Introduction

Kenya’s connection to the internet was greatly enhanced with the connection of the SEACOM cable in the summer of 2009 and the connection of the EASSy cable in 2010. Even with current investments by the government, banking and telecommunications sectors, there are still, in general, serious security loopholes hindering the growth of e-commerce brought about by the increased connectivity, leading to the rise of cyber crime in Kenya in both public and private domains.

With mounting evidence of increasing vulnerabilities, the Government of Kenya (GoK) has embarked on the implementation of the National Public Key Infrastructure (NPKI) to help create trust for online transactions. Widely recognized as the most secure platform for e-commerce transactions, the Public Key Infrastructure (PKI) is also by far the most mature solution that addresses all four key elements of security: authentication, non-repudiation, confidentiality and integrity. A PKI refers to the whole system of policies, processes and technologies, including digital certificates, certificate servers and Certification Authorities (CAs), working together to enable users to exchange information over open networks securely and confidentially.

The functional framework mainly consists of a Root Certification Authority (RCA), a Certification Authority (CA) and a Registration Authority (RA). The role of the CA is to provide digital certification services to subscribers whose identity has been validated by a Registration Authority (RA), a function that is usually performed by a CA. The RCA acts as a digital notary by authenticating the certificates issued by a CA.

A CA is a trusted third party that verifies the identity of an applicant registering for a digital certificate and issues that person a digital certificate binding his or her identity to a public key. It also provides certificate management services such as publication and revocation of digital certificates. A CA acts like a trusted electronic notary public, telling everyone who the valid users are and what their digital signatures should look like. In the Kenya Information and Communications Act CAP411A (KICA), CAs are referred to as Certification Service Providers (CSPs).

The Kenya Information and Communications Act CAP411A (KICA) and the Kenya Information and Communications (Electronic Certification and Domain Name Administration) Regulations, 2010, provide a legal and regulatory framework for electronic certification services and empower the Commission to license and regulate the activities of Certification Service Providers (CSPs) in Kenya. As CSPs perform a trusted role in verifying the identities of parties in electronic transactions, the Commission seeks to provide the assurance that the CSPs' responsibilities are met and that these services are made available with high integrity, security and service standards.

With the provision of a local Public Key Infrastructure (PKI) framework, local users will benefit from services offered by locally licensed Root Certification Authorities (RCAs) and Certification Service Providers (CSPs) and therefore enjoy the following:

Benefits of a local RCA
  • Cheaper digital certification verification services;
  • Operations and services that are within our local/national laws (jurisdiction); and,
  • Easily accessible services given that the RCA will have local presence.

Benefits of a local CSP
  • Cheaper digital certificates;
  • Operations and services that are within our local/national laws (jurisdiction); and,
  • Easily accessible services given that the CSPs will have local presence.