Too Late For Digital Certificates?

Last year, the federal government couldn't move fast enough to pass a digital signatures law, which it finally did in October.

But almost a year later, it appears that all of the hullabaloo has turned out to be little more than smoke, as many companies have managed to make do without state-of-the-art authentication and security technologies.

Prior to the legislation, it was believed that the electronic identifiers were needed to support the online business-to-business explosion that appeared to be just around the corner.

At the same time, many companies were being told they had to put a public-key infrastructure (PKI) in place for encryption and authentication, so they could be sure they weren't doing business with cyberpirates.

However, business-to-business e-commerce didn't boom as quickly or as broadly as anticipated. Meanwhile, those companies that are dabbling in the e-commerce arena have managed to do so without digital certificates.

"What we learned is you don't have to have these things in place to start electronic commerce," said Jan Sundgren, an analyst at Giga Information Group Inc. in Chicago.

However, two developments during the past year have pushed online authentication closer to viability: a second-generation PKI standard that embeds authentication processes into e-commerce applications, and smart cards that can carry digital certificates.

Not So Fast

The main hurdles to adoption are cost and difficulty of implementation.

For instance, a November survey of 1,026 executives at U.S. companies with revenues of more than $1 billion revealed that only 16% of the firms had completed work on digital certificate infrastructures, according to Frank Prince, an analyst at Cambridge, Mass.-based Forrester Research Inc., which conducted the survey.

In 1999, half the companies in Forrester's annual e-commerce poll said they would have working PKI systems in place by the end of this year. But when Forrester conducted the poll again last year, only one-third of the respondents said they believed they could achieve that goal in the next two years.

"The expectations fell off after they had the experience with the implementation and expense of digital certificate technology," says Prince. "What they discovered is that this isn't as easy as they thought."

One of the chief hurdles to the adoption of digital certificates is that most PKI software has been developed along proprietary lines. Authentication services that work well for internal uses such as expense reports or personnel evaluations don't necessarily translate to a business-to-business setting, where the two parties run different vendors' PKI products.

PKI lets a sender encrypt a message with the recipient's public key, which is published in a digital certificate that a certificate authority has signed to bind the key to the recipient's identity; only the recipient, who holds the matching private key, can decrypt it. The same key pair works in reverse for digital signatures: the holder signs with the private key, and anyone with the certificate can verify the signature.
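The following Go program is an added example, not code from the article or from any vendor it mentions, showing the mechanics just described using only the standard library: a certificate authority issues a certificate that binds a public key to a name; a relying party validates a presented certificate against the CA it trusts and rejects one with the same name issued by an unknown CA; and a message encrypted to the public key in the certificate is decrypted with the matching private key. Every CA name, subject name, key and the sample purchase order are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh RSA key and a certificate for subject. With isCA set
// it self-signs a root; otherwise the certificate is signed by signer, the
// parent CA's private key. All keys and names here are constructed for the
// example; nothing is loaded from a real CA.
func issue(subject string, isCA bool, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		parent, signer = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// validate is the relying party's check before it trusts a counterparty's
// public key: chain the presented certificate to a trusted root and check
// its validity period and key usage.
func validate(leaf *x509.Certificate, trusted ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// encryptTo seals msg to the public key carried in cert (RSA-OAEP); only the
// holder of the matching private key can open it with decryptWith.
func encryptTo(cert *x509.Certificate, msg []byte) ([]byte, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

func decryptWith(key *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, key, ct, nil)
}

// demo runs the flow end to end: the seller's certificate from the trusted CA
// validates and the order round-trips, while a certificate with the same
// subject name from an unrelated CA (the "cyberpirate") is rejected.
func demo() (trustedOK, rogueRejected, roundTrip bool, err error) {
	ca, caKey, err := issue("Example Trusted CA", true, nil, nil)
	if err != nil {
		return
	}
	seller, sellerKey, err := issue("seller.example", false, ca, caKey)
	if err != nil {
		return
	}
	rogueCA, rogueKey, err := issue("Rogue CA", true, nil, nil)
	if err != nil {
		return
	}
	rogue, _, err := issue("seller.example", false, rogueCA, rogueKey)
	if err != nil {
		return
	}
	trustedOK = validate(seller, ca) == nil
	rogueRejected = validate(rogue, ca) != nil

	order := []byte("PO-1001: 40 units, net 30") // constructed sample message
	ct, err := encryptTo(seller, order)
	if err != nil {
		return
	}
	pt, err := decryptWith(sellerKey, ct)
	if err != nil {
		return
	}
	roundTrip = string(pt) == string(order)
	return
}

func main() {
	t, r, rt, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("trusted cert validates: %v\nrogue cert rejected: %v\nround trip: %v\n", t, r, rt)
}
```

The point of the rogue branch is the one the article's "cyberpirates" remark turns on: a certificate is only as good as the relying party's check that it chains to a CA it actually trusts, since anyone can mint a certificate bearing a legitimate-looking name.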

As it turns out, many companies that are capable of issuing PKI certificates rarely use them.

Jurgen Leijdekker, U.S. managing director at Denver-based eCredible Ltd., a transaction risk-management subsidiary of Amsterdam-based credit insurance company NCM NV, says it's rare for companies to ask for digital certificates when they do business online.

"We can issue them, but many companies feel a password in their hands is somehow more secure," he says.

Even though risk management often involves the most sensitive financial aspects of online trading, few companies are able to perform the decryptions. As a result, executives at eCredible view digital certificates as a perk service, not something central to its business, Leijdekker says.

A proposed standard called XML Key Management Specification (XKMS) may help solve this dilemma. Submitted in April to the World Wide Web Consortium standards body, XKMS is based on Web services protocols such as Web Services Description Language and Simple Object Access Protocol. The standard was designed with the goal of providing interoperability between PKI systems.

XKMS lets an e-commerce application delegate key lookup and certificate validation to a trust service over these Web services protocols, instead of building that logic into the application itself. Currently, desktop and e-commerce applications must each be enabled to handle digital keys and certificate validation for authentication.

As a result, buyer and seller would no longer both need fully implemented PKI infrastructures to exchange certificates or signatures.


Special Report

Security Risk and Reward


Copyright © 2001 IDG Communications, Inc.
