Privacy and the security of healthcare information have been hot issues
this year. The enthusiasm of patients for the recently granted access
to medical records has been tempered by growing concern over the security
of that information online. This hasn't stopped Melbourne startup eClinic
from realising its vision of delivering an online interface that the medical
community can use to access patient information sources.
Since going live at the beginning of the year, eClinic has been working
with leading testing laboratory Gribbles Pathology to allow doctors to
retrieve patients' medical test results, which are crucial to evidence-based
medicine, through the Web. Access to the system is carefully managed with
digital certificates issued by PKI provider eSign.
Each participating clinic is given a digital certificate. This guarantees
that people accessing the system are doing so from that clinic. Individual
doctors -- over 500 are already registered -- then use a unique userid
and password to verify their identity. In collaboration with partners
such as pharmaceutical and medical supply companies Livingston, Novartis,
CSL and Beare, eClinic is also allowing doctors to order supplies and
drug samples online.
"Doctors were looking for something meaningful to use the Internet for,"
said eClinic joint managing director Saurabh Mishra. "This provides a
lot of convenience and efficiency to doctors, since patients' results
are available to them when they're finished, instead of being mailed,
couriered or faxed as in the past. Each digital certificate tells us who
the doctors in that clinic are. It's still too costly to issue certificates
to each doctor individually, but hopefully at some point take-up will
be strong enough for that to happen as well."
Everywhere, but nowhere
This steady process of adoption by eClinic is one of just a few success
stories behind PKI technology, which facilitates encryption and decryption
of information to send it securely across the Internet. It is an extension
of standard public key/private key technology, which allows people to
transmit information securely, without having to reveal their secret keys
for decryption. In PKI, the public key is combined with a unique digital
signature issued by a certification authority (CA). This produces a single
digital certificate that contains all the information needed to confirm
that the public key belongs to the sender.
When a person receives digitally signed information, their software uses
the information in the certificate to contact the CA that issued the certificate.
That CA checks that the received key belongs to the person who sent the
message, and then looks up the certificate to make sure it's not on the
certificate revocation list, a constantly updated list of expired or revoked
certificates. If all is well, confirmation of the certificate's validity
is returned to the message recipient, who can then proceed with the transaction
confident of the other party's identity. PKI support has been built into
Web browsers and applications such as Lotus Notes for years. It is used
to authenticate Web servers as part of the universally used SSL (secure
sockets layer) encryption technique for securely transmitting credit card
details and other sensitive information between Web site and visitor.
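As an added illustration of the certificate and CRL checks described above (example code written for this page, not eClinic's, eSign's or any vendor's): a constructed CA self-signs its own certificate, issues a clinic certificate that binds the clinic's public key to its name, and publishes a signed CRL; the recipient then verifies the chain and the CRL against the CA's public key it already holds, so the CA itself is not contacted per message, only a fresh CRL is fetched. The CA name, serial numbers and validity windows are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// Setup plays the CA: self-sign a CA cert, issue a clinic cert binding the clinic's key to its name, publish a signed CRL with one revoked serial (all constructed).
func Setup(clinic string, serial, revokedSerial int64) (ca, leaf *x509.Certificate, crl *x509.RevocationList) {
	caKey, clinicKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Hypothetical CA"}, NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caT, caT, &caKey.PublicKey, caKey))))
	leafT := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: clinic}, NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafT, ca, &clinicKey.PublicKey, caKey))))
	crlT := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: now}}}
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlT, ca, caKey))))
	return ca, leaf, crl
}
// Check is the recipient's side: chain the cert to a CA it already trusts, then confirm the serial is absent from a CRL that CA signed; both run locally against the CA's public key.
func Check(leaf, trustedCA *x509.Certificate, crl *x509.RevocationList) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(trustedCA); err != nil {
		return err // an unsigned or forged revocation list proves nothing
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate revoked")
		}
	}
	return nil
}
```

A certificate issued by a CA the recipient does not trust, a CRL signed by some other key, and a serial that appears on the CRL all fail Check, which is the behaviour a relying party should expect before acting on a signed message.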
According to IDC senior software analyst Natasha David, Australian awareness
of PKI is growing, but widespread corporate adoption remains elusive.
"Drivers for trust don't go away, but PKI has been held back thus far
because of scalability issues and the need to deploy it for single apps,"
David said.
"Integrating and managing multiple applications was often left for end
users to do, and when you leave integration to them, they're left feeling
that the technology was supposed to help but it's only made life more
complicated. But over the next two years we're going to see a real critical
mass developing within the server certificate market as companies look
to create that trusted environment."
Many companies have also been deterred by the fact that setting up a
CA costs millions of dollars, much of which is dedicated to ensuring that
the CA's invaluable private key is not compromised. The investment is
so substantial that few companies have been able to justify doing so.
Even outsourcing CAs has not been entirely successful. Several years
ago, Australia Post launched its KeyPOST PKI service, but last year it
pulled the plug after dismal certificate sales and a lack of compelling
applications for them. Australia Post has opted to act as a registration
authority only, checking paperwork to verify the identity of a digital
certificate applicant. In doing so, it has left the heavy lifting to third-party
CAs such as eSign (a joint venture between Com Tech Communications and
major CA VeriSign) and Baltimore Certificates Australia (a spin-off of
PKI stalwart Baltimore Technologies).
Both companies issue certificates to a small number of Australian users
from secure, multimillion-dollar facilities. Initially, business was slow
as the corporate community waited for the government to take a definitive
stand on the technology. In 1998, the National Office for the Information
Economy (NOIE) released Gatekeeper, a broad set of standards and strict
criteria necessary for digital certificates to be acceptable for use when
interacting with government departments.
"You can't do normal commerce, 'e' or otherwise, unless things like authentication,
confidentiality and nonrepudiation are in place," general manager of NOIE's
Government PKI Branch Peter Anderson said. "The 1996 Investing for Growth
report sets out a blueprint for where the Commonwealth Government will
use its position as a purchaser, acquirer and user of IT&T services and
resources to play a leading role. The aim is not just to get this up in
government, but to make it more applicable in the economy."
Gaining Gatekeeper accreditation is no easy matter, and it was 1999 before
Baltimore's UniCERT solution achieved entry-level certification to the
system. Last year, eSign reached the same milestone, and these days both
companies are fully accredited issuers of digital certificates. Baltimore
also achieved accreditation under the defence-level ITSEC E3 certification
last year, and in May the Defence Signals Directorate awarded eSign EAL4
(Evaluation Assurance Level 4) accreditation under the ISO's 14-nation
Common Criteria security assessment program.
The latest entrant into Australia's PKI market, Entrust, is working furiously
towards Gatekeeper certification after it and local partner KeyTrust spent
$3.5 million to open a secret-grade data centre in Canberra this year.
Government driving the PKI bus
Government projects account for the lion's share of certificate deployments
so far. The first was the Australian Taxation Office (ATO), which uses
Baltimore's UniCERT platform to issue and manage digital certificates
used by companies to lodge business activity statements over the Net.
About 95,000 businesses (about 3% of all Australian businesses) now use
the certificates.
With wrinkles in the system largely smoothed out and take-up growing
steadily -- if not quickly -- the ATO's experience with PKI has encouraged
other government bodies to follow suit. For example, the Health Insurance
Commission is going ahead with plans to use certificates to improve online
access to medical records, and other government authorities are using
PKI to move hundreds of thousands of documents online.
Next year, Land Information New Zealand will begin a pilot program using
PKI services to secure and authenticate changes to property-related information
made by more than 2000 lawyers, government authorities, surveyors and
other interested parties. "We were adding shelving space at the rate of
one kilometre per year, but now we're bringing together all the records
that were in five separate land districts into one national database,"
CRS2 development manager Richard Bloor explained. "We've chosen PKI as
the best-practice security mechanism that we can identify at the moment
and are building it into our system."
Victoria's Transport Accident Commission (TAC) also needs to authenticate
employees who access critical information. It uses eSign digital certificates
to encrypt and digitally sign the contracts, emails, documents and other
communications generated by its 400-plus employees.
Climbing the learning curve
As these public sector early adopters work their way through the policy
issues and practical complexities of moving traditionally paper-based
processes online, private enterprise is gradually warming to the concept.
Many are now using PKI in a limited way, or planning pilot projects in
the near future.
Several PKI companies are taking a higher-level approach in an attempt
to make implementation easier. They also hope to win customers by saving
companies the massive cost of running their own secure CA facility.
"People realise the importance of trust and PKI has always been associated
with trust," KeyTrust managing director Charles Greatrex said. "But generating
a digital certificate without an application is like selling someone a
pet rock. The federal government has got the right vision for where this
should go, but because it isn't an application developer, companies are
left with the obvious problem of making the environment operate."
KeyTrust offers tools for secure PKI-based email, policy and document
management; authentication of remote users over encrypted virtual private
networks; and highly secure forms management and processing. Greatrex
believes the service-based approach will encourage experimentation and
eventual adoption in online applications where trust is central.
Other PKI providers have recently jumped on the services bandwagon. In
February, eSign opened a PKI Training Centre in Melbourne to promote development
of PKI-based applications. At the same time, it announced it would extend
its alliance with security developer SecureNet to include the Sun--Netscape
Alliance venture iPlanet E-Commerce Solutions. The three now plan to integrate
their technologies and market the result to banking and financial services
organisations.
Another recent entrant is PricewaterhouseCoopers (PwC), which is selling
PKI-based services through its beTRUSTed subsidiary. According to Stephen
Wilson, director of PwC policy and strategy, and chair of the Certification
Forum of Australia, PwC's investment in the technology is valued at about
$US100 million. Its Australian data centre will join similar sites in
the US and UK.
"Building a CA really is rocket science," Wilson said. "We've done that
work and we offer it through economies of scale to save our clients costs,
which could run to over $US5 million and take 12 months or more if a company
tried to do it themselves."
Policies quelling uncertainty
However, the TAC's executive general manager of information technology,
Tony Marxsen, warned that simplifying customers' implementation of PKI
technology is only a small part of the total solution. "We exchange information
on paper with various law firms, hospitals, police and so on," he explained,
adding that the TAC's massive case load means it has been collecting paper
at a rate of more than 10,000 pages per employee per year.
"But we have a formal written policy that says 'no sensitive information
is to be sent by email'," Marxsen said. "We soon came to the realisation
that encryption of email is essential, but we also raised many business
issues; for example, does the company stand by signed email? Who is authorised
to sign? What information goes on the certificate? Can we allow private
use of employee certificates? What about private key management discipline?
Issues with PKI are 80% policy and contractual, and 20% technology."
One of the biggest problems with PKI has been uncertainty over the legal
status of documents signed using electronic rather than physical means.
However, corporate hesitation has gradually been overcome by the introduction
of the Commonwealth Electronic Transactions Act 1999. Section 9 of this
act elevated electronic writing to the status of conventional writing
in government transactions, and section 10 gave binding power to electronic
signatures, as long as the method of delivering those signatures met the
recipient's standards and "was as reliable as was appropriate for the
purposes for which the information was communicated".
The act propelled Australia to the forefront of global PKI adoption.
It came a year after Singapore's Electronic Transactions Act 1998 and
laid the foundation for the Electronic Transactions (Victoria) Act 2000,
which established rules about acceptability of digital certificates in
the broader private sector. In its wake, a growing number of contracts
are now being signed using digital certificates -- an executive of one
PKI supplier even used them to sign his marriage certificate.
Improving PKI's commercial image
Clear government policies supporting digital signatures and the growing
momentum of the Gatekeeper movement have been central to positioning PKI
as an enabler for ebusiness initiatives moving business transactions online.
But will the private sector buy it?
The answer seems to be 'yes, but slowly', if current projects are any
indication. This is because companies still need to reconcile their own
policies to ensure consistency between all business partners. "We want
to have design teams, draughtsmen, engineers and others sharing information
electronically, and you don't necessarily want to have that information
crossing the public Internet in unencrypted form," AANX business manager
with the Federal Chamber of Automotive Industries Klaus Jahn said.
The AANX (Australian Automotive Network Exchange) is the local affiliate
of a growing worldwide network of automotive suppliers and manufacturers.
Last September it began using KeyTrust certificates to allow business
partners to identify 10 message-handling gateways distributed across its
network. When a large order comes through, the recipient can check the
digital certificate to ensure that the order was placed through an official
AANX gateway.
Broader use of the certificates to identify companies and individuals
"is a matter of individual companies putting certain requirements forward
regarding policies, who they allow into it, and so on," Jahn said. "I
think it will take some time for companies and individuals to realise
PKI is the way to do this. We've done business on paper for hundreds of
years, and there aren't many people who really have their head around
what moving it all online involves."
One certificate for all
Gatekeeper is aiming to speed up adoption of digital certificates among
companies doing business with the government. However, private-sector
PKI also got a shot in the arm recently with the Australian introduction
of certificates from Identrus, a global CA that is supported by 42 of
the world's largest banks.
In Australia, the Big Four banks are working with Identrus to build a
unified CA. Trusted by all manner of businesses and individuals, banks
act as RAs to bring their customers into the global Identrus framework.
Codenamed 'Project Angus', the local consortium is spearheading a push
to build bridges between Identrus and Gatekeeper and, in the process,
to create a common ground for government and private-sector PKI.
"Project Angus is all about banks appreciating that to enable B2B ecommerce,
there needs to be some formal cooperation between participants to enable
transactions to pass to other companies," according to Brian Mecklem,
Project Angus chairman and general manager of global payment systems with
the National Australia Bank. "We're talking about all businesses in Australia
being able to do business with one certificate, and we think that's a
good opportunity for our customers. Making the decision to run with Identrus
opens up the door for authentication virtually immediately, because it
already has the necessary rules and policies in place."
Project Angus received a major boost in April, when it was announced
that eSign would be the first organisation to issue Australian Business
Number Digital Certificates (ABN-DSCs). These new certificates are irrevocably
tied to the ABN adopted last year as a standard form of business identification.
As they're based on the ABN, ABN-DSCs are positioned to become the de
facto standard for government interaction. In March the government announced
that Identrus-based Project Angus certificates will be accepted as ABN-DSC
certificates. This will allow Australian businesses to interact with government
agencies (through the ABN-DSC's role within Gatekeeper) and companies
around the world (through Identrus's global CA network). This interoperability
should complete the common framework for B2B transactions in Australia
and around the world, increasing Australia's B2B capabilities.
According to Mike Jeffries, Baltimore's APAC product marketing manager
for PKI, "Identrus and Gatekeeper are gradually bringing together the
government sector and the private B2B sector. Up until the last couple
of years, PKI has been closed user group based. But now there's a national
and international infrastructure, it is easier to start embracing it in
a big way."