework for electronic transactions and personal data is established under Law 2018/81, which enables the legal recognition of electronic signatures and, for high-trust signatures were PKI is used, mandates the Lebanese Accreditation Body (COLIBAC) to regulate. Implementation of high-trust signature of official electronic documents is governed by a recent decree proposed by the Ministry of Justice and adopted by Council of Ministers on 02/10/2024, which outlines two distinct pathways for PKI governance. The first pathway permits COLIBAC to oversee CAs operating within Lebanon. Simultaneously, a second pathway legally recognizes EU-based CAs who have been “qualified” under the eIDAS regulation.a • Root and Intermediate CAs: Both Lebanese CAs, pending accreditation by COLIBAC, and EU-based CAs, recognized as “qualified” under the eIDAS Regulation, are authorized to provide high-trust PKI-based signature services to Lebanese government entities signing official documents. • RAs: The approach to registering signers varies based on the CA and the specific governmental or use case requirement. For example, Lebanon-based CAs may manage signer registration directly, while EU-based CAs may opt to deploy remote solutions for registration. Alternatively, the RA function can be outsourced to trusted partners, such as the government entity whose staff will need to securely sign official documents. a At the time of writing, only the cross-border pathway is operational, awaiting COLIBAC’s full functionality. Additional information on the EU process for qualification of CAs can be found in Annex 4: Case Study: eIDAS Qualification of Certificate Authorities. PUBLIC KEY INFRASTRUCTURE 89 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES APPENDIX 9: PKI SOURCING CHECKLIST Table 16: Assessment tool for defining a PKI sourcing strategy Theme Consideration Observations For each PKI component, does the government have the internal resources and expertise to effectively manage it, given demands on infrastructure and human resources? Does the government have the ability to attract and retain the specialized IT profiles required to implement the Institutional various aspects of the PKI? Capacity Would operating components of the PKI be a way to develop digital skills within government? Given current institutional capacity and resourcing, are there infrastructure or skills gaps that are barriers to secure PKI operation? Are there private actors with the requisite capacity? Are Market those services well established? Offerings How does the capacity available on the market compare to government capacity? Does the government have a strategic interest in enabling Market the development of CA markets? Development Can involving private sector actors in PKI operationalization help build markets for PKI services? Is the chosen sourcing strategy sustainable at the chosen scale given budget constraints? Financial Sustainability Could economies of scale be generated by leveraging existing infrastructure, capacity, or skills in other organizations, whether in the public or private sector? Does the projected demand for the PKI use cases under consideration justify the planned expenditures? Are the estimates of number and type of projected users, Demand transactions, use cases, and relying parties realistic? Analysis Does PKI-based digital signature provide a genuine value proposition to these users, or could alternative electronic signature technologies be a better choice? How sensitive are the use cases served by this PKI (or PKI branch)? Are there any specific regulatory or compliance requirements that must be considered? How important is it for government to maintain full control over the infrastructure, policies, and operations? 90 Theme Consideration Observations Would a standards-based model, in which the central authority focuses on setting standards and assuring Security compliance, offer a similar level of security? Requirements Does the government have any specific needs that are not met by current market offerings? What is the population of eligible users? Are there any accessibility or usability requirements? Can signing and verification services be seamlessly Usability integrated into the workflows required for key use cases? Requirements Is the user experience intuitive or does it create barriers to adoption? Can users generate signatures from multiple device types, such as desktop computers and mobile devices? Can the approach to registration effectively cope with an Scalability increasing user base? Requirements Can the PKI scale to cope with increasing demand for certificates and/or verification services from relying parties? Is the PKI flexible enough to account for the different requirements of different use cases? Can it evolve in the Flexibility face of evolving requirements? Requirements Can the PKI adapt to new types of users and use cases that may arise in the future as the digital economy matures? Can the PKI effectively evolve to integrate new innovations? Innovation Does the PKI sourcing strategy incentivize innovation and user-centricity, or would increased competition be beneficial? Does the chosen design and sourcing strategy ensure Resilience resilience? Requirements Would redundancy of key components spreading functions between entities reduce single points of failure? Legacy Are there any legacy PKI implementations or technologies Constraints that need to be integrated? Are there regulatory constraints or compliance Regulatory requirements that preclude or force certain design decision Constraints or sourcing options? What is the main goal of the PKI (reach universal coverage of digital certificate, promote the adoption of trusted services, generate revenues, etc.)