Intra-ASEAN Secure Transactions Framework

Pitinan Kooarmornpatana
Director of IT Infrastructure Office of ETDA
Jun 2015

Background

• What is Intra-ASEAN Secure Transactions Framework?
  – Funded Project by ASEAN ICT
  – Part of the ASEAN ICT Masterplan 2015 Initiative 2.4 “Building Trust and promote secure transaction within ASEAN”

• Objective
  1. Provide guideline, technology-neutral framework, and legal consistency in secure transaction approaches across ASEAN member states
  2. Increase trust and promote secure and efficient electronic transactions through proper selection of e-authentication mechanism
  3. Initiate sharing of online identity and authentication across cross-border systems

1. Guideline for technical-neutral framework

• Legal Framework for secure transaction is almost ready

• A little reminder: legal is the supporting framework, but the business framework or existing flow is the main actor.

2. Increase trust by proper e-authentication

• Methodology for selecting the proper e-authentication mechanism

1. Assurance Levels and Risk Assessments

• ISO/IEC 29115:2013
• OMB M-04-04
• NeAF

2. Identity Proofing and Verification

• ISO/IEC 29115:2013

3. Authentication Mechanism

• NIST Special Publication 800-63-1

2.1 Level of Assurance and Mechanisms

1. Assurance Levels and Risk Assessments

Source: ISO/IEC 29115:2013

2. Identity Proofing and Verification

3. Authentication Mechanism

3. Initiating Shared Online Identity

National Contact Information System (diagram labels):

• DP; Info Out; In
• Mapping Level of Assurance
• Smart form will distribute data to related agency (GOV.A, GOV.B, GOV.C)
• Communication via email to separate security domain
• Response from sending back to requester’s Inbox
• User can manage who (service provider) to share what information with
• User can register and upgrade Level of Assurance by providing more information (Authoritative or Corroborative)
• Control Accessibility Based on LoA

3. Initiating Shared Online Identity

Mapping with the Framework

NCIS Key Feature: Perform online identity regular ch

Pilot Project – B2G e-Filing for exporter

AS-IS (diagram labels):

• Exporter
• Ministry of Commerce
• Req.; Cert.
• Request for business registration certificate
• Business registration certificate
• staff
• Review Request and the corroborative document
• Submit to NSW
• NSW; Government Agency1
• Request Form1
• e-Custom; E-Permit1

Pilot Project – B2G e-Filing for exporter

To-be (diagram labels):

• Exporter
• Ministry of Commerce
• Req.; Cert.
• Request for business registration certificate
• Business registration certificate
• staff
• Review Request and the corroborative document
• Submit to NSW
• NSW; Government Agency1
• Request Form1
• e-Custom; E-Permit1
• NCIS (Authen.)

Response form in data schema format
- Signed by PKI certificate of authorized government staff (Secured Message)
- Sharing Information over https (Secured Channel)

Finding: We also care about the ‘function’ of that identity

• It’s not only that I want to know he is Mr. John
• But we also want to know what Mr. John can do

Diagram labels:

• Exporter
• Ministry of Commerce
• Req.; Cert.
• Request for business registration certificate
• NCIS (Authen.)
• School
• Professional Association
• Financial Institute

- Signed by PKI certificate of authorized government staff (Secured Message)
- Sharing Information over https (Secured Channel)

How PKI can help complete the jigsaw

• Maintain the liability chain
• Keep integrity of data
• Non-repudiation
• Not only human to server but also server to server

Recommendations

• ASEAN should adopt the risk-based approach to define the Level of Assurance required for each application

• ASEAN should define identity proofing and verification for each LoA based on ISO/IEC 29115:2013

• Credential management should include the corroborative information and authoritative information

Key Points

• Legal is there to support the business process

• Authentication Framework should consider the ‘functional’ information from other entities

• PKI plays a big role in making the trusted ecosystem in Thailand