Keynote speaker presentation - Gavan Duffy

Gavan Duffy is senior research developer of security and biometric technologies within Scientific Generics Limited, a leading integrated technology consulting, development and investment organisation, with an international reputation for successfully commercialising emerging science and technology.
He has worked across a broad spectrum of technologies within the field of information technology and security and remains actively involved in the architecture, design and delivery of complex software systems across a wide range of technologies and markets. He is the principal inventor of a number of published patents relating to the effective integration of biometrics and cryptography. Broader assessment of the markets for these technologies has also led to involvement in additional research relating to the use of secure server architectures to support privacy enablement of multiple identity enrolment detection systems and secure management of biometric escrow processes.

Title of the IWWST 2005 keynote
"Securing collaborative workflow over mobile networks"

Abstract
Much of the discussion regarding security over mobile networks is focused on protection or locking down of the device and creation of secure channels that enable safe exchange of encrypted data between authenticated parties.

There is, however, a wider issue of trust in the context of reliance on the outcomes of a business process that is enacted as a collaboration of actions executed by a group of individuals connected by a network. Examples of such processes are the invocation of extraordinary privileges, permitting access to classified data or the invocation of any certification action that either creates a liability or represents a statement that should be taken as trustworthy.

When we examine trust in these terms, our assessment of security moves beyond the digital domain and we necessarily need to consider how technical security mechanisms interact with the actions of people in the context of a shared group activity involving multiple participants. Furthermore, it can be shown that such domains of trust are hierarchical, where a distinction should be made between internal trust relationships that are specific to how a business operates and external trust relationships that impact its commercial interactions with other organisational entities.

Therefore whilst an organisation may rely on a local community of trust between multiple parties, the external view of the organisation will more commonly view it as a single collective identity.

Within public key infrastructures (PKI), the intersection between the digital domain and the real world domain has traditionally been managed by certification authorities (CA). Traditionally, the certification processes of a CA are charged both with the establishment of identity and with the creation and management of digital certificates. We argue that the CA model in isolation is insufficient for the effective establishment of local communities of trust within a hierarchical model of domains of trust.

We further show that self-management of internal certification processes can be more widely extended to enforcement of a security policy in respect of any business process that encapsulates security sensitive operations. Generalisation of a certification process also extrapolates the concept of a certification practice statement (CPS) or certification policy to the application of a security policy to any security critical business process.

To be useful and easy to develop, the formulation of such a security policy and the specification of the business process to which it applies must be encapsulated in an easy-to-generate form that is both human readable and machine enforceable. We describe the kind of technology that can meet these objectives, which we notionally refer to as a secure workflow engine.

We furthermore describe the particular form of PKI technologies on which such an implementation would depend and how these can themselves be implemented using the secure workflow engine that they support.