As Developing Countries work on their policies, strategies, legislation and infrastructure deployment,

13th Subregional Telecommunication Meeting for Cambodia, Lao P.D.R, Myanmar and Vietnam
Yangon, 4-6 October 2006
Addressing Challenges to the Information Society
Building Trust and Security
Alexander NTOKO
Chief, E-Strategies
ITU Telecommunication Development Bureau (BDT)

As Developing Countries work on their policies, strategies, legislation and infrastructure deployment, security and trust must be part of the initial design stages …

Agenda
1. Threats
2. Framework
3. Strategies
4. ICTs @Work
5. CA Challenges

A Transaction-based E-government Infrastructure
But how do we get governments, businesses and citizens to conduct critical government transactions online?

As many countries embark on the e-government bandwagon, governments, citizens and businesses are asking many questions – Can we trust these systems?
• Receiving online submissions to renew national identity cards:
G: Am I dealing with the owner of the identity card?
C: How do I know this is really a government site?
• Submitting confidential bids for government procurements:
G: Is the bid from a registered company?
B: Can my competitors see my bid?
• Transmitting sensitive government documents online.
G: Can an unauthorized person view the document?
G: How can access control be ensured?
• Issuing birth certificates and land certificates via the Internet:
G: Can a citizen modify his or her date of birth?
G: What if she changes the size of her land or uses this to make another land certificate?
• Conducting online elections via the Internet – e-voting:
C: Can someone know whom I voted for?
G: How do we guarantee that a citizen votes only once?
G: Is this vote from a registered voter?

Overview of the challenges
Unsolicited Communications
Online Fraud
Unauthorized Access to Information
Destruction of Critical Information
Identity Theft
Invasion of Privacy
Some Challenges to Users

AGENDA
MALWARE
PHISHING
SPAM
TRENDS

MALWARE

Viruses
What is a virus?
o Virus (n.) Code written with the express intention of replicating itself. A virus attempts to spread from computer to computer by attaching itself to a host program. It may damage hardware, software, or information.
o Just as human viruses range in severity from Ebola to the 24-hour flu, computer viruses range from the mildly annoying to the downright destructive. The good news is that a true virus does not spread without human action to move it along, such as sharing a file or sending an e-mail.

Viruses
Are Viruses new? The Brain Virus.
o The first computer virus for Microsoft DOS was apparently written in 1986 and contains unencrypted text with the name, address, and telephone number of Brain Computer Services, a store in Lahore, Pakistan. This virus infected the boot sector of 5¼ inch floppy diskettes with a 360 kilobyte capacity. Robert Slade, an expert on computer viruses, believes the Brain virus was written as a form of advertising for the store in Pakistan.
o A variant of the Brain virus was discovered at the University of Delaware in the USA during Oct 1987, where the virus destroyed the ability to read the draft of at least one graduate student's thesis.

Worms
What is a worm?
o Worm (n.) A subclass of virus. A worm generally spreads without user action and distributes complete copies (possibly modified) of itself across networks. A worm can consume memory or network bandwidth, thus causing a computer to stop responding.
o Because worms don't need to travel via a "host" program or file, they can also tunnel into your system and allow somebody else to take control of your computer remotely. Recent examples of worms included the Sasser worm and the Blaster worm.

Trojans
What is a Trojan?
o Remember the Trojan horse appeared to be a gift, but turned out to contain Greek soldiers who overtook the city of Troy.
o Trojan (n): A computer program that appears to be useful software, but instead compromises your security and causes a lot of damage.
o A recent Trojan came in the form of an e-mail message that included attachments claiming to be Microsoft security updates, but turned out to be viruses that attempted to disable antivirus and firewall software.

How do worms and other viruses spread?
By Executing the Code.
o Virtually all viruses and many worms cannot spread unless you open or run an infected program.
o Many of the most dangerous viruses were primarily spread through e-mail attachments—the files that are sent along with an e-mail message.
o The virus is launched when you open the file attachment (usually by double-clicking the attachment icon).

PHISHING

Phishing
What is Phishing?
o Phishing (also called brand spoofing or carding) is a technique for acquiring your personal information and subsequently committing fraud in your name, including stealing your identity.
o About 10 years old, but attacks are increasingly sophisticated.
o It's a form of cyber-crime growing faster than the ability of the police or courts to deal with it.
o "Phishing" originated from the word "fishing". Like in real fishing, scammers lure victims using baits to divulge information that is used for fraudulent purposes.

Phishing
How is phishing perpetrated?
o Authentic-looking - In a typical phishing attempt, you will receive an authentic-looking email message that appears to come from a legitimate business.
o Mostly via Email - The majority of phishing currently is conducted by email, but it is also possible for you to be phished by mail, telephone or even in person.
o But spreading to other applications - Instant Messaging - The latest and most rapidly growing threat is through the use of Instant Messaging (IM), which can also be used for identity theft as well as spreading viruses and spyware.

Phishing
Who perpetrates it?
o Phishers are scam artists. They send out millions of emails, realizing that even if only a few recipients give them enough identifying information, they can profit from the resulting fraud.
Who is affected by phishing?
o Popular targets are users of online banking services and auction sites. Any Internet user whose email has been made available on any public forum. But it does not end there...

What is SPAM?
Unsolicited e-mail.
o Unsolicited e-mail, often of a commercial nature, sent indiscriminately to multiple mailing lists, individuals, or newsgroups; junk e-mail.
o To indiscriminately send unsolicited, unwanted, irrelevant, or inappropriate messages, especially commercial advertising in mass quantities. Noun: electronic "junk mail".

SPAM

Some methods used by Spammers
The battle against spam is an ongoing one, with spammers finding increasingly sophisticated ways to send unsolicited messages to recipients worldwide. Some of the common spammer tactics include:
• Dictionary attacks
• Email and DNS Spoofing
• Social Engineering and Urban legends/Hoaxes
• Message Board and Chat Room Mining
• Open Proxies and Mail Relaying
• Chain Letters
• Always-On Broadband connections

SPAM – Constantly Evolving
Spam is not only growing, but is evolving to become a broader threat to Internet security.

TRENDS

General TRENDS
Exploiting Current Fears and Events
o Spammers exploit bird flu fears through offers for online purchases of Tamiflu, the only known medicine that deals with the human version of the avian flu.
o Victims of Katrina also experienced an increase in identity theft.

General TRENDS
Increasing and becoming more malicious
o Number of Attacks – Reports show increasing number of new viruses and variants. A global pandemic.
o Nature of Attacks - This indicates a trend toward more malicious use of such software by criminals.
o Use of Spyware for ID Theft - Growing % of Spyware now reported to be aimed at stealing identity.
o Adapting to Security Strategies - Worms that exploit security strategies based on "impenetrable firewall" and e-mail filtering to protect an otherwise insecure internal network.

General TRENDS
As it expands to other platforms, it's more difficult to detect
o Expansion to Mobile - New type of phishing could hit mobile phone users. Mophophishing is where hackers send out fake banking applications to unsuspecting mobile phone users. The users then type their account details into the application thinking they are accessing their accounts when they are actually sending their personal details back to the hacker.
o Difficulties in Spotting Attacks - Spotting a phishing email is relatively straightforward: the user need only examine the source code of an HTML email and inspect the domain name and path of any link to verify its authenticity.
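
The link inspection described above can be automated. The following is an added example, not part of the original presentation: it parses the HTML body of a message and flags links whose real host differs from what the reader is shown. The function names, the `bank.example` domain and the sample message are constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def parse_url(url):
    """Return (lower-cased host, raw authority part); ('', '') if unparsable."""
    if "://" not in url:
        url = "http://" + url
    try:
        parts = urlsplit(url)
        return (parts.hostname or "").lower(), parts.netloc
    except ValueError:
        return "", ""


# Something in the visible link text that looks like a host name or URL.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def inspect_links(html_body, expected_domain):
    """List every link that does not clearly lead to expected_domain, with reasons."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host, authority = parse_url(href)
        reasons = []
        if host != expected_domain and not host.endswith("." + expected_domain):
            reasons.append("link host is not under " + expected_domain)
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and parse_url(shown.group(0))[0] != host:
            reasons.append("visible text names a different host than the link")
        try:
            ipaddress.ip_address(host)
            reasons.append("link host is a raw IP address")
        except ValueError:
            pass  # not an IP literal
        if "@" in authority:
            reasons.append("URL contains user-info before the real host")
        if reasons:
            findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


# Constructed sample message body (reserved example domains and addresses).
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your account:</p>
<a href="http://192.0.2.15/bank.example/login">https://www.bank.example/login</a>
<a href="http://www.bank.example@login.example.net/verify">Verify now</a>
<a href="https://www.bank.example/help">Help centre</a>
"""

if __name__ == "__main__":
    for finding in inspect_links(SAMPLE_EMAIL, "bank.example"):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The third link in the sample passes every check; the first two are reported with the host the browser would actually contact.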

Not specific to a Particular OS.
Not limited to any Platform
Affects services across all Sectors
Knows No Geographical or Time barriers
More and more Sophisticated
Everyone is Concerned and Affected
They are all Related

e-security threats… Spam, Phishing etc
o The battle against spam is an ongoing one, with spammers finding increasingly sophisticated ways to send unsolicited messages to recipients worldwide. Some of the common spammer tactics include:
1. Dictionary attacks
2. Email and DNS Spoofing
3. Social Engineering
4. Message Board and Chat Room Mining
5. Open Proxies and Mail Relaying
6. Chain Letters
7. Random Strings of Text and characters

e-security threats… Spam, Phishing etc
o Reliance on filters using databases of known spammers, string processing of email headers, reverse look-ups and similar solutions will not scale as spammers will continue to look for and find back-door solutions through the refinement of their tactics.
o Spam does not only cause loss of revenue and time for email recipients and companies but also reduces trust and confidence in email transactions.
o One element common to spam is that spammers try to hide their identities using some of the tactics already enumerated above. The issue of establishing the identities of parties to email transactions should be a key component of any strategy aimed at combating spam and enforcing anti-spam and cyber crime legislation.

Knowing whom you are dealing with…
Having firm integrity in something or somebody
e-security threats… Spam, Phishing etc
• An entity A, can be said to trust another entity B when A makes the assumption that B will behave exactly as A expects.
"One of the core problems with spam is we don't know, Yahoo doesn't know, the user doesn't know ... if it really came from the party who it says it came from," Brad Garlinghouse, vice president for communication products at Yahoo, said. "What we're proposing here is to re-engineer the way the Internet works with regard to the authentication of e-mail."
In addition to privacy, security and policies, knowing whom you are dealing with is vital for building trust.

What TRUST is NOT
o Not transitive (cannot be passed from person to person)
o Not distributive (cannot be shared)
o Not associative (cannot be linked to another trust or added together)
o Not symmetric (I trust you does not equal you trust me)
o Not self-declared (trust me – why?)

Technology Framework for Trust and Security
Five (5) Key Requirements – The big 5!
This list is NOT exhaustive but constitutes vital elements for trust.
o Data Confidentiality
• Information accessed only by those authorized.
o Data Integrity
• No information added, changed, or taken out.
o Strong Authentication
• Parties are who they pretend to be.
o Non-repudiation
• Originator cannot deny origin or transaction.
o Infrastructure of trust
• Automating the verification of digital credentials.

How can we enhance security and trust?
Confidentiality - Encryption
Who am I dealing with? - Authentication
Message integrity - Message Digest
Non-repudiation - Digital Signature
Third party evidence of authenticity - Certificate
Trusted certificate - Certification Authorities

Technology Framework for Trust and Security
Symmetric Encryption - Data Confidentiality

Technology Framework for Trust and Security
Public Key Encryption System – Data Confidentiality
Each user has 2 keys: what one key encrypts, only the other key in the pair can decrypt.
Public key can be sent in the open.
Private key is never transmitted or shared.

Technology Framework for Trust and Security
Digital Envelope – Data Confidentiality
Combines the high speed of symmetric encryption (e.g., AES Rijndael) and the key management convenience of public key encryption. Includes PSE (Smartcards, Mega-brid, USB tokens), biometrics, Hardware Security Modules etc.

Technology Framework for Trust and Security
Digital Signature – Non-Repudiation

Technology Framework for Trust and Security
Message Digest – Data Integrity
160, 256, 384 or 512 bit representation (thumb print) of document
• Used to determine if document has changed.
• Currently based on FIPS 180-2 approved algorithms (SHA-1, SHA-256, SHA-384 and SHA-512).
• Produces 160, 256, 384 or 512 bit "digests".
• Infeasible to produce a document matching a digest.
• A one bit change in the document affects about half the bits in the digest.
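
The digest properties listed above can be measured directly. This is an added example, not part of the original presentation: it flips every bit of a constructed land-certificate record in turn, counts how many digest bits change for each of the four algorithms, and uses a stored digest to detect an altered land area. The record, constants and function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Digest sizes in bits for the FIPS 180-2 algorithms listed on the slide.
DIGEST_BITS = {"sha1": 160, "sha256": 256, "sha384": 384, "sha512": 512}

# Constructed sample records (not from the original page).
LAND_CERTIFICATE = b"Land certificate no. 0001 | holder: A. Citizen | area: 2.5 hectares"
TAMPERED_CERTIFICATE = LAND_CERTIFICATE.replace(b"2.5 hectares", b"9.5 hectares")


def digest(document: bytes, algorithm: str) -> bytes:
    """Message digest ("thumb print") of a document."""
    return hashlib.new(algorithm, document).digest()


def flip_bit(document: bytes, bit_index: int) -> bytes:
    """Copy of the document with exactly one bit inverted."""
    data = bytearray(document)
    data[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(data)


def differing_bits(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_fraction(document: bytes, algorithm: str) -> float:
    """Average share of digest bits that change when one document bit is flipped.

    Every bit of the document is flipped once, one at a time.
    """
    base = digest(document, algorithm)
    document_bits = len(document) * 8
    changed = sum(
        differing_bits(base, digest(flip_bit(document, i), algorithm))
        for i in range(document_bits)
    )
    return changed / (document_bits * len(base) * 8)


def is_unchanged(document: bytes, reference_digest: bytes, algorithm: str = "sha256") -> bool:
    """True if the document still matches the digest recorded at issuing time."""
    return hmac.compare_digest(digest(document, algorithm), reference_digest)


if __name__ == "__main__":
    for name, bits in DIGEST_BITS.items():
        share = avalanche_fraction(LAND_CERTIFICATE, name)
        print(f"{name}: {bits}-bit digest, {share:.1%} of bits change per flipped bit")
    reference = digest(LAND_CERTIFICATE, "sha256")
    print("original accepted:", is_unchanged(LAND_CERTIFICATE, reference))
    print("altered area accepted:", is_unchanged(TAMPERED_CERTIFICATE, reference))
```

A bare digest only detects modification when the reference digest itself cannot be replaced by the person altering the document, which is the role the signed digest plays in the digital signature slides.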

Verifying the Digital Signature for Authentication and Integrity
Combines Hash Algorithms (FIPS-180), Key Exchange, Public Key Encryption to provide Data integrity, Non-repudiation and Certificate-based Authentication. Digital credentials are established using ITU-T X.509 Digital Certificate Standard based on FIPS 186-x standards.

Digital Signature
Guarantees:
o Integrity of document
One bit change in document changes the digest
o Authentication of sender
Signer's public key decrypts digest sent and decrypted digest matches computed digest
o Non-repudiation
Only signer's private key can encrypt digest that is decrypted by his/her public key and matches the computed digest. Non-repudiation prevents reneging on an agreement by denying a transaction.

Technology Framework for Trust and Security
Digital Certificates - Establishing Digital Credentials
ITU-T X.509 creates the framework for establishing digital identities – A key component for establishing security and trust for ICT applications in public networks (such as the Internet)

Industry Solutions for Online Trust and Security

Public Key Infrastructure (PKI) and Industry Solutions for Security & Trust
It's Not about waging a technology war (PKI vs Non-PKI) but combining technologies and policies for total solutions.
o Combines various industry solutions and standards – PKCS, PSE (Smart Cards, tokens, Megabrid), OCSP Transponders, HSMs, CA, RA and Content Validation Software.
o Enables security and trust to be built on comprehensive and interoperable solutions with appropriate policies ensuring national sovereignty and enforceable legislation.
o Most highly rated e-government countries have PKI as an important component of their e-government strategy.

ICTs@Work

ICTs@Work:e-government
o Using ICTs to increase efficiency and enhance business processes.
o Addressed rather complex needs in business flow-processes (e.g., license issuing, work-flow automation and information processing).
o Implemented using local expertise and the strong commitment of CRA management and technical Team.
E-government Project in Bosnia & Herzegovina. Other operational projects have been implemented in countries in Latin America, Asia and Europe.

Cybersecurity - Solutions implemented in projects:
Certificate-based authentication using ITU-T X.509 V.3
ITU-T X.509 creates the framework for establishing digital identities – A key component for establishing security and trust for ICT applications in public networks (such as the Internet)

Cybersecurity - Solutions implemented in projects:
Automating identity verification and management
[Diagram: Root, CA-1 and CA-2; Certification Authority (A) and Certification Authority (B); Registration Authorities (RA) receiving Certificate Requests; certificate status Valid or Revoked (CRL)]
o PKI including Certificate Authority, Registration Authorities and related policies and procedures (CPS and CP) for identity verification and management taking into account national policies and national sovereignty issues.

Cybersecurity - Sample Project – Georgia
Securing communication within government networks
Challenge: Government of Georgia embarks on a project to convert paper documents (including restricted ones) into digital format to facilitate dissemination of government information to citizens. Senior officials plan to electronically sign official correspondences. How can access to these documents be controlled? How is the integrity of these official electronic correspondences ensured?
Solution: Implementation of public key infrastructure providing strong certificate-based authentication including fingerprint biometrics, data integrity using FIPS-approved digest algorithms, e-signature and data confidentiality based on both public key and symmetric encryption. Solutions built on existing infrastructure to ensure seamless integration. Funding and implementation by ITU.

Cybersecurity - Sample Project – Bulgaria
Building Security and Confidence in Government Services
Challenge: Securing communication between government officials and providing security for IP-based interconnection of three (3) government agencies. Main cyber security challenges included providing solutions for authentication, data integrity, data confidentiality and non-repudiation.
Solution: The project is now in its third phase. Phase I provided solutions for certificate-based authentication of government officials, confidentiality in the transmission of sensitive documents and non-repudiation through e-signatures. In Phase II three government agencies were interconnected using PKI-enabled Virtual Private Networks as a cost-efficient way to use the Internet for sensitive e-government services. Project funding and coordination of the design and implementation were provided by ITU/BDT. Phases I and II are operational and Phase III is expected to be operational in Q2 2005.

ICTs@Work:e-Trust
• Global Asymmetrical Trust Model and technology strategy based on Public Key Infrastructure (PKI), Privilege Management Infrastructure and related PMI and PKI-enabled applications.

Cybersecurity - Sample Project – Paraguay
Securing the transmission of sensitive documents
Challenge: Clients of CONATEL needed secure IT solutions to transmit confidential data (reports) to CONATEL. To address these requirements, the solutions should ensure the integrity of data, preserve the confidential nature of the documents, and ensure that both sender and receiver are certain of the identities of each other.
Solution: After a careful assessment of the security and trust requirements and discussions with the management and IT professionals of CONATEL, ITU/BDT assisted in the design and development of a public key infrastructure providing solutions for identity management, non-repudiation, data integrity and strong encryption. Technology components including digital signature, biometric authentication and cryptographic token interfaces were built on the existing infrastructure for a seamless integration. Funded and implemented by ITU/BDT, this project has increased the efficiency in the business processes of CONATEL and provides security and trust solutions for communicating with its clients (operators and service providers).

Cybersecurity - Sample Project – Turkey
Building security and trust for the Health Sector
Challenge: 81 provinces, 90,000 doctors, 1200 hospitals and 70+ million inhabitants to be connected through an ICTs health platform as part of the national health transformation project. In addition to several other technological, policy, regulatory and institutional challenges, there are security and trust issues to be addressed, e.g., transmission of sensitive medical records, authenticating doctors, patients, healthcare professionals and institutions, ensuring patient-doctor confidentiality, integrity, privacy and ownership of EPRs and protecting critical infrastructure and data.
Solution (First Phase): Secure health information system enabling citizens, medical institutions, health insurance and health care professionals participating in Phase I to use information technologies to store, access and disseminate sensitive health data nationwide. Funding is provided by Government of Turkey. Launched at WSIS I, ITU is providing expertise for the coordination and implementation.

ICTs@Work:e-government
Increasing government transparency, enabling transaction-based e-government services, secure document transmission between government agencies, online payment based on e-currency for government services, PKI-based e-signatures and digital certification. Implemented by ITU and funded by European Community and ITU.

ICTs@Work:e-business
o Assisting countries in the design, development and implementation of e-business solutions.
o Operational projects in Africa, Asia, Europe, Latin America and Arab Region.

ICTs@Work:e-payment
o Assisting in the design, development and implementation of infrastructure for credit card-based e-payments solutions for e-commerce and e-government transactions.
o Projects implemented in countries such as Brazil, Morocco (US$2,5 million), South Africa and Venezuela.

ICTs@Work:e-health
o Providing a forum for exchanging best practices in the implementation of e-health projects.
o Developing guidelines and elaborating strategies at global level in fostering e-health services.
o Working with industry partners, international organizations (WHO, ESA) and governments to assist developing countries in e-health projects.
ITU Experts Meeting on E-health – June 2004 Tokai University, Japan

ICTs@Work:e-medicine
o Using ICTs to bring access to medical services such as remote diagnostics and tele-radiology.
o Interconnecting ambulatory services in two remote areas in Venezuela and enabling access to medical specialists located in the capital city (Caracas).
ITU's e-health activities include the implementation of telemedicine projects in several countries including Mozambique, Malta, Nicaragua, Georgia, Myanmar, Senegal, Bhutan, Uganda and Ukraine. There are ongoing and planned projects for several countries such as Cameroon, Ethiopia, Kenya, Haiti, Rwanda, Venezuela, Sudan, Turkey, Mauritania, Bulgaria, Zimbabwe, Guinea, Lebanon, Tajikistan, Uzbekistan and Latvia.

ICTs@Work:e-education
o Enabling youths to access a wide range of information via the Internet.
o Enhancing knowledge-building and ensuring active participation of youths in the information society.
Internet@Schools Project in Toumboucktu, Mali providing Internet access to more than 700 students in a very remote area 1000 km from the capital city (Bamako). Ongoing project in Senegal launched in June 2005.

ICTs@Work:e-agriculture
o Using ICTs applications and infrastructure to enhance agricultural activities in Madaniyat village in rural Kyrgyzstan.
o Providing solutions to access information on better farming methods and up-to-date information on the price of produce and business partners.

ICTs@Work:e-environment
o As a supporting organization for the industry-led Global e-Sustainability Initiative (GeSI), undertaking activities with UNEP aimed at addressing the environmental effects of telecom and ICTs.
o Working with Member States to develop strategies on the use of telecommunications and ICTs for the protection of the environment.
Global e-Sustainability Initiative Supply Chain Working Group Benchmarking Report

ICTs@Work:e-employment
o Enabling African business women and youths in Cameroon to use ICTs for e-employment.
o Improving social conditions by increasing income through the provisioning of ICT-enabled remunerated remote translation and document processing services.
ITU e-employment and e-business project for the association of business entrepreneurs in Africa (ASAFE).

ICTs@Work: Connecting Island Communities
o Establishing shared access to rural and remote communities in Pacific Island States.
o In June 2005 launched a project to implement 20 Multi-Purpose Community Centers in Solomon Islands and Western Samoa.
o Providing Internet Access (Email and Web) + e-commerce, e-agriculture and e-government solutions to rural population.
With Prime Minister of Western Samoa at Launch of Project – June 2005
Map of Guarda Canal Province, Solomon Islands showing locations for MCTs

Legislative Framework for ICTs
o Assisting Member States in establishing harmonized e-legislation for 4 Latin American States (ASETA).
o Providing assistance to individual states (Burkina Faso, Cape Verde, Mauritania, Mongolia and Tanzania) to elaborate national legislation on ICTs.

National and Regional Policies
o Bringing together Member States to address regional policies and strategies for ICTs (e-applications, Internet and e-Security) (e.g., IP Symposia for Africa, Americas, Asia Pacific, and Europe and Arab Region leading to Kigali and Moscow and Dubai Declarations).
ITU E-government and IP Symposium for 22 Arab States in Dubai (UAE) – 22-25 November 2004

Certificate Authority Challenges

Cross Certification
o A CA issues a certificate to another CA. This is applied to Strict Hierarchy (Root CAs)
o Establishment of Trust Relationship between CAs (Chain of Trust).
o Could result in Trust Cascades (A>B and B>C should not imply A>C).
o Trust relationship could be Mutual (Horizontal Trust relationship) or Unilateral (Vertical Trust relationship – Root CAs).

Bridge Certificate Authority
o A CA acts as a bridge between CAs in different PKI domains.
o Each CA establishes a Trust Relationship with the Bridge CA.
o The absence of direct relationships between CAs avoids overheads related to the establishment of direct trust relationships between co-operating CAs.

Cross Recognition
o No trust relationship on cross certification between CAs.
o Requires a mutually trusted and recognized third party.
o CA-CA Interoperability is achieved through the licensing or auditing by a mutually agreed authority.

Accreditation Certificate
o A combination of cross-certification and cross recognition.
o Involves the creation of an accreditation CA.
o Public Key of each CA is signed by accreditation CA.
o Used in Australia in the Gatekeeper Accreditation CA.
o Requires high level government structure and control to create hierarchy (e.g., government-wide PKI).

Certificate Policy – Plays an important role in the implementation of some of these initiatives
o Certificate Policy (CP) – A Named set of rules that indicate the applicability of a certificate to a particular community and/or class of applications of common security requirements.

ITU-T X509: CA-CA Policy Interoperability
Policy Mappings Extension
Allows a certification authority to indicate that certain policies in its own domain can be considered equivalent to certain other policies in the subject certification authority's domain.

ITU-T X.509: Preventing Trust Cascades
Policy Constraints extension
o Ability for a certification authority to require that explicit certificate policy indications be present in all subsequent certificates in a certification path.
o Ability for a certification authority to disable policy mapping by subsequent certification authorities in a certification path.

Strategy for E-Signatures and CAs
Online Trust and Security for e-Government Needs to be part of a comprehensive policy framework dealing with other e-services

Building Online Trust For E-Government
Digital Signature – Issues and Challenges
o Acceptance of Digital Signatures Across Multi-Jurisdictional PKI Domains (at the National, Regional and Global Levels).
o Adopting Policies for Generic Identity Certificates (PKI) and the relationship with Attribute Certificates (Privilege Management Infrastructures).
o Elaborating Harmonized and Technology Neutral E-Legislative Framework and Enforcement Mechanisms.

What could be the Role of Governments in fostering e-government deployment and use?
o National/Regional Policies for the Management of Public IP Resources to ensure fair and equitable allocation of:
• Internet Protocol Addresses
• Domain Names (under ccTLDs)
o Creating an Enabling Environment for E-Applications (e.g.,):
• Accreditation of Certification Authorities
• Control and Enforcement Mechanisms (Spam, Spim, P/Vhishing and Data privacy legislations).
• Harmonized Regional Framework E-Legislation
o Active Role in Implementing e-government.

ITU Development Activities in E-government
Activities undertaken within the past three years.
o Projects using trust technologies (encryption, digital certificates, biometrics, smart cards/USB tokens) implemented in Bulgaria, Burkina Faso, Cambodia, Cameroon, Ecuador, Georgia, Paraguay, Peru, Senegal, Turkey, Vietnam and Zambia.
o Ongoing Projects in Barbados, Bhutan, Kyrgyz Republic, Jamaica and Rwanda.
o Workshops/Seminars on technology policies in Africa, Asia, Arab Region, Latin America and World.
o Assistance to ASETA, Burkina Faso, Cape Verde and Mongolia to elaborate legislation for e-signatures.
o Policy analysis, guidelines and best practices.
o Multi-lateral and self-regulatory framework launched World e-Trust Memorandum of Understanding.

ITU WTDC E-Strategies Programme
An Overview of Related Projects and Activities

CONCLUSION
For ICT applications to deliver services aimed at reducing the social divide, enhancing basic services in health, educational, commercial and government sectors, citizens, governments and businesses must all have TRUST in the technologies and the solutions.

Thank You for your attention
For further information:
Web: http://www.itu.int/ITU-D/e-strategy
Email: e-strategy@itu.int