By Paul Desmond
Public Key Infrastructure (PKI) systems are viewed as one of the better ways to provide security, whether the application is enabling your own employees to access company data remotely, or setting up business partners to place orders online. Longer term, many see the technology as being a key enabler of more dynamic online marketplaces, for both business-to-business and business-to-consumer applications.
But the security inherent in any PKI system may well hinge on a decidedly nontechnical issue: how to ensure that the right people are given access to the system. At the core, PKI systems rely on digital certificates, which are like electronic ID cards that enable users to authenticate themselves. Without a mechanism in place to ensure these digital certificates are given only to the appropriate people or companies, the whole PKI system can fall apart.
On top of that, if PKI is to be effective at promoting electronic commerce, there needs to be more to it than mere authentication of a user's identity. In many instances, companies will want assurances that customers will be able to pay for whatever it is they are buying. For smaller purchases, that assurance is provided by credit card companies. But if online systems are to be used for transactions of high value, and between parties with no prior relationship, experts say some means of immediate credit approval will likely prove necessary.
Reports from those involved in early PKI implementations are that companies largely have a handle on the first issue, at least for now. To ensure the identity of those people and companies to which they distribute certificates, most companies are piggybacking on existing security measures, such as human resources data. The problem becomes stickier, however, as firms seek to use PKI technology for applications where no prior relationship exists, such as a B2C transaction or online B2B marketplace.
To check creditworthiness, companies likewise fall back on checks that have already been done on their existing business partners. As relationships become more dynamic, they will have to adopt other means. One is to use services springing up from companies such as Identrus LLC, New York City, which offers a PKI system that comes with assurances of creditworthiness. Another is to hook up with an online credit firm such as eCredit.com Inc., Dedham, Mass., or eccelerate.com, a New York City-based spin-off of Dun & Bradstreet, which are building systems that enable nearly instantaneous credit checks, a task that previously took days.
Corporate Certificate Scenarios
Digital certificates are issued by certificate authorities (CAs), which can be categorized into three basic types: enterprises acting as their own CA for internal use only; enterprises acting as a CA for internal and external certificate recipients, such as business partners; and entities that issue certificates as a service, such as VeriSign Inc., Mountain View, Calif., and Identrus. Each type has varying ways of verifying the identity of certificate recipients, largely dictated by the type of user base in question and what the certificates will be used for.
For companies issuing certificates to internal employees for internal use, such as access to sensitive databases, the process is fairly straightforward.
The insurance company Aetna Inc., Hartford, Conn., for example, has issued more than 3,000 digital certificates to its employees, says Robert Duran, who until recently was lead for Internet IT security for the firm. "If you've got consistent data in a back-end database that you can trust and can come up with a list of questions that only the person on the other end should know, you can use that to verify a user," he says. Such data includes a health plan number, social security number, or birth date of an eldest child. "The problem is, how hard would it be for someone else to gather that information? Probably lots of it is available on the Internet. So asking those questions usually isn't enough."
To add another layer of security, Aetna created a self-enrollment system where users set up an ID for themselves and the company sends a verification code to the employee's home address. "We trust the mailing address we have on file for the person, that it's up-to-date and current," Duran says. "And it's a federal crime to steal someone's mail, so we have recourse if that happens."
Many organizations parlay information that is already in human resources databases to verify the identity of employees. Given that HR departments routinely gather various sorts of identification when an employee is hired, this is a viable source of verification data. Often that same data has already been used to build a database from which users are assigned e-mail accounts and server access. Such trusted sources of data can likewise be used to issue certificates, says Scott Schnell, senior vice president of marketing for RSA Security Inc., based in Bedford, Mass.
RSA's Keon Certificate Server 5.5, for example, includes a feature called OneStep that enables users to employ any existing database of user authentication data when issuing certificates. "If users have received an NT logon as a result of some screening, you can instruct Keon to automatically issue a certificate if the user successfully executes an NT logon," Schnell says.
The process becomes trickier when you're dealing with business partners, customers, and others outside your company, but the principle is the same: build off existing sources of trusted information.
John Frazier, now chief information security officer at Dallas-based i2 Technologies, until this spring was manager of security at Texas Instruments, where he helped TI implement one of the earliest large-scale PKI systems. For issuing certificates to customers and suppliers, Frazier says TI relied on a tiered trust hierarchy.
"When you want to bring a new partner in, usually there's a business relationship that already exists with that company and there is some level of physical trust," he says. Maybe there is a TI salesman who has sold goods to the new partner, or engineers who have worked together on joint development projects. A TI employee who has such a relationship would essentially sponsor the new partner, becoming a partner administrator.
The administrator would put in a request to have someone at the new partner set up with administrative privileges for the TI PKI system. The partner administrator, in turn, would be responsible for issuing certificates to appropriate personnel within his company, which is where the tiered trust comes in.
"The thought process is that someone at company A isn't close enough to the users at company B to know who should and shouldn't have access," Frazier says. "So you delegate trust as close to the source as possible, and that is an administrator at company B."
Often company B has to sign a legal document saying it will properly manage the process and assume some liability. "It's not too heavy," he says. "Typically there are already overriding business agreements that tie the companies together," such as intellectual property management and nondisclosure agreements.
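The delegation Frazier describes, a root at company A that sponsors a partner administrator at company B who can then vouch only for his own people, can be enforced cryptographically rather than only contractually. The following is an added example, not code from the article, from TI or from any vendor: it uses the openssl command-line tool to build that two-tier hierarchy with a path-length limit and a name constraint on the partner administrator's CA certificate, then shows that a certificate the partner admin issues outside company B's namespace is rejected. Company names, subjects and file names are constructed.

```shell
#!/bin/sh
# Added example (not from the article or TI): company A's root signs a constrained
# CA certificate for company B's partner administrator, who may then issue only
# end-entity certificates and only for subjects under O=Company B.
# All names are constructed; requires the openssl CLI (1.1.1 or later).
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Company A root: self-signed, CA:TRUE, certificate-signing key usage only.
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/O=Company A/CN=Company A Partner Root" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile root.ext \
  -out root.crt 2>/dev/null

# Company B partner administrator CA. pathlen:0 forbids further sub-CAs and the
# name constraint limits every subject it vouches for to O=Company B, so a
# careless or compromised partner admin cannot mint credentials for anyone else.
cat > partner.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;dirName:company_b
[company_b]
O = Company B
EOF
openssl req -newkey rsa:2048 -nodes -keyout partner.key -out partner.csr \
  -subj "/O=Company B/CN=Company B Partner Administrator" 2>/dev/null
openssl x509 -req -in partner.csr -CA root.crt -CAkey root.key -set_serial 1 \
  -days 180 -extfile partner.ext -out partner.crt 2>/dev/null

# issue_from_partner SUBJECT NAME SERIAL: the partner admin signs NAME.crt.
issue_from_partner() {
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" -subj "$1" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA partner.crt -CAkey partner.key -set_serial "$3" \
    -days 90 -out "$2.crt" 2>/dev/null
}

# chain_ok CERT: succeeds only if CERT chains to company A's root through the
# partner CA and satisfies every constraint (path length, name) on that path.
chain_ok() {
  openssl verify -CAfile root.crt -untrusted partner.crt "$1" >/dev/null 2>&1
}

issue_from_partner "/O=Company B/CN=Engineer at Company B" employee 10
issue_from_partner "/O=Company C/CN=Contractor at Company C" outsider 11

chain_ok employee.crt && echo "employee.crt: accepted"
chain_ok outsider.crt || echo "outsider.crt: rejected, subject outside permitted subtree"
```

The partner administrator can still physically sign the outsider certificate; the point is that company A's relying parties never accept it, so the delegated trust stays bounded to company B.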
Going Public
Some public CAs use a similar trust hierarchy when issuing certificates to companies or individuals, many of which have no prior relationship with the company.
Identrus, for example, is a CA that is working to establish a trusted hierarchy in the financial services world. Formed by a group of major banks, Identrus issues certificates to banks which, in turn, issue them to end customers.
"In general, the goal was for financial institutions to be able to leverage existing client relationships they have established," says Paul Donfried, chief marketing officer for Identrus. Similarly, when a bank issues certificates to large corporate customers, the bank binds those customers into the role of local registration authorities who are responsible for performing due diligence before issuing certificates to employees and business partners. In each case, the issuing authority feeds off established relationships, as in the TI example.
The process becomes more involved when a financial institution is issuing a certificate to a company with which it has no previous relationship. While the process will differ somewhat from case to case, in general the financial institution will verify that the company is a legitimate enterprise, such as by checking for a Data Universal Numbering System (DUNS) number. DUNS numbers are nine-digit numbers assigned by Dun & Bradstreet that identify more than 57 million companies around the world. They provide links to various D&B corporate data and are a widely accepted form of identification for businesses.
Financial institutions are also likely to call a company and speak with a corporate officer, to further verify the company is legitimate. Ultimately, Donfried says Identrus customers must enter into a contractual agreement with the financial institution that issues the certificate. The terms of that agreement can vary, but there is a baseline set of terms that must be adhered to.
Those terms speak to requirements such as notifying your financial institution about any changes to governance or ownership of your organization, and tracking changes in employee status such that you can revoke certificates if need be. "You can't be a 50-person commune where people come and go freely and you don't know where people are," he says.
VeriSign, another big digital certificate issuing authority, has three classes of certificates, with increasingly stringent identification requirements. Class 1 certificates require no personal authentication, says Kevin Trilli, senior product manager for Internet service at VeriSign. An example would be a visitor to a Web site who enters enrollment information, perhaps in order to view more detailed information. That enrollment info is linked to the visitor's e-mail address and a personal identification number (PIN) is sent via e-mail. The PIN is used, along with previously entered login information, to pick up the certificate from the Web site.
Class 2 certificates require some level of personal authentication. The exact routine varies depending on the application, but may involve verifying identification data against a third-party database such as a credit agency or company employee list. It is a form of trusted hierarchy in that the name is linked to some form of previously authenticated data, Trilli says.
Class 3 certificates require a process similar to that of Identrus, involving the checking of DUNS numbers, phone calls to the company, and perhaps a notarized letter. When issuing Web server certificates that will be linked to a domain name, VeriSign checks the domain name registration to verify that the applicant owns that domain name or has the right to use it.
Online Credit Checks
Dun & Bradstreet is leveraging its vast database of corporate information to provide an additional service on top of digital certificates. D&B's eccelerate.com spin-off uses data stored in a company's certificate to validate that company for online transactions, says Andre Dahan, president of Dun & Bradstreet North America, Murray Hill, N.J., and of eccelerate.com.
"Our intention is to use the certificate as a conveyor belt between the buyer and seller at the point of transaction," Dahan says. That conveyor belt will carry information that verifies the identity of each party to the other, and data regarding the buyer's ability to pay and the seller's ability to supply the goods.
Eccelerate.com places a layer of software on Web servers owned by companies that sign up for its service. If a seller wants to verify the identity of a buyer, the software pulls a DUNS number from the buyer's certificate and verifies it against the D&B database. In a similar fashion, the seller can inquire about the buyer's credit, which D&B can likewise provide from its database.
This type of credit check is key to the online transaction process because it represents risk abatement. Besides giving a seller assurance that the buyer will pay, buyers can get verification that the seller is a reliable supplier. The price for an eccelerate.com credit check ranges from $2 to $8. That's far less than the cost of a written credit report, which Dahan says is typically more than $30. Still, he admits prices will have to drop considerably to make credit checks a routine part of every transaction. Such drops are entirely possible if demand blossoms, he says.
eCredit.com also performs online credit checks in real time via connections to myriad credit data providers in the U.S., Canada, Latin America, and Europe, says Mahantesh Kothiwale, vice president of technology for the firm. eCredit.com works with clients to incorporate their unique business rules into the credit equation. Such rules can be based on the company's past experience with a customer and myriad corporate policies. Each potential customer is given a score that indicates its risk factor and predefined rules determine on the fly whether that level of risk is acceptable.
Should all else fail, there are also companies offering fraud insurance to cover electronic transactions. VeriSign offers its NetSure Protection Plan, Trilli says. For $1,000 to $250,000 per customer, you can protect your business against any fraud and misuse of certificates that can be attributed to problems with VeriSign processes. "We haven't heard of any cases where things went wrong," he says.
Paul Desmond is East Coast Editor for Software Magazine. E-mail him at pdesmond@softwaremag.com.