Encryption micro group outcomes

UNCLASSIFIED External
Issue date: 6 September 2017
Venue: Webex
Event date: 24 August 2017 / Start: 11:00am / Finish: 1:00pm
Chair: Matt Lewis / Contact phone: 02 4923 1060
Attendees:
External participants: Johnathon Samuel (SuperChoice), Andrew E Smith (MYOB), Sergio Dutra (Xero), David Field (OzEDI), Rick Harvey (Layer Security), Manas Sadar (MessageXchange)
ATO: Terry Seiver, Claire Miller, James Levick, Matt Lewis, Ty Winmill, Kylie Johnston, Megan Northcott, Hosh Elavia, Ian Coulson
Key notes
  • General agreement from the group on the definition of on-the-wire encryption.
  • While there were differences in how encryption at rest has been implemented, there was agreement that a particular approach should not be baked into the definition, leaving flexibility in how it is implemented.
  • A question was raised on whether encryption at rest also covers data held in memory.
  • General agreement that the payload needs to be agnostic of the message and standalone in its own right.
  • Agreement that it is fundamental that the solution supports signing, encryption and compression. One standard needs to handle all three of those components.
  • It was noted that triple-wrapped messages are probably over the top, and that an easier-to-implement solution would be a better outcome.
  • A question was raised as to whether Government credentials can be used for B2B transactions.
  • After discussion of standards, there was general agreement to use CMS (Cryptographic Message Syntax) as a starting point. The process will be monitored, and if a reason to move to S/MIME is discovered, the group can work through the best way to make that transition.

Action item 1 / Due date: 12 Sep / Responsibility: Focus Group
Members to provide feedback on the three encryption definitions provided in the pre-reading, i.e. encryption at rest, on-the-wire encryption and end-to-end encryption.
Action item 2 / Due date: 13 Sep / Responsibility: Hosh Elavia
Get clarity from DTA/ATO on the support of government credentials for use in B2B transactions, or the use of the federated identity framework.
Action item 3 / Due date: 13 Sep / Responsibility: Hosh Elavia
The ATO will need to explore how the new standards would be transitioned. (Not sure that I’ve captured this correctly.)
Action item 4 / Due date: 13 Sep / Responsibility: Terry Seiver
Need to develop policies on consistent patching across the ecosystem to respond to potential exploits.

If you have any feedback for the consultation process, please email
