jim.shamlin.com

European E-Signatures Solutions on the Basis of PKI Authentication Technology

The author asserts that the accurate identification of users is critical to the future economic growth of the Internet. The anonymous nature of the medium facilitates fraud and misrepresentation, and provides cover for criminals, thwarting efforts to prevent or react to criminal activities such as fraud and hacking. The solution proposed (for the EU) is to use PKI authentication that will require all users (and service providers) to identify themselves by means of a public encryption key, as a means to overcome the problems of anonymity online.

PKI TECHNOLOGIES

The authors discuss the basics of PKI (public key infrastructure) in great detail. I'm skipping much of it.

Fundamentally, certain organizations provide a service by which an individual can obtain a code that is used as a means of identification (often called a "digital certificate" or "digital signature"). The code is a "public key" that is checked against a corresponding "private key" in a registry to authenticate the user.
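As an added illustration that is not part of these notes or of the chapter they summarize, the following Go program sketches the key-pair mechanism in miniature: a certificate authority signs a binding between an identity and a public key, and a service authenticates the holder by asking them to sign a fresh random challenge with the matching private key, which stays on the user's machine rather than in any registry. The simplified certificate format, the CA, and the subject name are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Certificate is a simplified stand-in for an X.509 certificate (assumption for
// this example): the CA vouches that Subject owns PublicKey by signing both.
type Certificate struct {
	Subject   string
	PublicKey ed25519.PublicKey
	CASig     []byte
}

func certBytes(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"|"), pub...)
}

// Issue is the certificate authority's enrolment step.
func Issue(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Certificate {
	return Certificate{subject, pub, ed25519.Sign(caPriv, certBytes(subject, pub))}
}

// NewChallenge returns a fresh random nonce; a new one is issued per login so a
// captured signature cannot be replayed later.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Authenticate is the server side: first check the CA's endorsement of the
// certificate, then check that the client signed this challenge with the
// private key that matches the certified public key.
func Authenticate(caPub ed25519.PublicKey, cert Certificate, challenge, sig []byte) bool {
	if !ed25519.Verify(caPub, certBytes(cert.Subject, cert.PublicKey), cert.CASig) {
		return false // certificate was not issued by the trusted CA
	}
	return ed25519.Verify(cert.PublicKey, challenge, sig)
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := Issue(caPriv, "alice@example.eu", userPub) // constructed sample identity
	ch := NewChallenge()
	fmt.Println("legitimate user:", Authenticate(caPub, cert, ch, ed25519.Sign(userPriv, ch)))
	// Someone who copied the certificate (public key included) but not the
	// private key cannot produce a valid signature on the challenge.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("copied certificate only:", Authenticate(caPub, cert, ch, ed25519.Sign(otherPriv, ch)))
}
```

The two printed lines are `true` and `false`: the public key and certificate can be observed by anyone without letting them pass the check.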

EN: PKI has been widely accepted as an effective method of security and identification - but in the end, it's just a code, like a password, that can be intercepted, forged, or hacked. The authors do little to address this vulnerability, but seem to rely on the assumption of inviolability.

PKI SERVICES

The authors enumerate the kinds of services that PKI can support. Again, I'm skipping the granular details, but fundamentally, it comes down to this: PKI can be applied in any instance where a user connects to a server, or where data is transferred from one machine to another (including any stop along the way).

CURRENT (EUROPEAN) REGULATORY ISSUES

The use of PKI technology has long been voluntary - any given user, or the operator of any given system, has the option of using (or not using) the technology. However, due to the perceived complexity to the end-user, it has not been widely adopted; due to the additional work to implement and support user-friendly systems, it has not been widely supported by access providers; and due to its lack of adoption and support by customers, it has not been widely implemented by service providers.

To be effective, the use of PKI must be universal; and to be universal, it must be required by law. The author mentions a handful of legal efforts to require organizations to protect their own data and systems by employing security technologies to safeguard against unauthorized access, so the author's proposal is not unprecedented.

EN: Another key assumption made by the author pertains to the effectiveness of law in forcing compliance. It has been noted in other chapters that EU resolutions have no legal teeth and are only sporadically enforced or adopted.

He also recommends that the government take on the role of certificate authority, replacing the myriad of private companies that provide this service, for practical reasons (one central database is easier to deal with, there would be a single standard, it decreases the opportunity for forgery, it makes any attempt to hack a criminal offense, etc.). He also suggests this would address the concern about giving the government (as the keeper of all personal keys) the ability to monitor encrypted communications for security reasons, as well as the ability to keep an eye on the movement of goods in the economy.

ADOPTING SOLUTIONS

The author presents some suggestions for getting the market to adopt PKI of its own free will, without the need for heavy-handed government intervention or undue burden on citizens.

Primarily, having a single certificate authority, with a single database, and using a single set of standards will facilitate adoption (as opposed to having to support multiple databases and standards, which is inefficient, difficult, and costly).

Legal recognition of PKI by the legal system (in the investigation and prosecution of crime, and as proof of acceptance in contractual disputes) would also provide another non-intrusive incentive for businesses to adopt it and to require it as a condition of service.

Requiring PKI in order to conduct official correspondence with government agencies would also give organizations and individuals an incentive to adopt the technology (though it should be offered as an option, chosen for its convenience, rather than as a condition of having access to government services at all).

CONCLUSION

A rehash of the main points of the article, plus the suggestion that early action on the part of the European government would enable them to set the standard for other governments, rather than putting them, and the economy of Europe, in the position of having to adopt standards established elsewhere.
