Ray Van Eng (07/29/96)
How do you prove yourself online? On the highway and in other public places, you would likely use your driver's license as a means of identification. On the information superhighway, however, you need a digital signature or some form of electronic certificate.

How do you obtain a digital signature? You need to go to a trusted organization, a certifying authority that issues certificates on behalf of others. On the Internet, a number of companies have been formed to perform just such functions. Verisign Inc. and GTE's CyberTrust business unit are prime examples in this area.

Why is a digital signature so important to you as a consumer? As a cartoon in the New Yorker magazine illustrated so well, nobody knows that you are a dog on the Internet. People need to prove themselves online so that the other party knows they are who they claim to be. This is practically essential before any trusted financial transaction can take place over the WWW. Yes, we are talking about electronic commerce (EC).

-----------------------------------------------------------

Remember SET (Secure Electronic Transaction)? The 'be-all, end-all' standard forged by Visa, MasterCard, Netscape, Microsoft, Terisa Systems, IBM and others? SET is meant to provide a multitude of underlying protocols for handling electronic commerce over the Internet, with credit cards or other digital money schemes as the most commonly employed payment methods. The SET specification was finalized in June this year, and software vendors, banks, payment processing companies and others are busily working to incorporate the SET standard into their own products, which may become available in time for the Christmas shopping season in 1996.

In any financial transaction, especially one done remotely via a computer network between parties who have little knowledge of each other, there are four primary areas of concern:

* Confidentiality: no one will have details of the transaction other than those involved.
* Integrity: the message has not been tampered with en route from one party to another.
* Authenticity: you are assured of the identity of the party you are dealing with.
* Non-Repudiability: the parties involved cannot deny that the transaction ever took place.

The SET specification, with its heavy emphasis on cryptography, will allow vendors to employ data encryption technologies to take care of confidentiality and integrity. Digital certificate services are needed to enforce authenticity and non-repudiability.

One of the last stumbling blocks of EC is how the bank or financial institution can be sure that a transaction that filtered through the Internet is a genuine one between consenting parties whose identities can be proven beyond any doubt. Without digital signatures, it is simply impossible to tell.

To solve this problem, there are two major camps working towards the same objective. MasterCard International has just announced that it will take part in GTE's CyberTrust project to actively formulate an electronic certificate service that complies with the SET specification. In the same vein, Visa International chose to work with Verisign Inc., a spin-off from RSA Data, the world's largest supplier of encryption technologies.

Under the banner of Private-Label Digital ID Services, Visa and Verisign will initially work mostly with Visa member banks and application developers who intend to build SET-enabled solutions for electronic commerce.

Here is one scenario that Visa and Verisign have envisioned: when a consumer is ready to make a purchase over the Internet, he or she will click on a credit card icon which is linked to the user's decoder key. The consumer will then fill out an order form. With the click of a 'submit' button, the decoder key, the order form and the user's digital certificate will be sent to the Internet merchant, who will then use the decoder key to gain entry into the information, including the identity of the Visa card issuing bank.

A digital certificate is not only useful in proving yourself online; it has many other applications in such diverse areas as the legal field and software manufacturing. For example, digital signature and time-stamping technologies are immensely useful tools in the public notary and insurance fields.

Digital certificates can also be used to authenticate that a piece of software you download from the Internet is a genuine article from a certain software developer. Sun Microsystems is reputed to be working on such a scheme that would allow a Java applet to be "signed" and encrypted at the software developer's server for authentication and later decrypted for use by anyone.

Although Sun's intention is certainly to be applauded, it remains to be seen how well this will actually work out. As Marianne Mueller, Sun staff engineer, cautions, "We'll have to wait and see how well digital signatures scale to the Internet." And so shall we.

Many of us will also be waiting eagerly for the results of the digital ID tests for electronic commerce to be conducted by Visa, MasterCard, Verisign, GTE and their partners, which are scheduled to take place throughout 1996 and early next year.
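To make the roles of the certifying authority and the digital signature concrete, here is an added example (not from the article, and not SET or any vendor's code) of a merchant checking a certificate and then a signed order. It assumes toy textbook RSA over small fixed primes with no padding, which is insecure and used only to show the trust chain; all names and sample data are constructed.

```python
import hashlib

def make_key(p, q, e=65537):
    """Textbook RSA key pair from two primes (toy sizes, no padding, not secure)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    return pow(_digest(msg, priv["n"]), priv["d"], priv["n"])

def verify(pub, msg, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(msg, pub["n"])

def cert_body(subject, pub):
    return f"{subject}|{pub['n']}|{pub['e']}".encode()

def issue_cert(ca_priv, subject, pub):
    """The certifying authority binds a name to a public key by signing both."""
    return {"subject": subject, "pub": pub,
            "ca_sig": sign(ca_priv, cert_body(subject, pub))}

def check_order(ca_pub, cert, order, order_sig):
    """Merchant-side check: the certificate first, then the order itself."""
    if not verify(ca_pub, cert_body(cert["subject"], cert["pub"]), cert["ca_sig"]):
        return "rejected: certificate not issued by the trusted CA"
    if not verify(cert["pub"], order, order_sig):
        return "rejected: order altered or not signed by the certificate holder"
    return "accepted: order from " + cert["subject"]

# Constructed sample data; Mersenne primes keep the demo short and offline.
CA_PUB, CA_PRIV = make_key(2**61 - 1, 2**89 - 1)
ALICE_PUB, ALICE_PRIV = make_key(2**89 - 1, 2**107 - 1)
MALLORY_PUB, MALLORY_PRIV = make_key(2**107 - 1, 2**127 - 1)
ALICE_CERT = issue_cert(CA_PRIV, "Alice Cardholder", ALICE_PUB)
ORDER = b"order=1 book; total=19.95 USD"
ORDER_SIG = sign(ALICE_PRIV, ORDER)
# A certificate claiming Alice's name but signed with a key the merchant does not trust.
FORGED_CERT = issue_cert(MALLORY_PRIV, "Alice Cardholder", MALLORY_PUB)

if __name__ == "__main__":
    print(check_order(CA_PUB, ALICE_CERT, ORDER, ORDER_SIG))
    print(check_order(CA_PUB, ALICE_CERT, b"order=100 books", ORDER_SIG))
    print(check_order(CA_PUB, FORGED_CERT, ORDER, sign(MALLORY_PRIV, ORDER)))
```

The merchant needs only the CA's public key in advance: integrity and authenticity of the order follow from the two signature checks, and because only the certificate holder's private key could have produced the order signature, the same check supports non-repudiation.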