Welcome to Information & Communication Technologies Authority of Mauritius
 

MAURITIAN PUBLIC KEY INFRASTRUCTURE

Public Key Infrastructure (PKI) is today the most secure method for providing authenticity and integrity to electronic communications on the web. In all countries that have adopted an Information Technology Act (based on the UNCITRAL model), the non-repudiation function of PKI is very well taken care of.

PKI essentially can be split into the following components:

1) Root Certification Authority (RCA)
2) Certification Authority (CA)
3) Repository of the certificates issued
4) List of certificates revoked (CRL)
5) Archiving and time stamping
6) Registration Authority (RA)

The legal requirements vary for each country. PKI therefore has to be regulated according to the legal environment and other national needs of the country. A Regulatory Authority that regulates all aspects of PKI is therefore necessary to safeguard the national interest.

These six components of PKI require infrastructure (hardware/software) and security procedures to operate successfully. A country can decide to have these components in-house (within the country), to outsource their operation to outside agencies, or to use some combination of the two. This depends on commercial viability, considering the volume of PKI certificates likely to be issued in the country. To determine which components to outsource, the country should review the requirements, the commercial viability and the availability of trained technical manpower to operate and maintain them.

The objectives of the PKI model for Mauritius are:

1) Operations within legal and regulatory framework of Government of Mauritius (ICTA);
2) Global acceptance of Mauritius PKI for global e-commerce and other activities in finance sectors;
3) Low cost and affordability.

The Root CA is always an off-line operation, for safety reasons. It is normally owned by a Government agency or a very reputed organization in the private sector. This is required for generating trust in the Root CA at the highest level.

The Certification Authority (CA) is an on-line operation and therefore requires strict security measures and tools for safeguarding against unauthorized intrusions and cyber attacks. The proposed model envisages outsourcing of the RCA and CA operation to a reputed agency. The major requirement is the commitment of the outside agency to operate strictly as per the legal and regulatory needs of Mauritius. The Root and CA will be exclusively for the use of Mauritius authorities.

The RA is responsible for interfacing between the certificate holder and the CA, and RAs are based in Mauritius. No certificates would be issued by the CA unless authorized by the RA. The operation of RAs can be monitored locally to safeguard against the violation of local laws and regulations. The entire PKI operation would be required to abide by international technical standards for facilitating interoperation of Mauritius PKI with PKIs of other countries. This will provide global acceptance of Mauritius Certificates.

[Figure: PKI Operational Framework]

[Figure: Mauritian PKI Model]



© Information and Communication Technologies Authority of Mauritius
Last Updated: 1 March, 2010