
Toward Public-Key Infrastructure Interoperability

Lessons from an information security standard accreditation scheme.

With the rise of globalization and the Internet, e-commerce has been integrated into myriad trading activities, which has raised significant security issues. In order to ensure trust among the parties involved and to safeguard the process of electronic transactions, several security issues must be addressed: authentication, integrity, non-repudiation, confidentiality, and availability [4]. Considerable effort on both technical and policy fronts has been expended to address these five security matters in e-commerce. After many mutations, public-key cryptography is gradually emerging as the prime technology for providing very secure authentication of identity online, with the use of a Certification Authority (CA) as trust intermediary. In recent years, many countries have passed legislation to render to the electronic signature the same significance in contract formation as the traditional handwritten signature. However, as these trusted services grow, attention is turning to the regulation and supervision of CA operations, through a variety of legislative, regulatory, and market-oriented means. This column concentrates on the problem of interoperability in PKI, and recommends the use of accreditation schemes in concert with international standards as a potential solution.


A PKI provides a means for relying parties (recipients of digital certificates who act in reliance on those certificates and/or digital signatures verified using those certificates) to know that another individual’s or entity’s public key actually belongs to that individual or entity [1]. Similar to the concept of passport issuance, CAs provide authentication services to clients who rely on the CAs having undertaken the proper checks before issuing the certificates. The thoroughness and accuracy of such checks are extremely important for future electronic delivery of commercial and public services.


Interoperability in PKI

At the moment most CAs are highly localized in their marketplace and operate largely within the confines of a single territory, jurisdiction, and language. Equally, the electronic communities they support with their trusted services are, in global terms, still parochial in nature. A typical PKI is still usually located inside a large commercial organization or trading community, rather than spanning diverse business and legal domains. But the logic of e-commerce must be to break out into a global, but nevertheless secure community. In this scenario, PKIs must be able to interoperate so that the digital certificates issued in one domain are accepted in a foreign domain, just as occurs with passport credentials. To achieve this, both technical and institutional obstacles must be overcome [3]. The technical obstacles refer mainly to the problem of compatibility among different PKI products, while the institutional issues comprise policy and regulatory differences that vex all CAs. Among the existing approaches for resolving the interoperability problem, such as cross-certification, cross-recognition, and the Bridge CA [2], we consider accreditation schemes, in tandem with appropriate standards, to be the way forward. Indeed, there are already a number of initiatives in different parts of the world developing such schemes, for instance the WebTrust program in Canada and the U.S., and the Controller of Certification Authorities scheme in Singapore.


Standards for PKI

With respect to global trading and communication, standards serve to reduce risk and allow organizations or individuals to perform better in changing political, economic, and technical climates. The International Organization for Standardization (ISO) defined standards as “documented agreements containing technical specifications or other precise criteria to be used consistently as rules, guidelines, or definitions of characteristics, to ensure that materials, products, processes, and services are fit for their purpose” (see www.iso.ch). In the field of PKI, technical standards so far have contributed significantly to bringing PKI to large multinational corporations and entire Internet populations by specifying useful certificate formats [1]. Two dominant examples are ITU-T Recommendation X.509 data format standard, standardized by ISO as ISO/IEC 9594-8, and PKIX by IETF for profiling certificate and certificate revocation list (CRL) format. However, there are no standards yet addressing interoperability problems at the institutional level. In addition to the development of standards, accreditation schemes that review the appropriate controls, procedures, and policies to ensure trustworthy PKI operations and components are also needed.




This is the crux of the problem. Because of political, organizational, and economic complexities, developing standards and accreditation schemes for interoperability at the institutional level is much more difficult than developing technical standards. One standard, BS7799 (Part I of which is now an international standard, ISO/IEC17799) is an information security standard focusing on the managerial issues in organizations, and offers a model for standards work in the institutional domain of PKI. Launched by the U.K. Department of Trade and Industry (DTI) in 1998, in consultation with industry partners, the c:cure scheme provided a formalized accredited certification infrastructure against BS7799. However, it was discontinued in October 2000. Although generic accreditation is still readily available in the U.K., accreditation under this higher-quality scheme, with assessors licensed individually to perform the reviews, is no longer possible. From our study of the failure of this scheme, we draw attention to some critical factors that should interest those launching accreditation schemes of this nature.


Lessons From the c:cure Scheme and Recommendations for a CA Accreditation Scheme

Market-led Leadership. One major problem associated with c:cure discontinuation was the lack of enough commitment and participation from large industry players, despite substantial government support. Hence, we recommend the success of a CA accreditation scheme requires strong commitment from major global PKI players, such as Verisign, Entrust, and Globalsign.

Legislation in Place. The c:cure problem also partly resulted from the failure of the 1998 Data Protection Act to require an organization to provide a “means of attestation,” in demonstrating compliance. This legislation was originally expected to include stronger language in specifying organizational systems requirements with respect to data protection—a factor that may have driven market take-up of BS7799 certification. Hence, we recommend the success of a CA accreditation scheme entails having all the necessary legislation in place.

Government Sets the Example. The inability of the U.K. government to meet its targets for electronic government had certain impacts on the confidence of organizations in the take-up of BS7799 certification. Hence, we recommend the success of a CA accreditation scheme can be influenced strongly by whether the particular government itself adopts PKI under the scheme.

Efficient Auditor Assessment Process. There was no clear consensus with respect to the requirements of independent certified auditors for c:cure. Its unique selling point of independently assessed auditor competence, in contradistinction to the cheaper generic accreditation, failed to establish a competitive advantage in the market owing to the long lead times and very time-consuming process of auditor assessment and licensing. Hence, we recommend the success of a CA accreditation scheme requires a transparent and speedy auditor certification process.





Conclusion

PKI plays an important role in the era of e-commerce. However, to achieve e-commerce on a global scale, both technical and institutional problems of PKI interoperability must be resolved. International standards have demonstrated their value in harmonizing PKI certificate formats. At the institutional level, we see the combination of standards with accreditation schemes as the best road to interoperability. Learning from problems associated with the discontinuation of the c:cure scheme in the U.K., we highlight four areas that require extra attention when aiming for a successful CA accreditation scheme: market-led leadership, legislation in place, a government that sets the example, and an efficient auditor assessment process.


Figures

Figure. Overview of c:cure scheme structure.

References

1. Adams, C. and Lloyd, S. Understanding Public Key Infrastructure: Concepts, Standards, and Deployment Considerations. Macmillan Technical Publishing, Indianapolis, 1999.

2. CA-CA Interoperability. PKI Forum white paper (Mar. 2001).

3. Liddy, C. and Sturgeon, A. Seamless secured transaction. Information Management and Computer Security 6, 1 (1998), 21–27.

4. Wilson, S. Digital signature and the future of documentation. Information Management and Computer Security 7, 2 (1999), 83–87.
