Wednesday, April 11, 2007

Lack of PKI laws hinders national competitiveness

Expert urges GITS be single root CA

DON SAMBANDARAKSA

Electronic documentation and public key infrastructure (PKI) will be the next hot topic for Thai exporters soon after they come to terms with issues of food traceability. European Union guidelines on export documentation will require electronic signatures that are legally binding in both countries, and unless a proper PKI is in place soon, Thai exports will suffer, according to a cryptology expert who is a member of the PKI Forum.

Jay Busari of software company Cryptograph explained how the PKI Forum was initially established with Nectec but, as with many other Nectec projects, had suffered from a lack of funding and was recently handed over to the Bank of Thailand (BoT).

Public key infrastructure is the system for managing the public and private keys used to encrypt and sign documents. Unlike a simple password (a symmetric key) that is used for both encryption and decryption, the public key can be, as its name suggests, transmitted openly and put on a public key server. Someone can then download this key and use it to encrypt a document that can only be decrypted by the owner of the matching private key. The public key can also verify that a signature made with the private key is genuine, but it cannot create signatures. What a key alone cannot tell you is whose key it is: that binding is made by a Certificate Authority (CA), which issues a certificate stating that a particular public key belongs to a particular person or company and signs that statement with its own key. Managing these keys and signing (counter-signing, or cross-certifying) them is the role of CAs. Some countries have a single official root CA. Others, most notably the United States, have a federation of root CAs that counter-sign and recognise each other.

Jay explained that three organisations in Thailand are today vying for the position of national root CA: Government IT Services (GITS), an autonomous body established by the National IT Committee, and TOT Corporation and CAT Telecom (both under the ICT Ministry).

"GITS are the best and the only ones who seem to know what they are doing, however. CAT and TOT do serve a useful function as they have a nationwide reach in every province and district," he said.

"Exporters are not crying out for a PKI because they don't realise it yet, but when these EU directives come into force for certain products or for dealings with EU governments, that's when we will lose competitiveness," he warned.

Shrimp or chicken exports to the EU will face a lot more paperwork if Thailand's PKI law is not passed. Bypassing Thailand and using, for instance, a US-based CA is not an option, as export documentation needs to be legally binding in both countries.

Another major problem was raised in a recent PKI Forum meeting by the Anti-Money Laundering Office (AMLO). Today, because there is no PKI legislation, when AMLO sends a request to a counterpart agency overseas it has to do so on paper. Worse, it cannot accept documents returned by email, even with a digital signature, because such signatures are not legally binding under Thai law.

This means that AMLO's overseas partners have to send paper documents back, which is something not every partner is willing to do.

Today GITS has a cross-certification agreement with one of Japan's root CAs: each root has certified the other's key. This means that a digital certificate issued by GITS, and therefore a signature made with the key it certifies, can be verified and legally relied on in Japan, and vice versa. For those doing business with Japan this is extremely useful. "If your fresh seafood exports are delayed, you lose money. It's that simple," he said.
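Both the key-pair mechanics described earlier (only the private key can sign; the public key can only verify) and the cross-certification just described can be shown in working code. The Go program below is an added example, not code from the article, from GITS or from any Thai or Japanese CA. The two roots, the exporter's signing key and the shipment text are constructed stand-ins, and the helpers (`template`, `issue`, `buildPKI`, `chainLen`, `pool`) are hypothetical names chosen for this example; Root B stands in for the foreign root that has cross-certified Root A, the position GITS holds in the article. Only Go's standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a certificate skeleton (fixed serials are for the example only).
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl over pub with issuerKey; passing tmpl as its own parent gives a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey))
	return must(x509.ParseCertificate(der))
}

type demoPKI struct {
	rootA, rootB, crossAbyB, signer *x509.Certificate
	signerKey                       *ecdsa.PrivateKey
}

func buildPKI() *demoPKI {
	gen := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	keyA, keyB, keyS := gen(), gen(), gen()
	tA, tB := template("Root CA A", 1, true), template("Root CA B", 1, true)
	rootA := issue(tA, tA, &keyA.PublicKey, keyA) // self-signed national root (the GITS position)
	rootB := issue(tB, tB, &keyB.PublicKey, keyB) // self-signed foreign root
	// Cross-certification: B certifies A's name and public key as a CA, so a relying party
	// that trusts only B can still build a chain to certificates that A issued.
	cross := issue(template("Root CA A", 2, true), rootB, &keyA.PublicKey, keyB)
	signer := issue(template("Exporter Signing Key", 1001, false), rootA, &keyS.PublicKey, keyA)
	return &demoPKI{rootA, rootB, cross, signer, keyS}
}

// signDoc needs the private key; verifyDoc needs only the public key in the certificate.
func signDoc(priv *ecdsa.PrivateKey, doc []byte) []byte {
	h := sha256.Sum256(doc)
	return must(ecdsa.SignASN1(rand.Reader, priv, h[:]))
}

func verifyDoc(cert *x509.Certificate, doc, sig []byte) bool {
	h := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(cert.PublicKey.(*ecdsa.PublicKey), h[:], sig)
}

func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// chainLen returns the length of a trust path from cert to a trusted root, or an error if none exists.
func chainLen(cert *x509.Certificate, roots, intermediates *x509.CertPool) (int, error) {
	chains, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}) // document signing, not TLS server auth
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	p := buildPKI()
	doc := []byte("constructed sample: shipment TH-0001, 500 kg frozen shrimp") // constructed input
	sig := signDoc(p.signerKey, doc)
	fmt.Println(verifyDoc(p.signer, doc, sig), verifyDoc(p.signer, append(doc, '!'), sig)) // genuine vs tampered
	fmt.Println(chainLen(p.signer, pool(p.rootA), pool()))            // relying party trusts A directly
	fmt.Println(chainLen(p.signer, pool(p.rootB), pool()))            // trusts only B, no cross-cert: error
	fmt.Println(chainLen(p.signer, pool(p.rootB), pool(p.crossAbyB))) // trusts B, cross-cert available
}
```

The three `chainLen` calls are the three situations in the article: a relying party that trusts Root A directly validates the exporter's certificate with a two-certificate chain; one that trusts only Root B and holds no cross-certificate gets an unknown-authority error, which is exactly why a US-based CA does not help a Thai exporter; and once Root B's cross-certificate for Root A's key is available as an intermediate, the same certificate validates through a three-certificate chain. Whether a court in either country will accept that result is the legal question the article is about, and no amount of code settles it.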

Nectec is pushing debate on and development of a draft CA law in the PKI Forum. Among the expected outcomes of the PKI Forum are a draft Certificate Policy (CP) and a draft Certification Practice Statement (CPS).

A CP is basically the constitution that all CAs in the country will have to adhere to: it sets out what the certificates may be used for, how a subscriber's identity must be verified before a certificate is issued and how keys must be protected. It is then up to each CA to publish its CPS, which states how that CA actually meets the policy and what level of service and reliability it promises its customers, in other words, a Service Level Agreement (SLA).

Jay feels that it would make sense for Thailand to have only one root CA, GITS, rather than a federated system, as the country is starting afresh and does not have a legacy of multiple root CAs to cater for.

It is worth noting that the latest draft terms of reference for the next batch of smart ID cards refer to all three, GITS, TOT and CAT, and that the new cards will have to work with certificates issued by any of them.

Further work that needs to be addressed includes how to apply PKI to e-auction documents and time-stamping services.

Jay also said that Nectec clearly had the passion but not the budget, while MICT only sent junior officers to the PKI Forum.

He hoped that the BoT would be able to give the PKI Forum the importance and financial backing it deserves.

Bangkok Post
