Digital Certificate Authorities: Authentication of Documents, Transactions and People
Offshore Finance U.S.A. Magazine 
by Paul Zaleski
Imagine being able to buy an offshore property simply by sending digital documents back and forth between lawyers and financial institutions.  That beachfront property you saw on the last visit to your favorite tropical island could be yours in a matter of hours, rather than months.

Such widespread use of digital signatures, the experts assure us, is just around the corner.  Everyone will soon be able to do business on line, and still be able to sleep soundly at night.  Investors will move their assets around the globe via the Internet, and do so knowing their financial data and transactions are completely secure and confidential.

Most important, all of these transactions will be legally binding.  Naturally, the system will also guarantee that the people or organizations we are dealing with actually are who they say they are.  It may sound like just another Internet pipe dream to some, but proponents of global e-commerce are convinced the dream will be reality.

"In five years, every government, company, organization, Web site and even individual is going to have a digital certificate or digital identity," says Carrie Liddy of Torus Corporation, a global e-commerce business services company based in Toronto.

What is a digital certificate?

A digital certificate consists of basic information about your digital identity.  It contains elementary personal information such as your individual or company name, your e-mail address and your digital signature.  The digital signature is nothing more than a series of numbers called a public key which forms the basis of all encryption algorithms.  Unlike a written signature, a digital signature has two functions: it not only authenticates who you are legally, it also allows your messages to be mathematically encoded.

Secure communications generally require five key elements to work.  Two of them, confidentiality and authorization, are supplied by encryption systems.  The three others–authentication, integrity (no tampering guarantee) and non-repudiation–depend on the digital signature.

Until now, the use of digital signatures has been quite limited.  Most business-to-business e-commerce has consisted of electronic data interchange (EDI), whereby companies exchange data through proprietary networks not linked to the Internet. Consumers are less sophisticated than businesses when it comes to security.  Most credit card purchases done on the Net now average less than $50 and most consumers don't even bother to use their browser's basic encryption feature when ordering, never mind trying to get a digital certificate.

However, technology is changing rapidly.  The US is setting the pace, with 46 out of 50 states having already enacted some type of digital signature legislation.  Of the 46 states with legislation, 28 have laws covering most types of communications while 17 focus primarily on communications with government agencies.  Only five states–Delaware, Massachusetts, Michigan, New Jersey and South Dakota–have no legislation at all. 

Liddy says a huge shift is starting to take place in the way business, consumer and financial transactions are handled.  More and more companies are starting to move away from intranets (proprietary information networks) and extranets (linked proprietary networks such as EDI) to the concept of a globalnet, where all business-to-business and business-to-consumer transactions will take place on the Internet.  The security and business assurance needed for these transactions will require all parties to have a valid digital certificate.

Already, one credit card company has leapt into the fray.  AMEX currently offers a blue card embedded with a smart chip containing a digital certificate.  "Smart chip technology is very flexible, and we specifically designed the blue card on a multi-application platform," says AMEX spokesperson Molly South.

The card is inserted into a free smart card reader plugged into the user's computer.  The card, together with a PIN number, allows consumers to buy on the Net using their certificate.  The card allows access to an online wallet, which contains information such as shipping and ordering preferences.  This information is automatically transmitted to the merchant's online order forms.  The system provides instant user-friendly security for both consumer and merchant.  AMEX officials are hoping it will encourage more widespread consumer acceptance of online shopping.  Initiatives like this could, however, eventually become the thin edge of the wedge for developing a universal digital signature for individuals.

The changes should have a major impact on the offshore finance industry.  But Liddy says this sea change in transaction systems won't happen overnight.  "The transition has already started, but the global expenditures for business and government are huge," she says.

Certificate authorities

The current problem is a lack of standardization.  In the chaos which now reigns in this brand new technology, virtually anyone can set themselves up as a digital certificate issuing authority (CA).  Currently the major players include retail-oriented certificate authorities such as Entrust, Verisign, Thawte and Cybertrust, among others.  Consumers are increasingly aware of the role played by these companies.  When it comes to making a credit card purchase on the Internet, many consumers will only buy from a merchant who displays a digital certificate issued by one of these certificate authorities.

Some certificate authorities focus aggressively on the offshore financial market.  For example, Private Messenger, a Bahamas-based company, offers a Global Citizen Private Certificate Authority.  This is a digital certificate tied to a confidential numbered account at a financial service provider (offshore bank, wealth management company, etc.). Private Messenger licenses their software (a licensed version of the Entrust software) to both the financial institution and the end user for an annual fee.  The company also has secure servers based offshore to send and store data.  Private Messenger does not know the contents of the data transmissions covered by the certificate.

With the current focus on Internet privacy, other companies have sprung up to offer a plethora of privacy solutions.  They include Anguilla-based Hushmail, a free Web site for sending encrypted e-mail, and Zero-Knowledge Systems, a Canada-based company selling software for encrypted and anonymous Internet activities.  Ziplip.com, free software that scrambles and locks messages via shared and changeable passwords, and Pretty Good Privacy from Network Associates are also in the game.

It's important to realize that digital certificates don't confer absolute privacy or confidentiality.  Like any national or international set of norms, they are subject to political pressures.  The US Government in particular is currently testing its legal ability to demand access to encryption keys.  This would affect any business offering encryption services, whether certificate based or not.

"Governments will always want control–they are all looking for a back door into encrypted transactions," says Lynwood Bell of Anguilla-based Hansa.net Global Commerce Inc.

The biggest problem now is compatibility.  The catch is that none of the certificates are interchangeable.  AMEX blue card clients, for example, can only use their digital certificates to buy goods on the Internet from merchants who accept AMEX cards.  They cannot use their AMEX digital signature to access Florida state government services, for example, or make transactions offshore using the Private Messenger network.
 

Offshore recognition of digital signatures

The vast majority of international jurisdictions have no legislation in place to accept digital signatures as legally binding.  There is also a lack of international standards and no credible professional body to oversee certificate authorities.  Some jurisdictions require licensing or bonding for certificate authorities, but most do not.  This means a certificate is only worth as much as the reputation of the issuer or of the major partners allied with the issuer.

"It is up to the trading parties to satisfy themselves on the efficacy and trustworthiness of the certificate authority being used in their transaction," says Larry Zanger, head of the Information Technology and Electronic Commerce division of Chicago law firm McBride, Baker & Coles.

Bermuda has enacted the Electronic Transactions Act, which legitimizes digital signatures for all types of communications.  Anyone wanting to issue digital certificates and operate as a certificate authority in Bermuda must have permission from the Bermuda Ministry of Telecommunications.

"It's just a simple, straightforward application," says Don Donovan, a Bermuda government consultant.  "Bermuda is strong on due diligence but we don't want to overdo it." 

Perhaps the best indication of things to come lies in the business-to-business e-commerce sector.  Just last year, eight of the largest international banks banded together to form Identrus, a global digital identity verification network for business transactions.  Identrus partners include the Bank of America, Chase Manhattan Bank, Barclays Bank, CIBC, Deutsche Bank and the Industrial Bank of Japan, among others.  Identrus will function as a "root" certificate authority.  It will verify the digital certificates issued or used by the various financial institutions in the network.
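The root-authority arrangement described above can be sketched in code: a relying party holds only the root's public key and uses it to check a member bank's certificate, then uses the bank's key to check a client company's certificate. This is an added example, not part of the original article and not Identrus code. The names "Example Root CA", "Example Bank" and "Example Co" are constructed, and the toy RSA keys built from well-known Mersenne primes are insecure stand-ins for real keys and X.509 certificates.

```python
import hashlib
import json

E = 65537  # public exponent shared by every toy key below

def toy_keypair(a, b):
    """Toy RSA key from the Mersenne primes 2**a-1 and 2**b-1 (trivially factorable)."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(body):
    """SHA-256 over the canonical JSON form of a certificate body, as an integer."""
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue(subject, subject_n, issuer, issuer_key):
    """The issuer binds a subject name to a public key by signing both."""
    body = {"subject": subject, "public_n": subject_n, "issuer": issuer}
    n = issuer_key["n"]
    return {"body": body, "sig": pow(digest(body) % n, issuer_key["d"], n)}

def verify_chain(chain, trusted_roots):
    """chain is leaf first; trusted_roots maps a root's name to its public modulus."""
    for i, cert in enumerate(chain):
        issuer = cert["body"]["issuer"]
        if i + 1 < len(chain):
            parent = chain[i + 1]["body"]
            if parent["subject"] != issuer:
                return False              # chain is not linked issuer to subject
            issuer_n = parent["public_n"]
        else:
            issuer_n = trusted_roots.get(issuer)
            if issuer_n is None:
                return False              # chain does not end at a trusted root
        if pow(cert["sig"], E, issuer_n) != digest(cert["body"]) % issuer_n:
            return False                  # body altered or signed by another key
    return True

def build_sample():
    """Constructed hierarchy: root -> member bank -> client company."""
    root, bank, company = toy_keypair(521, 607), toy_keypair(127, 521), toy_keypair(107, 607)
    bank_cert = issue("Example Bank", bank["n"], "Example Root CA", root)
    company_cert = issue("Example Co", company["n"], "Example Bank", bank)
    return [company_cert, bank_cert], {"Example Root CA": root["n"]}

if __name__ == "__main__":
    chain, roots = build_sample()
    print(verify_chain(chain, roots))
```

A chain is rejected if any certificate body has been altered after signing, or if the top certificate was not signed by a root the relying party already trusts.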

Businesses using Identrus will benefit from a uniform system of rules, operating procedures, contractual obligations and business practices.  Transactions will leave a clear audit trail and businesses will have recourse when a transaction or identity dispute arises.  Best of all, an individual company's digital certificate will allow it to interact securely with literally millions of other businesses on the network, as long as they are clients of one of the financial institutions.  Far from being an elite club, Identrus is hoping to attract as many small and medium-sized financial institutions as possible.

If this model is successful, it may only be a matter of time before a similar system is introduced at the consumer level.  Perhaps we will say goodbye forever to that avalanche of passwords and PIN numbers currently threatening to bury us in bits and bytes.
 

Paul Zaleski is a reporter and staff researcher for Offshore Finance USA magazine.
[Copyright 2000 O.F.C. Publications Inc.  This article was published in the March/April 2000 issue of Offshore Finance U.S.A. magazine]