
Interoperable digital certificates for

Date post: 11-Feb-2022
Page 1: Interoperable digital certificates for
Page 2: Interoperable digital certificates for

Interoperable digital certificates for e-commerce

Dr Andreas Mitrakas, GlobalSign

The Open Group Conference, Helsingor, 27 April 1999

Page 3: Interoperable digital certificates for

Context

Basic “key” elements of our trade culture

• Identifiers
• Proofs
• The need for Privacy

Page 4: Interoperable digital certificates for

Context

Basic “key” elements of our trade culture

• Identifiers: Digital IDs
• Proofs: Digital Signatures
• The need for Privacy: Encryption

Page 5: Interoperable digital certificates for

Market Volume

• Source Datamonitor: Market Volume PKI (certificates)

[Chart: PKI Market Volume, $m (axis 0 to 2000), 1997 to 2001, by region: Europe, North America, RoW]

Page 6: Interoperable digital certificates for

Market Volumes

• Datamonitor: Market Volume PKI: 2001, $m 1800, 1/3 Europe, growth rate Europe > US
• Forrester Research: “The average corporation currently spends more on coffee and soft drinks than on network security; we expect this to change”
• John Maynard Keynes: “I would rather be vaguely right than precisely wrong”

Page 7: Interoperable digital certificates for

Market Volumes

• Aligned growth rate with e-commerce
    • number of Internet Users: 97 million in 1998, 320 million in 2002
    • e-commerce market volume: $32 billion in 1998, $426 billion

Page 8: Interoperable digital certificates for

Agenda

• Introduction
• Certification Authorities
• A profile of GlobalSign
• Interoperability
• A Legal Framework
• Conclusions

Page 9: Interoperable digital certificates for

Certification Authorities

• Trusted Third entity that issues, publishes and revokes certificates
    • market recognition: partners, brand-name
    • licensing from the government
• Certificate classes
    • May issue different “classes” of certificates depending on the level of ‘trust’
    • Banking vs Online Publishing
    • verification: is that person the person who he/she claims to be?

Page 10: Interoperable digital certificates for

GlobalSign

Page 11: Interoperable digital certificates for

GlobalSign

• “Leading European Trusted Third Party based on an International Network of Certification and Registration Authorities which all meet the same accreditation requirements, follow the same verification procedures and co-brand their certificates in order to achieve international recognition of digital certificates and world-wide interoperability of CAs and RAs”.

Page 12: Interoperable digital certificates for

GlobalSign

• GlobalSign:
• a network of local Certification and Registration Authorities
• combining national trust credentials by local presence and international recognition and interoperability by uniform rules
• combining a minimum common framework based on EC directives and local legislation
• diverse legal regulations in the European Union can be better addressed through a network of RAs.

Page 13: Interoperable digital certificates for

A Clearing Network

[Diagram labels: Bank, Clearing House, Int Credit Card Comp]

Page 14: Interoperable digital certificates for

A Certification Network

[Diagram labels: GS, CA, RA]

Page 15: Interoperable digital certificates for

GlobalSign’s European CA/RA Network

• Italy
• Belgium
• Luxembourg
• Austria
• Netherlands
• UK
• Greece
• EC projects: 11 member States

Page 16: Interoperable digital certificates for

GS Market Numbers

• GlobalSign: 120,000 certificates issued in 1998
    • Belgium: 6%
    • Germany: 7%
    • UK: 8%
    • Italy: 5%
    • Netherlands: 5%
    • France: 5%
    • Japan: 5%
    • United States: 5%

Page 17: Interoperable digital certificates for

Agenda

• Introduction
• Certification Authorities
• A profile of GlobalSign
• Interoperability
• A Legal Framework
• Conclusions

Page 18: Interoperable digital certificates for

Issues of interoperability

• Legal diversity
• PKI industry faces a balkanised legal environment
• Less obvious problems in the technical front
• CA instruments: CAs compelled to co-ordinate their practices with the Law through their CPS and Certification Policies

Page 19: Interoperable digital certificates for

GlobalSign’s CPS

• GlobalSign publishes its Certification Practice Statement describing in great detail the practices and procedures it uses for the issuing and management of certificates.
• The CPS of GlobalSign is subject to annual auditing by a recognized auditor. Suggestions have been appropriately incorporated in the current version.

Page 20: Interoperable digital certificates for

A recognized CPS

• GlobalSign’s CPS is compatible with most legal obligations imposed by laws in EU member states and the EU draft directive and the draft laws of Belgium and the Netherlands
• GlobalSign acknowledges its responsibility as a CA through a comprehensive insurance programme
• As a European CA GlobalSign offers full protection to consumers according to the EU directives on consumer protection and privacy

Page 21: Interoperable digital certificates for

Technical Interoperability I

• GlobalSign follows the PKIX WG recommendations e.g. the RFC 2459 draft
• GlobalSign’s Top root and primary roots follow the PKIX recommendation
• To serve users of Netscape, GS adds non-critical Netscape proprietary extensions to clients and the lowest level of GlobalSign’s signing roots
• Next generation of certificates will not require the proprietary extensions of browsers any more
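
Why marking the Netscape extensions non-critical keeps certificates interoperable, as an added example that is not part of the original slides or GlobalSign code: under the PKIX profile a relying party must reject a certificate carrying a critical extension it does not recognise, but may ignore an unrecognised non-critical one. The set of extensions the client understands, the function names and the sample extension bytes are assumptions constructed for illustration.

```python
KNOWN = {"2.5.29.15", "2.5.29.19"}  # assumed client support: keyUsage, basicConstraints

def tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def oid_str(body):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_extensions(der):
    """Return [(oid, critical)] for a DER-encoded Extensions SEQUENCE."""
    _, seq, _ = tlv(der, 0)
    pos, out = 0, []
    while pos < len(seq):
        _, ext, pos = tlv(seq, pos)
        _, oid, nxt = tlv(ext, 0)
        tag, val, _ = tlv(ext, nxt)
        # critical is BOOLEAN DEFAULT FALSE, so DER omits it when false
        out.append((oid_str(oid), tag == 0x01 and val != b"\x00"))
    return out

def accept(der, known=KNOWN):
    """Reject only if an unrecognised extension is marked critical."""
    return all(oid in known or not crit for oid, crit in parse_extensions(der))

# Constructed sample data (short-form lengths only), not from a real certificate.
def enc(tag, body):
    return bytes([tag, len(body)]) + body
KEY_USAGE = enc(0x06, bytes.fromhex("551d0f"))  # 2.5.29.15
NS_CERT_TYPE = enc(0x06, bytes.fromhex("6086480186f8420101"))  # 2.16.840.1.113730.1.1
BITS = enc(0x04, bytes.fromhex("03020780"))  # OCTET STRING wrapping a BIT STRING
def ext(oid, critical):
    return enc(0x30, oid + (enc(0x01, b"\xff") if critical else b"") + BITS)
NONCRITICAL_NS = enc(0x30, ext(KEY_USAGE, True) + ext(NS_CERT_TYPE, False))
CRITICAL_NS = enc(0x30, ext(KEY_USAGE, True) + ext(NS_CERT_TYPE, True))
```

A client that does not implement the Netscape certificate-type extension accepts `NONCRITICAL_NS` and rejects `CRITICAL_NS`; only a client that lists that OID as known accepts both.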

Page 22: Interoperable digital certificates for

Technical Interoperability II

• GlobalSign certificates have been tested on software packages:
    • Netscape browser and server
    • Microsoft browser and server
    • Opera browser
    • Apache server
• and on operating systems
    • Win NT4, ’98, 3.1
    • Linux
• GlobalSign certificates can be used on many more packages and OSs depending on user needs and requests.

Page 23: Interoperable digital certificates for

Technical Interoperability III

• Although GlobalSign currently does not have full scale procedures for interoperability tests, it is currently on the way to implementing interoperable standards with other CAs.
• Discussion and exchange of opinion through mailing lists

Page 24: Interoperable digital certificates for

Agenda

• Introduction
• Certification Authorities
• A profile of GlobalSign
• Interoperability
• A Legal Framework
• Conclusions

Page 25: Interoperable digital certificates for

Towards Security Interoperability I

• Self-regulation
• As market grows it will be increasingly necessary to address the issues of interoperability through discussion in appropriate industry fora
• Self regulation essential for interoperability to set a standard of PKI services, technical requirements, organizational matters and additional security measures

Page 26: Interoperable digital certificates for

Towards Security Interoperability II

• Positive Law
• A homogeneous legal approach on interoperability will reduce transaction costs and increase the level of trust in providing CA services
• Uniformity is critical in areas like consumer transactions and professional usage

Page 27: Interoperable digital certificates for

A self-regulation based framework

• The ICC ETERMS Repository
• The ICC ETERMS Repository can be used to register, publicize and access a CPS
• The ICC ETERMS Best Practice Rules can provide an appropriate forum for the discussion and conclusion of a uniform way to address interoperability issues
• Adherence to the ICC ETERMS BPRs can be used within a benchmarking system to assess compliance with interoperability standards

Page 28: Interoperable digital certificates for

Where do we go from here?

[Diagram labels: Business Credentials; Identifiers; Payment Security; Legal Security; Tax; Logistics; Certification Authorities; Digital Signatures; Encryption; Digital IDs; Clearing House; Business Auditors. Caption: As e-comm progresses...]

Page 29: Interoperable digital certificates for

Tentative Conclusion

Page 30: Interoperable digital certificates for

Tentative Conclusion

• Widely applied information security consistent legislation to support interoperability of CA certs
• Self-regulation to dynamically pursue an industry supported solution for interoperability
• The ICC ETERMS can play a role in an increasingly complex information security environment based on PKI

