The Communications Authority of Kenya together with the ICT Authority of Kenya held an inclusive status update in March 2023 on the implementation of the National Public Key Infrastructure. The stakeholders included government organs, civil society, business interests, and academia.
What is the Kenya National Public Key Infrastructure?
The National Public Key Infrastructure (NPKI) is a system used for the creation, storage, and distribution of digital certificates, which are used to verify that a particular public key (online/virtual identity) belongs to a certain entity. Digital signatures identify the transacting parties, make it possible to detect whether a transaction has been altered, and prove that the transaction took place.
The Kenya National Public Key Infrastructure (NPKI) is a system that provides a secure and trusted environment for electronic transactions and communication within the Kenyan government and between the government and its citizens, businesses, and other organizations.
The NPKI is managed by the Communications Authority of Kenya, which is the regulator of the communications industry in Kenya. The NPKI uses digital certificates and encryption technology to secure electronic transactions, including online payments, online voting, and secure communication between government agencies.
The NPKI is designed to improve the security and reliability of electronic transactions in Kenya and to enable the government to provide better services to its citizens and businesses. It is also intended to promote e-commerce and e-government initiatives and to help Kenya become a leader in the digital economy in East Africa.
Overall, the Kenya NPKI is an important initiative that is helping to advance the development of a secure and trusted digital infrastructure in Kenya, which is critical to the country’s social and economic development.
Why the need for a Government PKI?
Governments may develop their own certificate authority (CA) for several reasons, even though there is a functioning global public key infrastructure (PKI) operated by private entities.
Firstly, governments may develop their own CA to ensure that they have control over the issuance of digital certificates that are used to authenticate and secure communications within their own networks or with other government entities. This can be important for national security or other sensitive government operations.
Secondly, some governments may choose to develop their own CA to promote trust and security in their own digital services and transactions, as the use of a government-issued digital certificate can provide an additional layer of assurance to users that the service is legitimate and secure.
Lastly, some governments may not fully trust the global PKI operated by private entities and may develop their own CA as a way to maintain greater control over the issuance and management of digital certificates within their jurisdiction.
Government certificate authorities are also necessary for legal and regulatory compliance purposes. The decision for a government to develop its own CA is often based on the specific needs and priorities of that government and may vary depending on factors such as national security, trust, and control.
Kenyan Legislation of NPKI.
The legislation governing the National Public Key Infrastructure in Kenya under current laws and regulations is the Kenya Information and Communications Act (KICA) of 1998, CAP 411, as revised under the Electronic Certification and Domain Name Administration Regulation 2010.
KICA section 83C, Functions of the Commission in relation to electronic transactions, provides:
(1) The functions of the Commission in relation to electronic transactions and cyber security shall be to:
(a) facilitate electronic transactions by ensuring the use of reliable electronic records;
(b) facilitate electronic commerce and eliminate barriers to electronic commerce such as those resulting from uncertainties over writing and signature requirements;
(c) promote public confidence in the integrity and reliability of electronic records and electronic transactions;
(d) foster the development of electronic commerce through the use of electronic signatures to lend authenticity and integrity to correspondence in any electronic medium;
(e) promote and facilitate efficient delivery of public sector services by means of reliable electronic records;
(f) develop sound frameworks to minimize the incidence of forged electronic records and fraud in electronic commerce and other electronic transactions;
(g) promote and facilitate the efficient management of critical internet resources; and
(h) develop a framework for facilitating the investigation and prosecution of cybercrime offenses.
Benefits of the NPKI to the government of Kenya.
(a) Authentication: Guarantees an entity’s identity and attributes and establishes who sends or receives data.
(b) Integrity: Detects any changes that may have taken place accidentally or intentionally while data is stored or transmitted over the Internet. Authentication and integrity services are the basis of electronic signatures, which can be compared with hand-written signatures, thus removing the need for paper and ink.
(c) Non-repudiation: Ensures all parties to a transaction cannot convincingly deny having participated in the transaction.
(d) Confidentiality: Enables electronic data to be protected, and controls access to the data by applying authentication mechanisms.
Some examples of public PKI service providers.
These providers offer various types of PKI services, including SSL/TLS certificates, code signing certificates, email encryption certificates, and document signing certificates. Each provider may have different features, pricing, and certificate types, so it is essential to research and compare providers before choosing one. Examples are Let’s Encrypt, DigiCert, GlobalSign, Entrust Datacard, Comodo CA, Symantec (now part of DigiCert), GoDaddy, Trustwave, SSL.com, and Sectigo (formerly Comodo CA).
Which governments have their own national Public Key Infrastructure?
Many governments around the world have their own Public Key Infrastructure (PKI) for various purposes, including secure communications, digital signatures, and authentication. Some examples include:
- United States – The Federal Bridge Certification Authority (FBCA) is the U.S. federal government’s PKI system.
- Canada – The Government of Canada PKI (GCPKI) is the national PKI system for Canada.
- United Kingdom – The UK Government Gateway is the national PKI system for the UK.
- China – The China Public Key Infrastructure (CPKI) is the national PKI system for China.
- Japan – The Japanese Government PKI (JPKI) is the national PKI system for Japan.
- Germany – The German Federal Network Agency’s PKI (BNetzA PKI) is the national PKI system for Germany.
- France – The French government operates a national PKI system called the Infrastructure de Gestion de Clés (IGC).
- India – The Indian PKI is a national PKI system developed and operated by the Indian government.
- Spain – The Spanish Government PKI (Cl@ve).
- Australia – The Australian Government PKI (AGPKI).
- Singapore – The Singapore National Authentication Framework (NAF).
Organisation of NPKI in Kenya.
The Government’s NPKI scheme consists of four envisaged independent organizational structures and agencies. These are:
(a) Steering committee: Supervises, manages, and makes strategic decisions on the NPKI.
(b) Root Certification Authority (CA): Role played by Communications Authority. Supervises and regulates Certification Authorities (CAs).
(c) Government Certification Authority (GovCA): Role played by the ICT Authority. Issues digital certificates to subscribers. As the GovCA, the ICT Authority offers digital certificate services to various government agencies, among them the Kenya Revenue Authority, the National Transport and Safety Authority, the Ministry of Lands and Physical Planning, and the National Treasury, to mention a few. The GovCA issues the digital certificates to end-users, who in turn use them in the applications that need protection, validation, and non-repudiation.
(d) Registration Authority (RA): The ICT Authority, an E-Government service provider, will play the role. It identifies and registers subscribers of digital certificates (e.g. Ministries and other user agencies) with Government Certification Authorities (GovCAs).
Some of the use cases for NPKI digital certificates in Delivering Government Services
- Ministry of Lands, Housing and Urban Development – Authentication of users (internal or external), and signing of property titles.
- Kenya Revenue Authority
- Judiciary of Kenya – Record filings and case records
- Integrated Financial Management Information System (IFMIS)
- ICTA – Accreditation system for ICT service providers
- Kenya Trade Network Agency (KenTrade)
- Communications Authority of Kenya – email signatures
The legal and regulatory framework supporting the use and adoption of digital certificates is in need of streamlining to enable businesses, public procurement, and land registration to recognise and use electronic means of authenticating and signing documents or property titles. This should be done in close collaboration with all stakeholders, including the Law Society of Kenya, the Attorney General’s office, the Judiciary, the ODPP, businesses, academia, and civil society. This means several laws, such as the Business Laws Act, the Public Procurement and Asset Disposal Regulations, and the Land Registration Act, will have to be streamlined.
Mwendwa Kivuva leads the Tatua Digital Resilience programs at KICTANet.