Digital Certificates
Digital certificates bind a user's identity with a public key and are vouched for, or "signed," by the authority that originally issued them. They are essentially a method for encrypting messages. Digital signing is the only resource currently available that is capable of delivering the level of protection and legal standing that many organizations demand now - and all will expect in the future.
Using digital certificates, organizations can attribute authentication, which means you can match sign-off levels to the owner of the digital certificate. Users successfully validate their identities based on the certificate, the business rules established, and knowledge of the password needed to validate the certificate. Sign-off levels can be carried in the attribute extensions of the certificate itself or referenced in a separate secure database.
Another key element made possible by PKI is nonrepudiation. This standard industry term essentially means that a mechanism is present that prevents parties in a transaction from denying their role in it. Nonrepudiation proves the identity of the sender and the validity of the content of the message.
Some of the risks that a PKI environment can help mitigate include:
- System or reputation risk. The need to protect the reputation and credibility of the system against an event such as the failure or insolvency of one of the participants or the compromise of a root key
- Authentication risk. The effects of inaccurate or obsolete information upon the system
- Transactional risk. The effects of erroneous certificate verification and any potential claims in contract or tort law by the relying party, usually a vendor seeking payment
- Risk of no privacy of contract. The need to address the fine points of wording a contract to point out what recourse the injured party has if privacy of a transaction is violated.
First Things First
Electronic processes are moving toward the universal use of a robust authentication system (proving who you are), coupled with entitlements (establishing what you may do). PKI provides a secure mechanism that lets individuals request or grant access based on entitlements. Leveraging these frameworks effectively requires doing so over the short and medium term. The long-term payoff is preparing your organization for a fully integrated position in e-commerce in the future.
The initial step is taking an in-depth look at your available resources, the community of people involved, and any special needs in your value chain.
We find that having a strong business case to implement a PKI is more important than the technical justification. Actually, when we look at the totality of the task, we estimate that the technology consumes only 10 percent to 20 percent of the resources used, while agreeing on the business rules takes up another 40 percent. The remaining 40 to 50 percent of the effort involves the organizational aspect - where you determine how you will deploy those involved and make sure they understand their roles and responsibilities. In the final analysis, internal deployment is typically much more difficult than external aspects like understandings and relationships with trading partners.
Often, the business managers (typically nontechnical) become enamored with the technology because it's the fun part. Under these circumstances, they may start deploying the technology immediately, while more demanding and time-consuming tasks, such as putting the business rules and policies in place, remain undone.
Early in the progression of events, you must establish and commit to writing several necessary business rules, which include:
- The certificate policy and practice statements, including a detailed description of the process of identifying and authenticating certificate holders
- Procedures for revoking and renewing a certificate and handling certificate expiry
- Procedures for managing public and private keys
- Methods for distributing certificate status information, such as certificate revocation lists, to relying parties
- Procedures for backup and disaster recovery
- Formulating a relying party agreement
- Rules for dealing with subscribers and customers
- Establishing liability constraints.
The finished process should fulfill four basic specifications:
- Identifying and minimizing risk
- Addressing business, legal, and technical considerations
- Enhancing trust with all constituents
- Establishing seamless connectivity to your core business applications that enhance value.
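The three mechanisms the article leans on, the CA-signed binding of a name to a public key, the digital signature that supports nonrepudiation, and the distribution of certificate status to relying parties through a certificate revocation list, as one added example in Go using only the standard library. This is not code from the article or from Ernst & Young. It builds an in-memory root CA, issues a subscriber certificate for a constructed name (alice@example.test) over a fresh P-256 key, signs a constructed approval message, verifies the signature with the public key carried in the certificate, and publishes and checks a CA-signed CRL. Every name, serial number, validity period and message is an assumption made for the example, and the function names (SetupToyPKI, VerifyChain, Sign, VerifySignature, IssueCRL, IsRevoked) are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on setup errors (key generation, DER encoding) to keep the example short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// SetupToyPKI builds an in-memory self-signed root CA and one subscriber certificate (all names, serials and
// validity periods are constructed); the CA's signature certifies the binding of the name to the public key.
func SetupToyPKI() (caCert *x509.Certificate, caKey *ecdsa.PrivateKey, subCert *x509.Certificate, subKey *ecdsa.PrivateKey) {
	caKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	subKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caCert = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	subDER := must(x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      pkix.Name{CommonName: "alice@example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		// ContentCommitment is the X.509 name of the non-repudiation key-usage bit.
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, caCert, &subKey.PublicKey, caKey))
	subCert = must(x509.ParseCertificate(subDER))
	return caCert, caKey, subCert, subKey
}

// VerifyChain is the relying party's first check: cert chains to the trusted root and is valid right now.
func VerifyChain(root, cert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// Sign produces the subscriber's ECDSA signature over SHA-256(msg); VerifySignature checks it with the
// public key carried in the certificate, never with a key the signer hands over alongside the message.
func Sign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}
func VerifySignature(cert *x509.Certificate, msg, sig []byte) error {
	return cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig)
}

// IssueCRL is the CA's side of status distribution: a signed list of revoked serial numbers.
func IssueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials ...*big.Int) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// IsRevoked is the relying party's second check: an unsigned or forged CRL proves nothing, so the
// CA's signature over the list is verified before the list is searched.
func IsRevoked(ca *x509.Certificate, crlDER []byte, cert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(ca)
	}
	for i := 0; err == nil && i < len(crl.RevokedCertificates); i++ {
		if crl.RevokedCertificates[i].SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, err
}

func main() {
	caCert, caKey, subCert, subKey := SetupToyPKI()
	msg := []byte("Approve purchase order PO-4711") // constructed message
	sig := must(Sign(subKey, msg))
	revoked := must(IsRevoked(caCert, must(IssueCRL(caCert, caKey, subCert.SerialNumber)), subCert))
	fmt.Println("chain:", VerifyChain(caCert, subCert), "signature:", VerifySignature(subCert, msg, sig), "revoked:", revoked)
}
```

Run it with `go run` (Go 1.19 or later, for x509.ParseRevocationList). The point the article's risk list makes about compromised root keys and obsolete information shows up in the two relying-party checks: VerifyChain trusts nothing but the root it was given, so a certificate issued by any other CA fails even though it is well formed, and IsRevoked refuses a CRL whose signature does not come from that same CA before it consults the list, so status information cannot be supplied by anyone other than the issuer.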
Benefits of PKI
For many organizations, PKI provides the basis of entering into digital commitments and contracts. Without authentication, digital signatures, and nonrepudiation, the risks of Internet transactions would simply be too high. For these organizations, the value of PKI in letting them take their traditional business model to the Internet is priceless.
Companies in a variety of industries have already experienced the benefits of implementing a PKI:
- A large national financial institution replaced hardware encryption devices with a PKI solution and saved approximately $1 million.
- A major leasing organization adopted the electronic approval and signing of applications and reduced average approval time from 42 days to five days.
- A telephone utility incorporated the digital signing of expense forms and achieved ROI in three months.
The ability to validate a customer's identity beyond a shadow of a doubt and authorize access to confidential pricing and inventory information enables a large multinational manufacturer to reduce the cost of a sale from 10 dollars in a call center to five cents over the Internet. The window of service is also now 24x7.
Adopting PKI can be expensive, but when complete, it is well worth your investment. In terms of system availability, reliability, confidence, better customer relationships, and secure access to the Internet, it is hard to imagine a business that will not benefit immeasurably.
Cam Johnston (cam.f.johnston@ca.eyi.com) is a partner in Ernst & Young's E-Risk Solutions practice. He has an extensive background in business commerce solutions using intranets and extranets that incorporate PKI, single sign-on, virtual private networks, and meta-directories.
Matthew Mancuso (matthew.mancuso@ey.com) is an Ernst & Young partner and national director of Security Implementation Services. He is also the lead technologist for the firm's alliances in e-commerce and Internet security, with more than 20 years' experience in PKIs, directory services, enterprise security architectures, and security technologies.