If your organization is like most, you're busily engaged in putting Web-based solutions into effect. You're probably very clear on your objectives: reduce costs, increase sales, get greater market reach, improve customer relationships, and raise profitability.
Sidebar: Code Sheet
But you shouldn't rush headlong into e-business without first taking a good, long look at your security. An individual making an unauthorized entry into your system can do a great deal of damage, by stealing sensitive information or even bringing down your system. So identifying and addressing all possible weak links as part of your overall business strategy and processes makes plenty of sense.
Protecting Business Transactions
As the world moves quickly toward e-business, you need to consider not only the risk of compromised information, but also other dimensions of security, such as loss of system availability or processing capacity, or the inability to maintain transaction integrity.
In the brave new world of e-commerce, people use the Internet in purchasing, leasing, negotiating, entering into contractual agreements, and sharing sensitive legal, financial, and personal information. In high-stakes transactions, you must establish and validate the electronic credentials that prove an individual's identity.
For example, when you send a bid on a sizable project over the wire, do you know if the recipient of that message was really your business partner's purchasing agent? Did an unauthorized third party, such as an unscrupulous competitor, hack into the system? Or perhaps the recipients were correctly identified, but were not really authorized to act in the capacity they claimed?
Even more important in e-commerce, businesses increasingly need to indemnify transactions, that is, to fix responsibility for certain actions or failures to act.
Assigning Responsibility
For example, assume that you agree with your supplier over the Internet that an order of critical parts worth hundreds of thousands of dollars will be delivered on a just-in-time basis. Who is accountable if the shipment arrives so late that it shuts down the production line, or doesn't arrive at all? What if the order was never captured, booked, or shipped? What dollar amount of liability is assumed? By whom? How can you prove the agreed-upon delivery terms with certainty? Can you prove the seller ever received the order?
When the identity of the parties cannot be established with certainty, can you prove anything regarding that transaction in a court of law? Businesses are insisting upon an affirmative answer, based on positive identification.
Handling these serious concerns goes beyond simply managing PINs and passwords and hoping for the best. It inevitably leads to the more complex world of public key cryptography (see sidebar, "Code Sheet").
One element of public key cryptography is public key infrastructure (PKI). A PKI includes the policies and procedures used for setting up a secure method for exchanging information within an organization, an industry, or any worldwide community of users. It includes not only the use of certificate and registration authorities, directory services, and digital signatures, but also the hardware and software used to manage the process, such as servers, protocols, and applications.
The certificate authority (in-house or outsourced, depending on your application or trust model) establishes the chain of trust by positively binding your identity to your electronic credential (for example, your public key). With a trusted identity, you can send "notarized" documents over the Internet using digital signatures or send private encrypted messages you can be sure will only be readable by the intended recipient.
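The binding described above, shown as an added example in Go (standard library only; this is not code from the original article): a hypothetical in-house CA certifies the purchasing agent's public key, and an order is accepted only when the signer's certificate chains to that CA and the signature verifies under the certified key. The altered order and the impostor presenting a self-signed certificate with the agent's name are both rejected. The CA name, serial numbers and the order text are constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// newCert (hypothetical helper) generates a key pair and a certificate binding name to it, signed by caKey under parent (nil parent: self-signed).
func newCert(name string, serial int64, ku x509.KeyUsage, parent *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0}
	if parent == nil {
		parent, caKey = tmpl, priv // self-signed: the certificate vouches only for itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above is well-formed
	return cert, priv
}

// VerifyOrder accepts an order only if the signer's certificate chains to a trusted CA and the signature verifies under that certified key.
func VerifyOrder(roots *x509.CertPool, cert *x509.Certificate, order, sig []byte) bool {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return false // no chain of trust: the CA never bound this key to the claimed name
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, order, sig)
}

// Scenario returns (genuine, tampered, impostor) for the purchase-order case.
func Scenario() (bool, bool, bool) {
	caCert, caKey := newCert("Example Corp CA", 1, x509.KeyUsageCertSign, nil, nil)
	agentCert, agentKey := newCert("purchasing-agent", 2, x509.KeyUsageDigitalSignature, caCert, caKey)
	fakeCert, fakeKey := newCert("purchasing-agent", 3, x509.KeyUsageDigitalSignature, nil, nil) // same name, no CA
	roots := x509.NewCertPool()
	roots.AddCert(caCert) // the only trust anchor
	order := []byte("PO-1001: 500 parts, just-in-time, 2000-06-01") // constructed sample order
	sig := ed25519.Sign(agentKey, order)
	return VerifyOrder(roots, agentCert, order, sig),
		VerifyOrder(roots, agentCert, []byte("PO-1001: 5000 parts, just-in-time, 2000-06-01"), sig),
		VerifyOrder(roots, fakeCert, order, ed25519.Sign(fakeKey, order))
}

func main() { fmt.Println(Scenario()) }
```

Running it prints `true false false`: only the order signed by the CA-certified key is accepted.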
Because information exchanged with PKI is secure, you can legally enforce the transaction, if necessary. The United States enacted digital signature legislation in 2000, and the American Bar Association has invested significant resources in its PKI Evaluation Guide, which supports many legislative efforts. Digital signature laws have been on the books of some states even prior to 2000. Enforceability generally should follow the pattern established by electronic data interchange (EDI), where numerous legal rulings favored the technology.