Gatekeeper PKI Framework – Have Your Say
The Gatekeeper Public Key Infrastructure (PKI) Framework is currently being reviewed.
A discussion paper has been released to encourage feedback from stakeholders and the public. It outlines key issues and invites ideas to help shape the future of the Framework.
Feedback is open until 21 October 2025.
While the review is underway, annual audits of accredited providers and new accreditations are on hold.
How to provide feedback:
- Read the discussion paper
- Send your submission by email to: gatekeeper.pki@finance.gov.au
- If you want your submission to remain confidential, clearly mark it as a ‘private submission’
Submissions may be published unless marked as ‘private submission’.
The Gatekeeper PKI Framework (the Framework) outlines the accreditation requirements for organisations that issue digital certificates.
Policy background
Developed in the 1990s, the Framework supported the Government’s electronic authentication strategy. This included the following now-defunct policies:
- National e-Authentication Framework
- Third Party Identity Services Assurance Framework
As part of a historical policy decision, agencies are required to utilise digital certificates issued by Gatekeeper-accredited organisations.
Purpose of the Framework
The Framework defines the policies and standards for issuing digital certificates used by agencies to authenticate devices such as applications and computers. The Framework sets out the requirements for organisations to become accredited to issue digital certificates for use in government for PKI-based authentication.
Gatekeeper accreditation covers the issuing of digital certificates to subscribers that need to work in:
- open environments, such as the internet
- closed environments, such as communities of interest
- hybrid communities.
Assessors from the Information Security Registered Assessor Program (IRAP) assess providers. They also audit them annually to make sure they comply with the Gatekeeper PKI Framework.
If a service provider contracts you to carry out an IRAP assessment you can get in touch with us to ask for a list of their approved documents.
Accredited service providers
The Gatekeeper Competent Authority has granted accreditation to the following services:
Provider | Service type | Accreditation date |
---|---|---|
DigiCert (formerly Symantec) | Certification and Registration Authority | September 2015 |
Cogito Group | Registration Authority, Certification Authority and Validation Authority | 11 October 2021 |
Department of Defence | Certification and Registration Authority | 17 May 2007 |
Department of Industry and Science | Validation Authority | 6 January 2011 |
Medicare Australia | Certification Authority | 29 June 2011 |
Verizon Australia | Certification Authority | 16 February 2012 |
Australian Taxation Office | Certification Authority | 30 April 2013 |
Australian Taxation Office | Registration Authority | June 2019 |
Property Exchange Australia Limited | Certification Authority | 1 October 2014 |
Property Exchange Australia Limited | Registration Authority | June 2019 |
More information about the Framework
Download the following documents to find out more about the Framework:
- Gatekeeper PKI Framework (V3.1 — December 2015)
- Information Security Registered Assessors Program (IRAP) Guide (V2.1 — December 2015)
- Compliance Audit Program (V2.1 — December 2015)
If you have any questions you can get in touch with us at gatekeeper.pki@finance.gov.au.