The ATO has established the myGovID system and associated myGovID Machine Certificates to facilitate internet-based electronic transactions between Organisations and participating agencies. The ATO is the Certification Authority (CA) for the myGovID system. The myGovID Machine Certificate forms part of the digital authentication credential referred to as a Machine Credential which permits machine-to-machine interactions.
Where an Organisation wishes to use (and appoints a Machine Credential Administrator (MCA) responsible on its behalf for) the myGovID Machine Certificate issued under the Certificate Policy (CP) – Machine, then:
- The Organisation means the entity identified by its Australian Business Number (ABN) in the application for that myGovID Machine Certificate and as the Organisation in that Certificate.
- The MCA means the individual nominated in the application as the MCA for that myGovID Machine Certificate and associated with that Certificate as its Certificate Holder.
Conditions Associated with the myGovID Machine Certificate
Use of the myGovID Machine Certificate
The MCA and the Organisation are jointly and severally responsible for the storage and use of the myGovID Machine Certificate including all transactions and communications carried out under or using it.
The Organisation and the MCA must ensure that the myGovID Machine Certificate is not used for any unlawful or improper purpose.
The Organisation represents and warrants that the MCA has full authority to manage the use of the myGovID Machine Certificate on the Organisation’s behalf.
The Organisation and the MCA permit the myGovID CA to (and to authorise others to) publish information relating to the myGovID Machine Certificate, the Organisation and the MCA for the purposes of the myGovID system and as indicated in the CP – Machine and CPS.
Responsibilities in relation to the myGovID Machine Certificate
The MCA and the Organisation must not:
- disclose the password for the myGovID Machine Certificate to any other person
- store the myGovID Machine Certificate in a keystore to which any person may have unauthorised access
- otherwise allow, grant, permit or enable any person to use the myGovID Machine Certificate other than under their authority.
The MCA and the Organisation must promptly advise the myGovID CA if:
- the MCA is no longer authorised to manage the use of the myGovID Machine Certificate on the Organisation’s behalf
- it becomes aware of any unauthorised use of the myGovID Machine Certificate
- the security of the myGovID Machine Certificate or its password has been compromised.
Cancellation of the myGovID Machine Certificate
The circumstances under which the myGovID CA may revoke the myGovID Machine Certificate are described in the CP – Machine and the CPS.
The myGovID Machine Certificate must not be used for any purpose after it has been cancelled.
Warranty and Indemnity
The Organisation indemnifies the myGovID CA against any loss arising from:
- any failure by it (or the MCA) to ensure the safety and integrity of the myGovID Machine Certificate and its password
- any wilful, negligent or unlawful act or omission by it (or the MCA) in relation to the use of the myGovID Machine Certificate.
The Organisation’s liability under this indemnity is reduced to the extent that any wilful, negligent or unlawful act or omission by the myGovID CA has contributed to its loss.
A reference in this clause to the myGovID CA includes a reference to the myGovID CA, the myGovID Root Certification Authority, myGovID Registration Authority, the Registrar, the Commonwealth, and their respective officers, employees and agents.
|ABN||See Australian Business Number.|
|Australian Business Number||An Australian Business Number issued in accordance with the A New Tax System (Australian Business Number) Act 1999.|
|Certificate||An electronic document, signed by the Certification Authority which:
|Certificate Holder||The individual who manages the use of a Digital Certificate on behalf of the Organisation identified in that certificate. The Certificate Holder is the MCA.|
|Certificate Policy (CP)||A named set of rules applying to, and providing policy and operational guidance on the deployment and use of a Certificate issued by a Certification Authority (CA).|
|Certification Authority (CA)||An entity that issues and digitally signs Certificates using the entity's Private Key.|
|Certification Practice Statement (CPS)||A statement of the practices that a Certification Authority (CA) employs in managing the digital Certificates it issues (this includes the practices that a Registration Authority employs in conducting registration activities on behalf of that Certification Authority). These statements will describe the PKI certification framework, mechanisms supporting the application, issuance, acceptance, usage, suspension/revocation and expiration of digital Certificates signed by the CA, and the CA’s legal obligations, limitations and miscellaneous provisions.|
|Certificate Store||Storage location for certificates on a computer or device.|
|Credential||Refers to the Machine Certificate.|
|Machine Certificate||A Machine Certificate that identifies a Machine in its Subject Distinguished Name field.|
|Machine Credential Administrator (MCA)||The individual responsible for managing the use of a given myGovID Machine Certificate on behalf of the Organisation Entity identified in that certificate. To be an MCA the individual must be the Certificate Holder of a myGovID User Certificate. The MCA is also the Certificate Holder.|
|myGovID Machine Certificate||The name given at the time the certificate was issued by the Certificate Authority.|
|Organisation||A legal entity that has, or is entitled to have, an ABN.|
|Private Key||The Private Key in an asymmetric Key Pair that must be kept secret to ensure confidentiality, integrity, authenticity and non-repudiation, as the case may be.|
|Public Key Infrastructure (PKI)||The combination of hardware, software, people, policies and procedures needed to create, manage, store and distribute Keys and digital Certificates based on public Key cryptography.|
|Subject Distinguished Name||A field in a digital Certificate that uniquely identifies the individual (or, in the case of a Machine Certificate, the Machine) associated with the Private Key for that certificate.|