? PKI mission Is the PKI aimed at being a source of revenue? Has the and business economic model for this been studied? Would such a modelexpectation strategy crowd out private investment? What are the fixed and recurring direct fees that CAs would bear to be part of the PKI? What’s the cost of individuals to register in the PKI and obtain a valid certificate? PUBLIC KEY INFRASTRUCTURE 91 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES APPENDIX 10: KEEPING PRIVATE KEYS PRIVATE: SECURE SIGNATURE CREATION DEVICES Because it is critical to maintain full confidentiality of private keys in order to maintain the integrity of digital signatures, private keys are stored and used from within secure “devices” that maintain full security of the keys even during access and use. Even during signing, the key never leaves the device. The data flow used to enable this is: 1. The content to be signed (such as a document or transaction data) is sent to a secure storage device where the private key is held. 2. The private key, stored securely and never leaving its storage, encrypts the data, creating a digital signature. 3. The signed content, along with the digital signature, is then sent back to the originator or intended recipient. A variety of device types, including both locally managed and remotely accessed devices, can be used to securely store and access private keys used for digital signing. These include: Table 17: Devices used for digital signing Coming in form factors such as smart cards and USB tokens, these inexpensive, portable devices can securely store private keys on a device that is in the user’s possession. While this removes some security issues, usability can be a challenge due to the need to carry Dedicated and learn to use an additional device. Also, additional security issues can be introduced if devices users do not practice adequate digital hygiene. In the case of smart cards, an additional device, such as a card reader, may be required to access and use the digital certificate. In such implementations, the private key never leaves the dedicated device. It is possible to store private keys used for signing at the software level in a smartphone application. Usability of such solutions is excellent, with the user experience being as Smartphone seamless as any other smartphone app. However, the software-only nature of such applications implementations has security limitations that can be difficult to overcome; software-only solutions may therefore be most appropriate for low- or medium-trust use cases. Many modern smartphones and computers include a secure area within a processor that is designed to handle sensitive data and cryptographic operations in an isolated and protected hardware environment, allowing for secure local storage of private keys Secure enclaves on an existing device. While this provides secure key storage, there can be challenges to developers making use of these secure enclaves, which may be locked to external non-native applications, or may be implemented in proprietary ways by device manufacturers. In such implementations, the private key never leaves the secure enclave. 92 Most modern smartphones have a capability to read a chip of a hardware device using contactless near field communications (NFC) protocols. When implemented together, smartphones and NFC-enabled hardware devices—such as smart cards—can Smartphone help overcome the limitations of either device in isolation. The NFC token can be used plus dedicated for secure hardware-level storage of private keys and processing of cryptographic device transactions, while the smartphone improves usability through a relatively intuitive and familiar use interface without the need for card readers or other dedicated devices. In a smartphone-plus-device implementation, the private key never leaves the dedicated device, as the cryptographic operations used for signing are carried out on the HSM. These dedicated stationary hardware devices, usually deployed in secure data centers, are purpose built to securely store and manage cryptographic keys. HSMs are used to store Hardware and maintain keys for very high security applications, including sensitive commercial and security national-security applications. HSMs provide strong security by physically isolating the modules (HSMs) keys from adjacent systems. Implemented in isolation, HSMs cannot be used for managing keys for individual end users; however, they can be used by CAs for managing keys at the issuer level. In such implementations, the private key never leaves the HSM. It is possible to deploy HSM-managed keys in a cloud environment, offering scalability and remote access while maintaining a high level of security. This architecture obviates the need to store a key locally on a user-managed device entirely. The security comes from the secure communication channel between the cloud datacenter containing the HSM and the HSM plus cloud device used for signing (such as a smartphone or other computer), as well as the digital ID used to authenticate the user of those devices. In a cloud-plus-HSM implementation, the private key never leaves the HSM, as the cryptographic operations used for signing are carried out on the HSM. PUBLIC KEY INFRASTRUCTURE 93 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES APPENDIX 11: INDICATIVE COSTING The discussion below presents an overview of key elements and auditing of certificates, reducing the administrative burden required for deploying and operating a PKI. The first subsection and minimizing the risk of certificate-related security incidents. looks at the typical stages of a PKI implementation project and gives a high-level overview of the main types of capital Required hardware includes: network infrastructure such and operational expenditures. The second section provides as firewalls, routers, and load balancers; data infrastructure an indication of typical costs associated with each component such as servers and storage units; and auxiliary hardware of a PKI implementation. such as laptops, management consoles, and authentication tokens. Depending on the type of facilities in which the PKI is implemented, there may also be investments needed ELEMENTS