Digital Signatures and Authenticating Identity
When John Hancock signed the Declaration of Independence, no one had to guarantee his identity. His colleagues saw him in the flesh, and witnessed his act of signing the now historic piece of paper. Some of us may even remember the days when a letter of introduction would suffice to verify a person’s identity and authorize that person to represent an organization.

And most of us are familiar with the ritual of signing a legal document, in the presence of a witness or a notary. So how will such roles of verification and authentication be replaced in the digital signature process to guarantee that the correct individual completes a transaction?
PKI Functions: RAs and CAs
The roles of verification and authentication that John Hancock’s esteemed colleagues, the notary and the witness once played are now being replaced by two functions within a Public Key Infrastructure (PKI). You may recall that in the last issue of The Green Sheet, we described digital certificates and their necessary place within a PKI. A digital certificate must be issued in order to verify the identity of the person using a digital signature.
You might want to compare this process with one that you are quite familiar with. When you apply for a driver’s license, you experience a two-step authentication process analogous to that which takes place when you request a digital certificate:

1) You identify yourself to someone—who is widely known as a trusted party—well enough so that that person (or institution) is willing to vouch for you, and

2) You ensure that the person (or institution) willing to vouch for you records their authentication by issuing a certificate to that effect.
Thus, in order for a digital certificate to be issued, it is first required that an individual register as a user and request a certificate. Only then can an organization authenticate the identity of the requester and issue the certificate. This process is gradually being automated, and made electronic, to keep pace with technological change within various departments of financial services organizations. The functions of verification and authentication, in the two-step process described above, are essentially carried out, respectively, by the Registration Authority and Certificate Authority within PKI:
Registration Authority (RA): an entity dedicated to user registration and accepting requests for certificates. For example, the traditional financial institution’s use of your mother’s maiden name as a means of verifying your identity will now be more complex, but automated, and likely electronic. According to “Understanding Public Key Infrastructure,” an RSA Security white paper, “User registration is the process of collecting user information and verifying user identity, which is then used to register a user according to a policy. This [function] is distinct from the process of creating, signing, and issuing a certificate.”
Certificate Authority (CA): an entity that issues digital certificates by signing with its own digital signature. A CA must also store keys, certificates and a record of certificates that have been revoked. According to RSA’s white paper, “The CA signs the certificate, thereby authenticating the identity of the requester, in the same way that a notary public vouches for the signature and identity of an individual. In addition, the CA “stamps” the certificate with an expiration date. The CA may return the certificate to the requesting system and/or post it in a repository.”
Management of RAs and CAs
The functions of RA and CA may be managed separately, or together, depending on the organization. For example, a Human Resources department may manage the RA function, while an Information Technology department manages the CA. By separating the RA function from that of the CA, the organization adds one level of security. For more information on digital certificates and PKIs, visit www.rsa.com.
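The following is an added toy model of the RA and CA roles described above, and of the separation between them; it is example code, not code from The Green Sheet, RSA Security or any PKI product. The RA approves requests against an identity-verification policy, the CA signs only RA-approved requests, stamps an expiration date, posts the certificate in a repository and keeps the revocation record, and a relying party checks all three. The RSA modulus is built from two public Mersenne primes purely so the signing arithmetic is visible; it is an assumption for illustration and not a secure key.

```python
# Added toy RA/CA model (not The Green Sheet's or RSA's code); Mersenne-prime RSA key is NOT secure.
import hashlib
import json
from datetime import date, timedelta
P, Q = 2**127 - 1, 2**89 - 1          # illustration-only primes (assumption)
N, E = P * Q, 65537                   # CA public key: modulus and exponent
D = pow(E, -1, (P - 1) * (Q - 1))     # CA private exponent, never leaves the CA
CA_PUBLIC_KEY = (N, E)
def _digest(body: dict) -> int:  # hash the certificate body to an integer below N
    raw = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % N

class RegistrationAuthority:
    """Collects identity evidence and approves requests according to a policy."""
    def __init__(self, policy):
        self.policy = policy          # callable: evidence dict -> bool
        self.approved = {}            # request id -> verified subject name
    def register(self, request_id, subject, evidence):
        if not self.policy(evidence):
            return False
        self.approved[request_id] = subject
        return True

class CertificateAuthority:
    """Signs certificates only for RA-approved requests; keeps the revocation record."""
    def __init__(self, ra):
        self.ra, self.repository, self.revoked, self._serial = ra, {}, set(), 1
    def issue(self, request_id, subject_key, today, validity_days=365):
        subject = self.ra.approved.get(request_id)
        if subject is None:
            raise PermissionError("request was not authenticated by the RA")
        body = {"serial": self._serial, "subject": subject, "key": subject_key,
                "not_after": (today + timedelta(days=validity_days)).isoformat()}
        cert = {"body": body, "signature": pow(_digest(body), D, N)}  # CA signs
        self.repository[self._serial] = cert   # post it in the repository
        self._serial += 1
        return cert
    def revoke(self, serial):
        self.revoked.add(serial)

def verify(cert, ca_public_key, revoked, today):
    """Relying party's check: CA signature, expiration stamp, revocation record."""
    body = cert["body"]
    if pow(cert["signature"], ca_public_key[1], ca_public_key[0]) != _digest(body):
        return "bad signature"
    if date.fromisoformat(body["not_after"]) < today:
        return "expired"
    if body["serial"] in revoked:
        return "revoked"
    return "valid"
```

A request the RA never approved cannot be signed at all, which is the point of running the two functions in separate departments.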
Evaluating PKI Products
You will find that the more you read about PKI, the more products you will discover are being offered to authenticate identities for both individuals and businesses.

The Prudential Insurance Co. of America is one of many financial services organizations that have spent much time evaluating PKI technologies. Recently, Prudential joined forces with eWeek to review a few of the many currently available products (see chart entitled “Who’s Out There?”).
Criteria used to assess these products included:

1) The ability to set up a CA (certificate authority) and RA (registration authority),

2) Bulk key and certificate generation,

3) Certificate revocation,

4) Key escrow and recovery,

5) Certificate renewal, and

6) Directory support and integration.
In addition, eWeek examined the products’ abilities to cross-certify, which is necessary when one CA agrees to trust certificates issued by a different CA.
For more information on this evaluation, visit www.zdnet.com, search on “PKI Products” and look in Tech News.
Guaranteeing Identities
A Certificate Authority (CA) is chartered with the responsibility of guaranteeing the identities of the parties making an agreement, whether they be an individual or a business. You will find that some financial services organizations focus more on guaranteeing the identity of individuals, and others focus more on guaranteeing the identity of businesses or organizations.
Guaranteeing the Identity of Individuals
Salt Lake City-based Zions National Bank recently went public with the American Bankers Association’s Digital Trust initiative. Called a Trust ID, the certificate is an online identification credential, similar to a driver’s license or passport. A Trust ID certificate verifies an individual with a “guarantee of identity.”
By issuing Trust ID certificates, banks can become key players in electronic transactions and will be able to offer more online financial services, build customer relationships and establish new profit centers. For more information, visit www.aba.com or www.digsigtrust.com.
Guaranteeing the Identity of Businesses
Identrus LLC greeted the new millennium by becoming the first of the financial industry’s three multi-institution digital certificate programs to go live. Bank of America Corporation, one of the now 36 member banks in the Identrus alliance, recently began providing guaranteed identification of businesses to other businesses trading online.
According to Bank Technology News, Khaja Ahmed, Identrus’ new chief technology officer, explained what being live really means. “The difference is not in the technology; it’s in the liability and risk management. We’re saying, ‘This is for real. We’re going to stand behind this transaction and cough up money if something goes wrong.’”
In assuming legal liability for its mistakes and in being global in scope, Identrus is distinguished among the United States’ financial providers of business-to-business authentication for e-commerce. For more information, visit www.identrus.com.