Digital Certificate Authorities: Authentication of Documents, Transactions and People

Imagine being able to buy an offshore property simply by sending digital documents back and forth between lawyers and financial institutions. That beachfront property you saw on the last visit to your favorite tropical island could be yours in a matter of hours, rather than months.

Such widespread use of digital signatures, the experts assure us, is just around the corner. Everyone will soon be able to do business online, and still be able to sleep soundly at night. Investors will move their assets around the globe via the Internet, and do so knowing their financial data and transactions are completely secure and confidential.

Most important, all of these transactions will be legally binding. Naturally, the system will also guarantee that the people or organizations we are dealing with actually are who they say they are. It may sound like just another Internet pipe dream to some, but proponents of global e-commerce are convinced the dream will be reality.

"In five years, every government, company, organization, Web site and even individual is going to have a digital certificate or digital identity," says Carrie Liddy of Torus Corporation, a global e-commerce business services company based in Toronto.

What is a digital certificate?

A digital certificate consists of basic information about your digital identity: your individual or company name, your e-mail address and, most importantly, your public key. The public key is a string of numbers generated together with a matching private key, which stays under your control and is never sent to anyone. The certificate is itself digitally signed by the certificate authority that issued it, so anyone who receives it can check that the authority vouched for the binding between the name and the key. Unlike a written signature, the key pair does two jobs: signing a message with your private key lets the recipient confirm that it came from you and was not altered, and anyone holding your public key can use it to encrypt a message that only you can read.

Secure communications generally require five key elements to work. Confidentiality is supplied by encryption. Authentication, integrity (a guarantee against tampering) and non-repudiation depend on the digital signature. The fifth, authorization, is a policy decision about what an authenticated party is allowed to do; neither encryption nor a signature provides it on its own, so the system built around the certificate still has to enforce it.

Until now, the use of digital signatures has been quite limited. Most business-to-business e-commerce has consisted of electronic data interchange (EDI), whereby companies exchange data through proprietary networks not linked to the Internet. Consumers are less sophisticated than businesses when it comes to security. Most credit card purchases done on the Net now average less than $50 and most consumers don't even bother to use their browser's basic encryption feature when ordering, never mind trying to get a digital certificate.

However, technology is changing rapidly. The US is setting the pace, with 45 out of 50 states having already enacted some type of digital signature legislation. Of the 45 states with legislation, 28 have laws covering most types of communications while 17 focus primarily on communications with government agencies. Only five states (Delaware, Massachusetts, Michigan, New Jersey and South Dakota) have no legislation at all.

Liddy says a huge shift is starting to take place in the way business, consumer and financial transactions are handled. More and more companies are starting to move away from intranets (proprietary information networks) and extranets (linked proprietary networks such as EDI) to the concept of a globalnet, where all business-to-business and business-to-consumer transactions will take place on the Internet. The security and business assurance needed for these transactions will require all parties to have a valid digital certificate.

Already, one credit card company has leapt into the fray. AMEX currently offers a blue card embedded with a smart chip containing a digital certificate. "Smart chip technology is very flexible, and we specifically designed the blue card on a multi-application platform," says AMEX spokesperson Molly South.

The card is inserted into a free smart card reader plugged into the user's computer. The card, together with a PIN, allows consumers to buy on the Net using their certificate. The card allows access to an online wallet, which contains information such as shipping and ordering preferences.

This information is automatically transmitted to the merchant's online order forms. The system provides instant user-friendly security for both consumer and merchant. AMEX officials are hoping it will encourage more widespread consumer acceptance of online shopping. Initiatives like this could, however, eventually become the thin edge of the wedge for developing a universal digital signature for individuals.

The changes should have a major impact on the offshore finance industry. But Liddy says this sea change in transaction systems won't happen overnight. "The transition has already started, but the global expenditures for business and government are huge," she says.

Certificate authorities

The current problem is a lack of standardization. In the chaos which now reigns in this brand new technology, virtually anyone can set themselves up as a certificate authority (CA) issuing digital certificates. Currently the major players include retail-oriented certificate authorities such as Entrust, Verisign, Thawte and Cybertrust, among others. Consumers are increasingly aware of the role played by these companies. When it comes to making a credit card purchase on the Internet, many consumers will only buy from a merchant whose server presents a digital certificate issued by one of these certificate authorities. That check is only as good as the browser's verification of the certificate against the list of issuers it is built to trust; a certificate from an issuer the browser does not recognize produces a warning rather than a closed padlock.

Some certificate authorities focus aggressively on the offshore financial market. For example, Private Messenger, a Bahamas-based company, offers a Global Citizen Private Certificate Authority. This is a digital certificate tied to a confidential numbered account at a financial service provider (offshore bank, wealth management company, etc.). Private Messenger licenses its software (a licensed version of the Entrust software) to both the financial institution and the end user for an annual fee. The company also has secure servers based offshore to send and store data. Private Messenger does not know the contents of the data transmissions covered by the certificate.

With the current focus on Internet privacy, other companies have sprung up to offer a plethora of privacy solutions. They include Anguilla-based Hushmail, a free Web site for sending encrypted e-mail, and Zero-Knowledge Systems, a Canada-based company selling software for encrypted and anonymous Internet activities. Ziplip.com, free software that scrambles and locks messages via shared and changeable passwords, and Pretty Good Privacy from Network Associates are also in the game.

It's important to realize that digital certificates don't confer absolute privacy or confidentiality. Like any national or international set of norms, they are subject to political pressures. The US Government in particular is currently testing its legal ability to demand access to encryption keys. This would affect any business offering encryption services, whether certificate based or not.

"Governments will always want control–they are all looking for a back door into encrypted transactions," says Lynwood Bell of Anguilla-based Hansa.net Global Commerce Inc.

The biggest problem now is interoperability: none of the certificates are interchangeable. A relying party accepts a certificate only if it can be traced back to an issuer that party has already chosen to trust, so a certificate from one network is worthless in another. AMEX blue card clients, for example, can only use their digital certificates to buy goods on the Internet from merchants who accept AMEX cards. They cannot use their AMEX digital signature to access Florida state government services, for example, or make transactions offshore using the Private Messenger network.

Offshore recognition of digital signatures

The vast majority of international jurisdictions have no legislation in place to accept digital signatures as legally binding. There is also a lack of international standards and no credible professional body to oversee certificate authorities. Some jurisdictions require licensing or bonding for certificate authorities, but most do not. This means a certificate is only worth as much as the reputation of the issuer, or of the major partners allied with the issuer: how carefully it verifies the identity behind each certificate it signs, and how well it protects its own signing keys.

"It is up to the trading parties to satisfy themselves on the efficacy and trustworthiness of the certificate authority being used in their transaction," says Larry Zanger, head of the Information Technology and Electronic Commerce division of Chicago law firm McBride, Baker & Coles.

Bermuda has enacted the Electronic Transactions Act, which legitimizes digital signatures for all types of communications. Anyone wanting to issue digital certificates and operate as a certificate authority in Bermuda must have permission from the Bermuda Ministry of Telecommunications.

"It's just a simple, straightforward application," says Don Donovan, a Bermuda government consultant. "Bermuda is strong on due diligence but we don't want to overdo it."

Perhaps the best indication of things to come lies in the business-to-business e-commerce sector. Just last year, eight of the largest international banks banded together to form Identrus, a global digital identity verification network for business transactions. Identrus partners include the Bank of America, Chase Manhattan Bank, Barclay's Bank, CIBC, Deutsche Bank and the Industrial Bank of Japan, among others. Identrus will function as a "root" certificate authority: its root key signs the certificates of the member institutions' own certificate authorities, which in turn issue certificates to their business customers. A certificate issued by any member bank can therefore be verified back to the single Identrus root that every participant trusts.

Businesses using Identrus will benefit from a uniform system of rules, operating procedures, contractual obligations and business practices. Transactions will leave a clear audit trail and businesses will have recourse when a transaction or identity dispute arises. Best of all, an individual company's digital certificate will allow it to interact securely with literally millions of other businesses on the network, as long as they are clients of one of the financial institutions. Far from being an elite club, Identrus is hoping to attract as many small and medium-sized financial institutions as possible. If this model is successful, it may only be a matter of time before a similar system is introduced at the consumer level. Perhaps we will say goodbye forever to that avalanche of passwords and PINs currently threatening to bury us in bits and bytes.
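
The three mechanisms this article relies on (what a certificate binds together and what a signature proves, why a certificate from one network is rejected by another, and how a root authority in the Identrus mould lets one bank's customer be verified by every other participant) can be shown end to end with Go's standard library. The code below is an added example written for this page, not software from Identrus, AMEX or any certificate authority named above; the organization names, the document text and the `issue`, `chainsTo` and `runScenario` helpers are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error so the example reads top to bottom; real code returns errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue binds subject to pub in a certificate signed by signer. With parent == nil
// the certificate is self-signed (a root); otherwise parent is the issuing CA's
// certificate. Helper invented for this example.
func issue(subject string, pub *ecdsa.PublicKey, isCA bool,
	parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // may sign other certificates
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// chainsTo reports whether leaf validates up to root through the intermediate
// certificates the relying party has been handed.
func chainsTo(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // document signing, not TLS
	})
	return err == nil
}

type Outcome struct {
	SignatureValid   bool // genuine document verifies against the company's certificate
	TamperedRejected bool // one changed digit makes the same signature fail
	ChainOK          bool // company -> member bank CA -> network root validates
	ForeignRootFails bool // a party trusting a different root rejects the same certificate
}

func runScenario() Outcome {
	// Hypothetical participants: a network root, a member bank and a bank customer.
	rootKey, bankKey, companyKey := newKey(), newKey(), newKey()
	root := issue("Network Root CA", &rootKey.PublicKey, true, nil, rootKey)
	bank := issue("Member Bank CA", &bankKey.PublicKey, true, root, rootKey)
	company := issue("Example Trading Ltd", &companyKey.PublicKey, false, bank, bankKey)

	// Constructed document: signed with the company's private key, verified with
	// the public key carried in its certificate (authentication and integrity).
	doc := []byte("Pay 250,000 USD to account 12345 for the beachfront property")
	digest := sha256.Sum256(doc)
	sig := must(ecdsa.SignASN1(rand.Reader, companyKey, digest[:]))
	var out Outcome
	out.SignatureValid = company.CheckSignature(x509.ECDSAWithSHA256, doc, sig) == nil
	tampered := []byte("Pay 950,000 USD to account 12345 for the beachfront property")
	out.TamperedRejected = company.CheckSignature(x509.ECDSAWithSHA256, tampered, sig) != nil

	// The certificate is trusted only because it chains to a root the relying
	// party already holds: company -> bank CA -> network root.
	out.ChainOK = chainsTo(company, root, bank)

	// A party configured with another network's root rejects the identical
	// certificate: certificates from separate hierarchies do not interchange.
	otherKey := newKey()
	other := issue("Unrelated Root CA", &otherKey.PublicKey, true, nil, otherKey)
	out.ForeignRootFails = !chainsTo(company, other, bank)
	return out
}

func main() {
	fmt.Printf("%+v\n", runScenario())
}
```

Run it with `go run` and all four fields print true. The `ExtKeyUsageAny` option matters: Go's verifier assumes a web-server certificate unless told otherwise, and these certificates sign documents rather than identify a server. The last check is the whole interoperability problem in one line: the certificate is unchanged, only the root the relying party was configured to trust differs, and that alone decides whether the company's signature means anything.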