Submission to the National Office of the Information Economy (NOIE)
regarding NOIE's Discussion Paper of 19 August 1998
relating to 'Establishment of a National Authentication Authority'

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

© Xamax Consultancy Pty Ltd, 1998

Version of 24 September 1998

This document is at

Addressed to Mr B. Stewart, General Manager - Legal and Regulatory, National Office for the Information Economy, Locked Bag 8461, Canberra ACT 2601

I refer to the Discussion Paper of 19 August. I apologise for the lateness of these comments, but hope that you will be prepared to consider them nonetheless.

I make these comments firstly as a consultant in strategic and policy aspects of electronic commerce and information infrastructure; and secondly as a public interest advocate, with particular reference to consumer and privacy matters. My company is a member of both AIIA and APSCF, and I am generally aware of those organisations' stances on some of the issues.

My comments below range from mild to quite serious expressions of concern about various aspects of the Discussion Paper and the proposal it contains.

I would be pleased to clarify any of the comments made, but draw to your attention that I will be absent from Canberra between Saturday 26 September and Monday 5 October, and am likely to have limited email contact during that time.

1. Policy Considerations

Public confidence in EC and ESD is seriously lacking. Among the reasons for this are the quite apparent potential for governments and large corporations to utilise public key technology to consolidate current power relationships over individuals and small enterprises, and to create new sources of power.

These matters are discussed in a number of my papers, indexed at

I draw particular attention to the position statement I've published at

That this is increasingly appreciated, at least within the Commonwealth public sector, is evidenced by a series of consultancy assignments I've been asked to perform, and by an invitation to address a PSMPC conference at Mt Macedon next week on the topic of `Public Confidence in ESD: Can Citizens' Trust be Earned?'

With a few minor qualifications, however, the Discussion Paper is silent on the topic of public policy issues. It is vital that the charter of any such body explicitly include public policy issues, and expressly refer to consumer concerns and privacy protections. It would be beneficial to all concerned if the wording clearly encompassed individuals, unincorporated enterprises and small and medium incorporated enterprises. (Privacy is relevant only to individuals and unincorporated enterprises, whereas consumer issues are relevant to all of these entities).

I further suggest that the constitution of relevant committees and working groups needs to refer to " representatives of public interests", and then to expressly include at least both consumer and privacy advocates. There may also be a need for representation of some additional interests on working parties, such as those of lower socio-economic groups (e.g. ACOSS) and of small business (e.g. COSBOA).

2. Technology Neutrality

It is vital that all expressions used in this context avoid any preference among technologies. One matter of particular importance is the question of a single-national-hierarchy in comparison with multiple-hierarchies that may operate within or across jurisdictional boundaries. Both what the Discussion Paper refers to as `closed' systems and `open' systems need to be supported, and indeed multiple schemes of each kind.

Beyond that, it is vital that the interests of major IT providers not be pandered to through an implicit preference for hierarchical over web-of-trust approaches. Both AIIA and AEEMA are dominated by early movers in the supply of products and services relevant to hierarchical approaches, and their comments to NOIE and MMV are (of necessity) tainted by that domination.

In addition, there seems to be no real need for the scope of the body to be constrained to public key authentication. Many other forms exist and are feasible; and it would be valuable to have a forum in which standards for authentication techniques of all kinds can be examined and discussed, and policy issues arising in relation to them can be debated.

3. Absolute cf. Risk-Management Approaches to Authentication

The Discussion Paper uses the terms "prove" and "certainty". It is naive to believe that proof and certainty are feasible, and usually only marketing and national security interests ever suggest that they are. It is also inimical to the emergence and survival of CAs to imply such a high standard, because their liabilities would be assessed on that basis.

It is urged that all documents on this matter use terms that imply relative rather than absolute degrees, "evidence" rather than "proof", and "degree of confidence" rather than "certainty".

4. Commercial Realities

Nothing in this proposal addresses the fundamental issue that a CA faces uncertain, probably very high, and possibly unlimited financial risks. Contra the ECEG Report conclusions, unless and until liability exposure is addressed through some mechanism such as liability-capping, compulsory insurance, and/or insurer-of-last-resort arrangements, it is unlikely that an effective market will emerge.

In the meantime, it appears likely that a swing back toward risk-management will occur. Many kinds of transactions can be structured to avoid the need for authentication, or even identity. Modest levels of asset and information security can be achieved through userid/password-pairs without authentication of the identity (or pseudonym) of the organisation or individual concerned. The proportion of transactions that `go bad' (variously because they were fraudulent in the first place, and because a party acts opportunistically in order to avoid liabilities) may be able to be absorbed through third-party insurance or self-insurance. In short, the conventional approaches applied in conventional commerce may prove to be satisfactory in e-commerce as well, notwithstanding the challenges of extra- and supra-jurisdictionality.

5. The Body's Title and Functions

A title that includes the word `Authority' is forbidding, and may in any case overstate the organisation's functions and powers. The term `Forum' may be too gentle, so something with connotations mid-way between the two might be the most appropriate. Alternatively, the excessive softness of `forum' could be complemented by a firmer term such as `standards'; hence perhaps `Australian Authentication Standards Forum'. In line with suggestions made above, it would be valuable to include the term `Policy', to produce, say, `Australian Authentication Standards and Policy Forum'.

Similarly, concern is expressed about the verb used to describe what the body does in relation to standards and codes of practice. The term "approve" implies that the body would impose standards as a condition of CA registration, which is a function of a peak certification body. Alternative words should be considered such as "endorse" or "recommend".

Serious concern is expressed about the proposal that the body "aim to reassure" consumers and industry. Such a limited aspiration would be likely to produce little improvement in the level of public confidence. Words need to be used that imply a clear intention that participants' interests are to be protected.


Go to Roger's Home Page.

Go to the contents-page for this segment.

Send an email to Roger

Created: 8 October 1998

Last Amended: 8 October 1998

These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).
The Australian National University
Visiting Fellow, Faculty of
Engineering and Information Technology,
Information Sciences Building Room 211
Xamax Consultancy Pty Ltd, ACN: 002 360 456
78 Sidaway St
Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, 6288 6916