The authority over certification authorities

AUTHOR

Micha Ren (Poland)

ABSTRACT

The main thesis of this paper is the following:
The faults usually associated with ICT can be mostly attributed to friction between ICT and old way of doing things. Where possible, it is beneficial to change all parts of the system to the “new way” rather than part-by-part. New legislation regarding digital signatures will allow for that step to be taken in many areas of everyday life. Digital signatures create the problem of certification of identity, and the development of certification agencies must be closely monitored.

Information and communications technology was often accused of being a snake, eating its own tail – the whole industry producing no more than it is consuming. [1] Counting strictly by amount of money produced this may be true, but there remain things not accounted for, parts of everyday life that would not have existed at all without new technologies. In most stores one can pay with a credit card – inconceivable thirty years ago. Of course, this development has given rise to new kinds of fraud – there are many horror stories about credit card numbers used for remote transactions. This is the result of friction between the real world, “brick and mortar” part of the system, and the digital, intangible part. Credit cards are susceptible to fraud because they merely give access to money – they are not the money themselves. It would be possible to devise a system of secure, untraceable, and almost impossible to forge (certainly much harder than traditional bills) digital cash. [2] But not all aspects of everyday life can exist without their “brick and mortar” parts. The ICT industry is in the stage of figuring out what can be done with technology – what can be transferred from “brick and mortar” to digital, and in what ways can digital do better.

The dream of paperless office has remained but a dream for decades. Now, this may change to an extent. The amount of electronic data exchanged in high-tech companies is already high, but for some things, paper is still indispensable. One reason is technological – there is no suitable display medium which is cheap, light, flexible and high-contrast. This obstacle will be surmounted, as it only requires refinement of existing technologies; in fact, this is happening now. [3] Another, more interesting reason is that no electronic document carried legal weight (except, perhaps, as evidence) until recently. Now, however, more and more countries create laws which acknowledge electronic signatures. That law is very important for the ICT industry. Some countries, Poland included, went as far as to state that electronic and traditional signatures will be treated equally. This is a very simple statement, but it is said that the devil is in the details, and indeed the most important part of those new laws is laying out the requirements that the digital signature must fulfill in order to be considered valid.

There emerges the most difficult part – that of certification. The digital signature is superior to a normal one – it depends on the document being signed, so it can’t be extracted and copied. However, the signature has no connection to the person signing it, contrary to handwriting, which can be recognized as belonging to an individual. A digital signature is just a piece of data, and it is of extreme importance to be able to assert: “that piece of data could only be generated by the individual named …” – something that can be accomplished by certification. [4] All digital signatures are created based on a secret, that only the signer possesses. A certification authority must exist which will vouch that a particular secret is indeed in possession of a particular individual – that too, is handled by digital signatures, but the signature of the certification authority is assumed to be well known. This function could be handled by the government, much like issuing passports or ID cards. It could also be handled by private companies, which could be certified by the government itself. Finally, it could follow a web of trust model, such as found in PGP [5]; however, this is unlikely since the trust in the certificate of authenticity can only go as far as trust in the certification authority.

And that is where the problem lies. If all countries found their own certification agencies, will every signature be trusted? Will every certification carry the same weight? I do not believe that USA and Principality of Sealand will be given equal treatment – in the USA, anyway. It is likely, however, that the pressure to be able to participate in the global economy will force, not necessarily official, but de facto “standard” – one certification authority – a country or entity, which will be fully trusted. Unsurprisingly, the most likely country for that role is the USA, or an organization existing in the USA. And a country which controls this supreme certification authority will gain an advantage – it will be easier for its agents to assume false identities. The question of “whom can you trust” is easy to answer at the country level (as the governments already issue “proofs of identity”, but between countries, it is not trivial.

REFERENCES

[1] Gogo³ek, W³odzimierz, (2000), “Mity i rzeczywistoœæ Internetu.” conference materials from “INTERNET – Wroc³aw 2000″ (in Polish).

[2] M. Kuty³owski, W. Strothmann, “Kryptografia. Teoria i praktyka zabezpieczania systemow komputerowych.”, Read Me 1999 (in Polish)

[3] “The Electronic Paper Chase”, Steve Ditlea, Scientific American 11/2001, also online at http://www.sciam.com/2001/1101issue/1101ditlea.html

[4] A. Menezes, P. van Oorschot, S. Vanstone, “Handbook of Applied Cryptography”, CRC Press, 1996, also online at http://www.cacr.math.uwaterloo.ca/hac/

[5] “The International PGP home page”, online at http://www.pgpi.org/

Comments are closed.