OF A to reinforce the physical security of the data center, for PKI DEPLOYMENT example, physical partitions, biometric access controls, and surveillance systems. In addition to this general hardware, a PKI typically requires Initial Design and Planning HSMs to securely store and manage cryptographic keys. The first step in establishing a PKI is the design and HSMs are critical for ensuring the security of the private planning phase. This involves defining the architecture of keys used in the PKI and can range in cost from $10,000 the PKI, determining the hierarchy of CAs, and outlining to $50,000 per device, depending on scale and capacity. the certificate policies and practices that will govern PKI Depending on the PKI scale, as well as redundancy and operations. Engaging with security consultants during this security requirements, multiple HSMs are typically necessary. phase is crucial to ensure that the PKI is tailored to the An indicative cost range of a cloud-based HSM is $1.60—2.50 specific needs of the organization while adhering to industry per hour, leading to a cost of $14,000—$22,000 per year of standards. Organizations must develop a Certificate Policy continuous usage.94 Population scale PKIs will likely require (CP) and a Certification Practice Statement (CPS), which are multiple HSM instances. highly technical documents requiring specific skills sets to write. In addition to policy development, organizations may Implementation and Integration need technical assistance to prepare for regular compliance audits and to ensure their PKI meets all applicable national This phase involves integrating the PKI with both internal and industry standards. systems (e.g., Active Directory, VPNs) and external systems (e.g., external CAs, cloud services). With the hardware and software in place, the PKI must be implemented and Hardware and Software Acquisition integrated into the organization’s existing IT environment. Once the design is in place, the necessary hardware and This phase involves the installation and configuration of the software must be acquired to implement the PKI. Central CA software, HSMs, and supporting infrastructure. It also to this is the CA software suite that is used to create, issue, includes integrating the PKI with enterprise systems and other manage, and revoke digital certificates, as well as manage services that will use digital certificates for authentication revocation lists. To manage the lifecycle of these certificates, and encryption. Such systems integration can be done by a organizations often invest in a Certificate Management System third-party systems integrator, by existing vendors, or using (CMS). A CMS automates the issuance, renewal, revocation, in-house software-development capacity. Cost will vary depending on the number and complexity of the integrations. 94 See, for example, “AWS CloudHSM Pricing,” https://aws.amazon.com/cloudhsm/pricing/ 94 Training, Maintenance, Support electricity, cooling for hardware, and routine management tasks, are typically local dependencies based upon climate IT and securit y personnel need to be trained on the and environment. management and maintenance of the PKI, including how to handle certificate requests, manage the CA, and respond to Additionally, a robust disaster recovery plan is essential for security incidents. Ongoing training and technical support are ensuring the continuity of the PKI in the event of hardware essential for the effective operation of a PKI, including regular failure or other catastrophic events. updates to staff knowledge, new compliance requirements, and evolving PKI technologies. INDICATIVE COSTING (INSOURCED) In addition to training, ongoing technical support is necessary to ensure that the PKI continues to function smoothly. The analysis assumes that the IT infrastructure used is This includes support for software updates, patches, and owned and maintained by the PKI operator—i.e., that an troubleshooting issues that may arise. on-premises (or colocation) deployment model is used. The costing should be considered indicative: additional elements Routine maintenance is a critical ongoing cost for any PKI might be necessary based on each national context and deployment. Maintenance includes regular system checks, sourcing strategy, in particular when cloud-based or hybrid software patches, hardware upgrades, and security updates deployment models are used (licensing costs of PKIaaS to ensure the PKI continues to operate securely and reliably. certification services is out of scope of this appendix). Capital expenditures in PKI hardware investments should be amortized Ongoing Operations and Management over a period not exceeding 5 to 10 years due to changes in technology, evolution of cryptographic algorithms, security The ongoing operation of a PKI involves several routine requirements, organizational needs, regulatory changes, and activities, including monitoring the CA’s performance, operational efficiency. managing the certificate lifecycle, and ensuring the security of the PKI infrastructure. Operational costs, which include Table 18: Key cost drivers for implementing and operating a PKI Low Estimate High Estimate Component Purpose Cost (USD) Cost (USD) CAPEX Ensures availability and redundancy for both the Root CA and Servers for CAs 50,000 200,000 Intermediate CAs. Hardware Provides a secure environment for cryptographic key generation, Security Modules storage, and management, with more robust solutions for the Root 60,000 360,000 (HSMs) CA due to its critical role. (Costing for 3+3 devices, with redundancy.) Manages the issuance, renewal, revocation, and lifecycle of PKI Software certificates, requiring more complex solutions to handle the two-tier 300,000 1,500,000 structure. Operating Supports the PKI infrastructure's operational needs (database Systems and management, monitoring tools, intrusion detection systems, 10,000 120,000 Auxiliary cybersecurity tools, backup software, log