Digital Certificate Authority

Certificate authorities were at the hub of many e-commerce developments in the early 2000s. One of the greatest impediments to the widespread adoption of online commerce was the fear among many consumers and businesses of the security risks involved in sending financial or other information over the Internet. Certificate authorities hoped to alleviate such fears by acting as guarantors of the authenticity and security of online transactions. To accomplish this, they issued digital certificates, or encrypted electronic packages carrying information that authenticates its sender.

Digital certificates employ a public-key infrastructure. A public code, or key, can be used by anyone to encrypt a message to a given authority. However, only that authority can decrypt the message using its private key. Only the combination of the private key and the public key can authenticate a user's identity or a transaction using a digital certificate. Digital certificates, in turn, were the primary vehicles for digital signatures, which were set to play an enormous role in the e-commerce world of the 2000s. Certificate authorities maintain the private key, and therefore serve as the trusted agents behind these encrypted transactions. Certificates then carry an authority's stamp of approval wherever they travel, and recipients refer to that authority as the mark of trust to ensure that the given information is secure and the identity of the sender is sound. The authority legally binds an individual, or at least an individual computer, to a particular public key, and certifies that the certificate holder is officially recognized by a trusted third party.

Certificate authorities generally are run by corporations for their internal and external communications and transactions, or by commercial certificate authorities. For example, VeriSign, based in Mountain View, California, was a commercial authority that dominated the industry in the late 1990s and early 2000s. Certificate authorities determine the conditions of a certificate contract, including the duration of its activity, the breadth of privileges it affords, and the obligations of the certificate holder.

Certificates usually are issued for one year, although the duration can vary widely. Most authorities are wary of issuing certificates for longer periods because of concerns over long-term security in light of developing technology, the aversion to risk stemming from the trust of individual holders, and the desire to reap continued income from issuing new certificates. Certificates also can be revoked before their expiration date using a certificate revocation list (CRL), a list digitally signed and issued by the certificate authority that signals to recipients of digital certificates that a given user is no longer validated by the authority.

The certificate authority relationship extends beyond the one-to-many relationship between the authority and its certificate holders. Within a public-key infrastructure, certificate authorities are organized hierarchically, so that each authority lower in the hierarchy maintains a parent authority to verify its public key. This relationship becomes particularly crucial in business-to-business Internet transactions, in which companies need to share secured information using digital certificates for verification. In such cases, coordination and interoperability between certificate authorities are important to facilitate smooth interaction. The management of multiple certificates creates headaches and uses up valuable resources for a company. Thus, creating authority hierarchies in which certificate validity is smooth throughout the various levels was considered an optimal business solution.
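The three mechanisms the entry has described so far, a certificate binding a subject to a public key, a signed revocation list, and a hierarchy in which a parent authority vouches for a child authority, can be exercised end to end with nothing but the Go standard library. The program below is an added example written for this page, not code from the entry or from any of the authorities it names. It builds a self-signed root that signs an issuing authority, which in turn signs two subscriber certificates with the one-year term the entry mentions; the issuing authority then publishes a CRL revoking one subscriber, and a relying party checks both the chain and the CRL. All names, serial numbers and addresses (Example Root CA, alice@example.test and so on) are constructed for the example. It goes one step beyond the text: it also issues a certificate with the same name and serial from a root that the relying party does not trust, to show that the trust anchor, not the name on the certificate, decides the outcome.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// entity pairs a certificate with the private key that only its holder keeps.
type entity struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // setup failure: abort the demonstration
	}
	return v
}

// issue binds a fresh key pair to subject in a certificate signed by issuer (nil: self-signed root).
func issue(subject string, serial int64, usage x509.KeyUsage, issuer *entity) *entity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject}, // constructed sample subject
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour), // one-year term, as in the entry
		BasicConstraintsValid: true,
		IsCA:                  usage&x509.KeyUsageCertSign != 0, // an authority may sign certificates
		KeyUsage:              usage,
	}
	if issuer == nil {
		issuer = &entity{cert: tmpl, key: key} // a root signs itself
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer.cert, &key.PublicKey, issuer.key))
	return &entity{cert: must(x509.ParseCertificate(der)), key: key}
}

// verifyChain asks whether leaf chains through intermediate to a root the relying party trusts.
func verifyChain(leaf, root, intermediate *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// issueCRL has ca sign a revocation list naming the given serial numbers.
func issueCRL(ca *entity, serials ...*big.Int) *x509.RevocationList {
	var revoked []pkix.RevokedCertificate
	for _, s := range serials {
		revoked = append(revoked, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(24 * time.Hour), // after this the list must be refreshed
		RevokedCertificates: revoked,
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key))
	return must(x509.ParseRevocationList(der))
}

// isRevoked consults the CRL only after checking who signed it and that it is still current.
func isRevoked(crl *x509.RevocationList, issuer *x509.Certificate, serial *big.Int) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil || time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("refusing to use CRL: signature error %v, NextUpdate %v", err, crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// demo builds root -> issuing CA -> subscribers, revokes alice, and tries a rogue root's same-named certificate.
func demo() (chainOK, rogueOK, aliceRevoked, bobRevoked bool) {
	root := issue("Example Root CA", 1, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil)
	inter := issue("Example Issuing CA", 2, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, root)
	alice := issue("alice@example.test", 100, x509.KeyUsageDigitalSignature, inter)
	bob := issue("bob@example.test", 101, x509.KeyUsageDigitalSignature, inter)
	rogueAlice := issue("alice@example.test", 100, x509.KeyUsageDigitalSignature, issue("Rogue Root CA", 1, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil))
	crl := issueCRL(inter, alice.cert.SerialNumber)
	chainOK = verifyChain(alice.cert, root.cert, inter.cert) == nil
	rogueOK = verifyChain(rogueAlice.cert, root.cert, inter.cert) == nil
	aliceRevoked = must(isRevoked(crl, inter.cert, alice.cert.SerialNumber))
	bobRevoked = must(isRevoked(crl, inter.cert, bob.cert.SerialNumber))
	return
}

func main() {
	fmt.Println(demo())
}
```

Running it prints `true false true false`: the subscriber chains to the trusted root, the rogue root's certificate does not, and only the revoked serial appears on the list. Two design choices matter for a relying party. First, the chain is verified against a trust store the relying party controls, so the issuing authority is only believed because its parent is; a certificate that merely looks right is rejected when its root is absent. Second, `isRevoked` refuses to answer from a CRL whose signature does not verify against the issuing authority or whose `NextUpdate` has passed, because a stale or unsigned list would let a revoked certificate keep working. In deployment the list is fetched from the authority's distribution point rather than built in the same process.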

Moreover, authorities provide a mechanism for built-in fraud control, in that companies and individuals can trace the path of certificate authorities through which a transaction moved to determine where any mischief may have taken place. Upon discovering abuse of the certificate, the authority can immediately revoke the offending user's certificate. However, since certificate authorities are the trustees of signature security on the Internet, ensuring their own physical, personnel, and network security is a premium concern.

In the early 2000s, certificate authority models still had a number of wrinkles to be ironed out. In fact, one of the biggest obstacles to the public-key infrastructure was the lack of interoperability between certificate authorities and their certificates. As long as hierarchies remained incompatible over a tremendously wide network, the use of digital certificates for e-commerce was expected to be limited. The tremendous cost of establishing a public-key infrastructure, which can run as high as $1 million, prevented most companies from becoming in-house certificate authorities. Thus, these companies opted to outsource the management of their digital certificates to commercial authorities, which tailored the certificates to the companies' needs.

However, certificate authorities had a great deal of incentive to work with businesses and each other to create a seamless, compatible system. When digital signatures were officially recognized as legally binding by the passage of the Electronic Signatures in Global and National Commerce Act in 2000, the function of certificate authorities in the e-commerce world was taken up a few levels. As more and more transactions were readied to take place over the Internet, including Web-based banking, the secure validation of such transactions was among the remaining barriers to the floodgates of e-commerce, and certificate authorities held the keys to those gates.

SEE ALSO: Cryptography; Digital Certificate; Digital Signature; Digital Signature Legislation; Encryption, Public and Private Key