Identrus, PKI and digital certificates

How top global financial institutions plan to make themselves indispensable by enabling identity trust in e-commerce.

The anonymity of the internet is a mixed blessing. For many home users it's an experience of freedom, but for businesses wanting to transact confidently through online channels, the lack of certainty over who you're dealing with can make e-commerce too risky to consider.

A famous New Yorker cartoon in 1993 summed up this quandary when it stated, “On the internet no-one knows you're a dog.” Identrus, an organization owned by a group of top international banks, wants to put financial institutions in a position to enable their customers to sort out the dogs from the cats.

Formed in April 1999, Identrus has an impressive list of equity investors that includes HSBC, Deutsche Bank, Citigroup, Chase Manhattan and Barclays. On top of this, most of the world's top banks have signed on as partners to the scheme.

Leveraging financial institutions' traditional role of identifying customers for initiating transactions or payments, Identrus says it will use existing PKI digital certificate technology to let businesses trust the identity of an electronic trading partner in four ways. First, common legal and business practices come from the member institutions' global reach, regulatory experience and approval from peak bodies such as the US Federal Reserve. Second, authentication is done in real time, and identity warranties can be delivered by member institutions. Third, the integrity of messages is assured, so users can tell if tampering has taken place during electronic transmission. Lastly, non-repudiation is assured: legal proof of transactions can be provided to defeat claims of misrepresentation if a deal goes bad.

Legitimate signature

So, what is PKI anyway, and what makes it different from an illegible, yet unique, scribble on paper?
PKI stands for Public Key Infrastructure and is the basic technology that allows verifiable, secure digital signatures to be transmitted over open systems such as the internet. The use of digital signatures usually involves two processes, one performed by the signer and the other by the receiver of the digital signature.

When the signer uses software to sign a message, a digest is computed from the content of the message and combined with a code that is unique to, and known only by, that user – the private key.

Combining these two elements lets the receiver of the signed message ensure not only that it has been authorised, but also that the message has gone unchanged in transit. This verification at the receiving end is done using what's known as a public key. The public key is a code that's been previously made known to the receiver via a digital certificate.
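The two processes just described, as an added example in Go (not code from the article or from Identrus): the signer derives a SHA-256 digest from the message and signs it with an ECDSA private key, and the receiver recomputes the digest and checks it with the public key alone. The order text and the key pairs are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signed is what travels over the open network: the message and the signature made over its digest.
type Signed struct {
	Message []byte
	Sig     []byte // ECDSA signature over SHA-256(Message), produced with the signer's private key
}

// NewSigner generates a signer's key pair; only the public half is ever shared (via a certificate).
func NewSigner() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign is the signer's process: derive a fixed-size digest from the message, then sign that digest
// with the private key. The digest is what binds the signature to this exact message content.
func Sign(priv *ecdsa.PrivateKey, msg []byte) (Signed, error) {
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return Signed{Message: msg, Sig: sig}, err
}

// Verify is the receiver's process: recompute the digest from the message as received and check
// it against the signature using only the public key. Any change to the message, or a public key
// belonging to someone else, makes this return false.
func Verify(pub *ecdsa.PublicKey, s Signed) bool {
	digest := sha256.Sum256(s.Message)
	return ecdsa.VerifyASN1(pub, digest[:], s.Sig)
}

func main() {
	priv, _ := NewSigner()
	order := []byte("PAY 10000 EUR to ACME Ltd, ref 4711") // constructed sample message
	s, _ := Sign(priv, order)
	fmt.Println("genuine:", Verify(&priv.PublicKey, s))
	altered := s
	altered.Message = []byte("PAY 90000 EUR to ACME Ltd, ref 4711") // one field changed in transit
	fmt.Println("altered in transit:", Verify(&priv.PublicKey, altered))
	other, _ := NewSigner()
	fmt.Println("checked with another party's public key:", Verify(&other.PublicKey, s))
}
```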

The digital certificate is a notification that basically says: this person (and their private key) is associated with this public key. A digital certificate has been equated to an identity card, like a driver's license, that binds an owner to a signature. It can be sent to individuals via e-mail or made accessible in a database or on a File Transfer Protocol (FTP) server.

But how do you know that a digital certificate is legit? How do you know it's not a forgery?
Certification Authorities (CAs) have been set up in many countries around the world to serve as regulated issuers of private and public keys and digital certificates. The CAs themselves sign each digital certificate with their own digital signature, which can be verified using the public key contained in a digital certificate issued by a CA higher up in the hierarchy, and so on up to the highest authority, the Root CA, or until the user is confident of the legitimacy of the original certificate.

Global root

Identrus' plan is to set itself up as a global Root CA, with two tiers of Financial Service Institutions (FSIs) in a descending hierarchy.

Level One FSIs must meet certain stringent financial rating requirements and will be the issuing CAs for smaller Level Two institutions. Level One FSIs can also issue digital certificates to their employees, corporate customers and application servers, as well as building e-commerce products around key identification services such as authentication and explicit warranties.

Level Two FSIs can, through a Level One sponsor, provide certification authority, liability tracking and risk management services for their business customers.
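The hierarchy described in this section, together with the chain check described under "Legitimate signature", as an added example in Go using the standard library's x509 package (not Identrus code; the functions Issue and VerifyChain, the "Global Root CA", "Level One FSI", "Level Two FSI" and "Buyer Corp" entities, the Ed25519 keys and the 24-hour validity are all constructed here). Only the root is trusted a priori; a relying party handed the buyer's certificate without the Level Two certificate cannot complete the chain and must reject it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Issue creates a certificate for name, signed by parentKey under parent; a nil parent makes it self-signed (a root).
func Issue(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader) // the private half never leaves its owner
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{ // constructed serial; a real CA keeps a register of the serials it issues
		SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	tmpl.Subject.CommonName = name
	if parent == nil {
		parent, parentKey = tmpl, key // nobody above it: the certificate vouches for itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyChain checks that leaf is signed, via the intermediates, by a key that chains up to the trusted root.
func VerifyChain(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root) // the only certificate trusted without a signature from someone higher up
	for _, c := range intermediates {
		pool.AddCert(c) // offered, not trusted: each must be signed by the level above it
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
func main() {
	root, rootKey, _ := Issue("Global Root CA", true, nil, nil)
	l1, l1Key, _ := Issue("Level One FSI", true, root, rootKey)
	l2, l2Key, _ := Issue("Level Two FSI", true, l1, l1Key)
	buyer, _, _ := Issue("Buyer Corp", false, l2, l2Key)
	fmt.Println("complete chain:", VerifyChain(buyer, root, l1, l2), "| Level Two certificate withheld:", VerifyChain(buyer, root, l1))
}
```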

In a typical buy-sell transaction, a seller would ask their financial institution to validate the electronic identity of a buyer. The seller's financial institution would electronically contact the buyer's financial institution, which in turn would attest to the identity of its customer, the buyer. Identrus will provide the validation of the respective financial institution's identity. The same system is used in reverse if a buyer wants to check a seller's identity, and, if the relying party desires, they can obtain an identity warranty from their financial institution. All of this is carried out securely in real time over the internet.

Identrus uses an open architecture model, so end users and FSIs can use any software solution they want – either upgrading existing PKI architecture to meet Identrus standards, building a system from scratch or outsourcing the job to one of Identrus' partners.

Identrus says that, “the banking, legal, regulatory, cryptographic, security and technology expertise that founding members have brought to the initiative – combined with the size, reputation and global reach of the financial institutions involved – is a significant combination. Although Identrus won't be the world's only root identity certifying authority, it will be a very significant one.”