Unlocking Secure Online Commerce

Public-Key Infrastructures (PKI) that create the ability to maintain privacy, authenticate users, protect the integrity of data and execute transactions without the risk of repudiation have long held the promise that they could make online transactions safer.

But corporations need to have a clear understanding of what they want to do with the technology and be prepared to face up to thorny integration, interoperability and legal issues if they are to see any of that promise fulfilled, users and analysts say.

"PKI in and of itself means nothing," says Steve Ellis, executive vice president of San Francisco-based Wells Fargo & Co.'s Wholesale Internet Solutions group.

For PKI to be relevant, "you have to first think through what identity management means for the way your business operates," says Ellis. "You need to know what your critical [information] assets are and figure out when to implement a digital authentication strategy as opposed to [another means of authentication]."

A PKI consists of dedicated hardware, software, data transport mechanisms, smart cards and applications, along with governing policies and protocols, that companies can use to establish a high level of trust when carrying out online transactions.

The following components lie at the core of PKI-enabled services:

• A certificate authority (CA) that verifies an applicant's identity and issues a digital certificate, or electronic identification, containing a public key to encrypt and decrypt messages and digital signatures.

• A registration authority that checks the credentials of individuals applying for digital certificates.

• Data repositories for storing the certificates.

If deployed successfully, such infrastructures can provide the basis for securely conducting a wide range of online activities using electronic IDs, electronic signatures and encryption.

Wells Fargo, for instance, has begun testing a new PKI-enabled business-to-business service that lets businesses negotiate, purchase and pay for goods online in real time, in a nonrepudiable manner using digital IDs. The company acts as a CA and issues digital certificates that customers use as electronic IDs while conducting business-to-business transactions.

But formidable challenges stand in the way, users and analysts say.

For one thing, PKIs are costly and complex to implement. They provide a mechanism for secure online transactions, but much of their success depends on human processes.

For example, just because someone has an electronic ID doesn't mean that person is who he claims to be. A lot depends on the rigor applied by the CA in identifying and authenticating users and in controlling their access to services based on their user profiles.

The U.S. Postal Service, for instance, offers a PKI-enabled service called NetPost.Certified for secure government-to-government and government-to-consumer transactions.

NetPost.Certified uses the Postal Service's 38,000 branch offices as stations at which consumers can present the identification that some federal agencies require before issuing individual digital certificates.

Without this kind of rigor, the whole concept of electronic IDs can quickly become meaningless.

The technology also raises many legal questions, says Eric Kossen, global head of project management at a PKI-enabled service from ABN Amro Holding NV, the Amsterdam-based financial services giant.

Like Wells Fargo, ABN Amro acts as a CA that issues electronic IDs for a new business-to-business purchase and payment service aimed at large businesses.

"If you operate as a certificate authority, you take on a certain level of responsibility for that role," Kossen explains.

A lot of the questions surrounding PKI have to do with the way certificates are issued, verified, revoked and checked. There are also uncertainties about the level of trust assigned to digital IDs issued by other CAs. And there are even questions about such fundamental issues as the legal validity of electronic signatures and the manner in which they are stored, says Kossen.
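The checks Kossen lists, as an added example that is not part of the article or of any bank's or vendor's system named in it: a relying party at one bank accepts a trading partner's digital ID only if it chains to a CA that bank trusts and the ID has not been revoked, and an ID issued by a second bank's CA is rejected until the two domains agree to trust each other. The bank and partner names, the self-signed roots and the in-memory revocation list are all constructed for the example; certificate handling uses Go's standard crypto/x509 package.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue has a CA sign a certificate for name; with no parent it produces a self-signed root CA.
func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial, as a real CA would use
	usage := x509.KeyUsageDigitalSignature
	if parent == nil { usage |= x509.KeyUsageCertSign } // only the root may sign certificates
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: usage, IsCA: parent == nil, BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, priv // self-signed unless a parent CA is given
	if parent != nil { signer, signerKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
// Accept is the relying party's check: the ID must chain to a CA this domain trusts and must not be revoked.
func Accept(id *x509.Certificate, trusted []*x509.Certificate, revoked map[string]bool) bool {
	if revoked[id.SerialNumber.String()] { return false } // stand-in for a CRL or OCSP lookup
	roots := x509.NewCertPool()
	for _, r := range trusted { roots.AddCert(r) }
	_, err := id.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}
// Scenario: two banks run separate CAs; bank A trusts only its own root. Reports own ID accepted, foreign ID rejected, revoked ID rejected.
func Scenario() (ownOK, foreignRejected, revokedRejected bool) {
	rootA, keyA := issue("Bank A Root CA", nil, nil)
	rootB, keyB := issue("Bank B Root CA", nil, nil)
	partnerA, _ := issue("Partner One", rootA, keyA)
	partnerB, _ := issue("Partner Two", rootB, keyB)
	trusted, revoked := []*x509.Certificate{rootA}, map[string]bool{}
	ownOK = Accept(partnerA, trusted, revoked)
	foreignRejected = !Accept(partnerB, trusted, revoked) // no interdomain trust agreement with bank B
	revoked[partnerA.SerialNumber.String()] = true       // bank A's CA revokes the ID
	revokedRejected = !Accept(partnerA, trusted, revoked)
	return
}
```

Adding rootB to the trusted set is the interdomain step the article describes; until then bank B's IDs carry no trust at bank A, however rigorously B's CA vetted them.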

Despite major vendors' claims that their products are mature, many PKI technologies are still evolving. Many vendors claim to offer the entire range of technologies needed to build a PKI service. Often, though, it's best to choose best-of-breed products from a variety of vendors, say users and analysts. But that raises issues of interoperability and standards. Putting up a PKI framework, therefore, means dealing with a hodgepodge of technologies that seldom work with one another and are constantly evolving, say users.

Few applications can take advantage of PKI services out of the box, so users must integrate them into PKI networks themselves. A growing number of vendors offer tool kits that snap into applications and make them PKI-ready. But these tool kits don't easily interoperate.

Resolving interoperability issues means addressing them at the application level, at the component level and between multivendor PKI domains, according to a recent white paper published by the PKI Forum, a Wakefield, Mass.-based consortium of vendors established to address the issue.

Application-level interoperability deals with PKI services, such as encryption, authentication and nonrepudiation, between peer applications, such as two e-mail clients, according to the PKI Forum.

Component-level interoperability relates to the manner in which devices that provide and consume PKI services, such as a CA, interact with other similar devices.

Interdomain interoperability deals with how to link multiple PKI domains that are based on technologies from different vendors.

Interoperability is also important in the long term because it lowers the risk of customers being tied to a single vendor or technology, while offering them a greater choice among vendors, says Laura Rime, a director at New York-based Identrus LLC.

Identrus is a for-profit company established by eight leading global banks. Since 1997, it's been building a PKI-based global system that assures businesses of the identity of their trading partners.

Financial institutions that are part of the Identrus network issue digital certificates to conduct online transactions with certified trading partners.

Identrus has a prescribed interoperability test process and baseline standards that PKI vendors have to meet in order to be able to sell to Identrus' member institutions. The number of products and technologies that have qualified now exceeds 25 - more than double the number at this time last year, Rime says.

Because acceptance of PKI has been limited so far, there hasn't been a sense of urgency among vendors to advance interoperability, says Dan Hellman, a manager at Cylink Corp. in Santa Clara, Calif.

Despite the promise of PKI, most corporations still aren't quite sure what to do with it, says Wells Fargo's Ellis. One of the reasons is that there are other readily available authentication alternatives, ranging from basic passwords to biometric technologies, that companies can use, he says.

But "if PKI interoperability is what you are waiting for, then wait no more," says Peter Lindstrom, an analyst at Hurwitz Group Inc. in Framingham, Mass. "Start your deployment now, because by the time you get to a point where you want to connect external CAs, the issues will have resolved themselves."

Components of PKI
Special Report

Security Risk and Reward

Copyright © 2001 IDG Communications, Inc.