management, etc.). Software Network Ensures reliable and secure communication within the PKI (firewall, 30,000 150,000 Infrastructure switch, router, load balancer, security tools, etc.). Ensures accurate and secure timekeeping by synchronizing with Time stamp reference time sources and providing a reliable time service to 30,000 60,000 hardware networked computers and security systems. PUBLIC KEY INFRASTRUCTURE 95 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES Auxiliary Enables PKI supervision and configuration (e.g., laptops, 4,000 10,000 Hardware authentication tokens, external drives, or management consoles). Custom Tailors the PKI to specific organizational needs and integrates it with Development 100,000 500,000 existing systems. and Integration Consulting and Professional Offers expertise in planning, deploying, and optimizing PKI. 20,000 200,000 Services Training Ensures that staff can effectively manage and operate the PKI. 10,000 40,000 Physical Security Protects critical hardware from physical threats. 10,000 120,000 Enables the physical storage and cooling of the hardware within the Rack cabinet 8,000 20,000 data center. SUB-TOTAL CAPEX 632,000 3,280,000 OPEX (annual) Ongoing staff training to ensure personnel are skilled in managing Training and operating the PKI. This includes periodic refreshes, certifications, 50,000 150,000 and updates as new PKI features or requirements emerge. Ongoing maintenance costs for PKI hardware and software. This Maintenance includes routine system checks, patches, firmware updates, security 50,000 400,000 fixes, and refreshing hardware as it reaches end-of-life. Contracted support services for troubleshooting, bug fixes, and Technical support 20,000 150,000 incident handling. SUB-TOTAL OPEX (for 5 years of operation) 600,000 3,500,000 TOTAL (USD), 5 years of operation 1,232,000 6,780,000 96 APPENDIX 12: MANAGING LIABILITY Security of a PKI and the associated liabilities are paramount Human security considerations are equally important and considerations when developing, deploying, and operating should be detailed within the CPS. These considerations include a PKI. In the event of a security breach, the liabilities can be background checks for all staff involved in PKI operations to significant, typically falling into two main areas: the hosting ensure they are trustworthy and competent. Additionally, the infrastructure for PKI and the operational responsibilities CPS should specify access restrictions to sensitive operations, of various participants, including the CAs and Registration limiting who can issue or revoke certificates, and who has the Authorities (RAs). authority to manage key security controls. Such measures help prevent insider threats and reduce the risk of human The role of a CPS in mitigating liability error, both of which can lead to significant liabilities. Given the sensitivity of these operations, all personnel should be A CPS is a critical document that outlines the policies and thoroughly trained not only in the technical aspects of PKI procedures a CA follows in managing digital certificates. It but also in security protocols that are critical to maintaining serves as a legal contract between the CA and its stakeholders, the integrity of the infrastructure. The CPS might specify defining the roles, responsibilities, and limitations of liability that only certain authorized personnel can access the root for each party involved. A well-defined CPS provides legal CA’s cryptographic keys, a practice that protects against protection in the event of a breach by clearly establishing the unauthorized access and potential breaches. standards and practices that were followed, thereby reducing the likelihood of successful legal claims against the CA. PKI Processes: The CPS must thoroughly define the processes that govern the issuance, management, and revocation of Each country’s legal system and constitution play a significant certificates. This includes detailed procedures for identity role in how liability is addressed in these contracts. It is verification to prevent fraudulent certificate issuance, which essential to understand the nuances of local contract law is a critical risk area in PKI operations. The processes should and how government entities may or may not be held be aligned with international standards and best practices, accountable under specific legal frameworks. For instance, ensuring that they are robust enough to withstand scrutiny in some jurisdictions, the government might be immune to in the event of a legal challenge. certain types of legal action, while in others, the government could be held liable for breaches of contract or negligence. The CPS should also outline incident response procedures, specifying how the CA will react to security breaches or other incidents that could compromise the integrity of the Key components of a CPS PKI. These procedures should include steps for immediate Human factors: A CPS must encompass a comprehensive containment of the breach, communication protocols with framework that integrates the various elements involved in PKI affected parties, and remediation strategies to prevent future operations, focusing on people, processes, and technologies. occurrences. A well-documented response plan is essential for limiting the impact of a breach and demonstrating due The effectiveness of a PKI depends significantly on the diligence, which can be crucial in mitigating liability. competencies and trustworthiness of the personnel involved. The CPS should detail the roles and responsibilities of Technical considerations: The CPS should describe the all individuals engaged in PKI operations, from the CA’s technical infrastructure used to support PKI operations. administrators to the RA’s identity verifiers. These roles include This includes the physical security of data centers, such those responsible for certificate issuance, management, as controlled access to facilities and protection