Delivering Digital Signature Technology with PKI
Before you deliver a digital signature solution for your company's e-commerce transactions, you need to decide which public key trust model fits your business and applications. If you implement digital signatures for a small, designated group of people and your company has no intention to implement a PKI infrastructure over the short term, products that follow the direct trust model (e.g., Entrust/Solo, SynCrypt) are suitable for you. However, if you conduct e-commerce in a public environment (e.g., over the Internet), you need a product that falls under the third-party trust model. If you have not implemented PKI in your company, digital signature technology following the third-party trust model can be a killer application that drives you to support other certificate-enabled applications such as encryption, Secure Sockets Layer (SSL) Web communication, and smartcard logon. Implementing a PKI infrastructure is not an easy task. You need to carefully plan your project and examine vendor solutions. Here are some basic questions to ask yourself or vendors you evaluate, as you plan your PKI and digital signature solution.
Outsource or in-source? You can outsource your PKI and certificate management through a public CA. The public CA will handle certificate management for your company, and you won't need to host and maintain an in-house CA system. However, you will lose the ownership of your certificates and pay a fee for each certificate the CA issues to your company.
As an alternative to contracting a third-party CA, several software companies offer commercial CA products and comprehensive PKI solutions. Some examples are Baltimore Technologies' UniCERT, Entrust Technologies' Entrust/PKI, Microsoft's Certificate Server, and Netscape's Certificate Server. Using these products, you can build a CA system to issue and manage certificates and establish CA trust relationships with your business partners.
A recent study by Giga Information Group, an information technology advisory company, compared the costs of different application scenarios using Entrust Technologies and VeriSign. According to the report (available at Entrust Technologies' Web site), implementing a solution using a commercial PKI product is cheaper than outsourcing CA services.
Which PKI vendor? If you implement PKI, you need to decide which PKI solution to use. Microsoft includes Certificate Server 1.0 in Internet Information Server (IIS) 4.0 and will deliver a comprehensive CA service in Windows 2000 (Win2K—formerly NT 5.0). Microsoft supports digital signature and encryption in Outlook email but does not implement digital signature technology for files; however, Win2K will include Encrypting File System (EFS). You can develop digital signature functionality for your files and base it on your application requirements by using Microsoft's CryptoAPI.
Entrust Technologies is a strong Microsoft competitor. Entrust Technologies has been developing PKI products for many years and has a substantial presence in large companies. Entrust/PKI running on multiple platforms offers a complete PKI solution. And there are other vendors from which to choose. The decision you make should reflect your technical requirements and business strategy.
Which directories? A CA publishes its issued certificates in a directory. For example, Microsoft's Certificate Server in Win2K publishes certificates in Active Directory (AD). Netscape's Certificate Server publishes certificates in Directory Server. Baltimore UniCERT can publish certificates in any X.500 directory, such as ISOCOR GDS. Entrust/PKI can publish certificates in its directory, Entrust/Directory; in an X.500 directory, such as an ICL i500 directory; or in a Lightweight Directory Access Protocol (LDAP) directory, such as Netscape Directory Server. Entrust Technologies is working with Novell to incorporate Entrust/PKI into Novell Directory Services (NDS). If you are planning an enterprise certificate directory or meta-directory, your PKI implementation will affect your enterprise directory choice.
Which CA trust relationship? When you practice e-commerce with your business partners, your CA and your partners' CAs need to establish a trust relationship so users in different companies can trust one another. Today, two trust-relationship models exist: hierarchy certification and cross-certification. In hierarchy certification, partner companies trust a common root CA, which signs the companies' CA certificates. In cross-certification, partner companies certify and sign one another's CA certificates. If you have many business partners, cross-certification will become very complicated. Today, Microsoft's Certificate Server supports only hierarchy certification; Entrust/PKI supports hierarchy and cross-certification.
How about interoperability? No real interoperability exists today among different digital signature software products, except in standard Secure MIME (S/MIME) email. Don't expect to use one vendor's software to verify your business partner's signatures in files created by another vendor's software. For now, companies that want to use digital signature technology must use the same digital signature software that their business partners use.
What about government regulation? The US government doesn't regulate digital signature technology, but it does forbid exporting encryption larger than 56-bit. Be sure to examine the kinds of encryption the vendor you're evaluating supports.
No Falsification in E-Commerce
In September 1998, a group of hackers attacked the New York Times Web site and falsified its contents to retaliate against a Times writer for his reporting about the hackers. Had the New York Times applied digital signature technology to its Web contents, the newspaper would not have left its Web site open to sabotage. Digital signature technology is important for data integrity and authentication. When you implement digital signature technology and PKI, you greatly reduce the threat that forgery and document tampering pose to your e-commerce documentation.