against and revocation, as well as those tasked with responding to environmental threats, as well as cybersecurity measures, security incidents. such as encryption, firewalls, and intrusion detection systems. These technological safeguards are vital in protecting the PUBLIC KEY INFRASTRUCTURE 97 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES PKI from external threats, ensuring that the infrastructure Failure to adhere to a CPS remains secure and reliable. If a CPS is not correctly implemented, the consequences can be significant for a CA. An incorrectly implemented CPS may The importance of certification of a CPS lead to a failure in maintaining the security and integrity of Certification of a CPS by recognized bodies can significantly the PKI, resulting in the issuance of fraudulent certificates or enhance the credibility and legal standing of a PKI. Certification inadequate responses to security breaches. demonstrates that the CPS meets established standards and that the CA operates according to best practices. Much of For example, GlobalSign, a major CA, temporarily suspended the liability issues can be mitigated through accreditation of the issuance of certificates after a hacker claimed to have staff, certification of services (e.g., ISO/IEC 27001 and ISO/ compromised their systems.96 While there wasn't direct IEC 2118895), and similar measures. litigation against GlobalSign, the incident raised concerns about the security of digital certificates and the liability of Certification requires a thorough audit of the CA’s operations CAs if their trust anchors are compromised. This incident to ensure compliance with the CPS and adherence to stringent illustrates the importance of maintaining stringent security security protocols. Achieving this certification can increase practices and the potential liability a CA could face if its trust in the CA’s operations and reduce the likelihood of legal systems are breached, emphasizing the need for robust challenges. One model of PKI governance that illustrates security measures. Another example is DigiNotar,97 a Dutch this certification process can be found in Appendix 4, which CA that was hacked in June 2011, resulting in the issuance details the eIDAS Governance Model containing the European of hundreds of fake certificates, some of which were used example of the governance and certification model set out for man-in-the-middle attacks on Gmail users. in the eIDAS regulations. This can expose the CA to substantial legal liabilities, including claims of negligence or breach of contract. The CA could be Operating without a certified CPS held responsible for any damages incurred by relying parties due to the compromised trust in the digital certificates issued The certification process can be resource-intensive and, for under its authority. Moreover, failure to adhere to the CPS organizations in developing countries, access to certification could invalidate the CA's defenses in legal disputes, as the bodies may be limited. In such cases, organizations might CA would struggle to demonstrate that it followed industry need to seek international certification, which could involve best practices and standards, thereby amplifying its liability. additional costs and logistical challenges. The absence of certification might also impact the availability and cost of liability insurance, as insurers typically favor certified entities Risks in outsourcing and tiered architectures due to the reduced risk profile. The hierarchical structure of a PKI introduces various levels Even without formal certification, a well-documented and of risk, from the root CA to subordinate CAs and RAs. The rigorously implemented CPS can still provide substantial root CA, being the trust anchor of the entire PKI, carries legal protection. In the event of a breach, demonstrating that the highest level of responsibility. A breach at the root CA the CA followed established processes and procedures can level could have catastrophic consequences, potentially be critical in defending against liability claims. Certification invalidating the entire PKI. This level of risk necessitates the offers an added layer of legal protection, but the adherence strictest security measures and the most detailed processes to the CPS itself is what fundamentally supports the CA’s within the CPS. defense in a legal context. Subordinate CAs and RAs are also critical points of risk. The RA responsible for verifying the identities of certificate applicants must follow rigorous verification processes to prevent the issuance of fraudulent certificates. If an RA fails in 95 ISO 21188:2018, "Public key infrastructure for financial services — Practices and policy framework," https://www.iso.org/standard/63134.html 96 Whittaker, Zack. "Unpatched server led to GlobalSign breach." ZDNET, April 25, 2012. https://www.zdnet.com/article/unpatched-server-led-to- globalsign-breach/ 97 “DigiNotar,” Wikipedia, last modified September 20, 2024, https://en.wikipedia.org/wiki/DigiNotar 98 this duty, the resulting certificates could be misused, leading For organizations considering an outsourced model for PKI to significant legal and reputational damage. operations, contracts with service providers become critical in managing liability. These contracts must explicitly incorporate The CPS should address these risks by detailing the verification the obligations outlined in the CPS, ensuring that the service processes and controls in place to prevent such incidents provider adheres to the same standards and procedures. The across the whole of the PKI hierarchy. A single CPS may not contract should also address potential trickle-down liability, be appropriate, therefore, consideration should be given to where the primary organization could be held liable for the a set of inter-linked CPSs specific to a role or organization. actions of its service provider. PUBLIC KEY INFRASTRUCTURE 99 IMPLEMENTING HIGH-TRUST ELECTRONIC SIGNATURES