Asia-Pacific III 2001
Promoting Secure Electronic Transactions in Developing Countries
Director of Business Operations
As the use and abuse of the Internet have expanded, so has the need to provide security and certainty between users. Miguel Jimenez, Director of Business Operations at WISeKey, a joint venture with the ITU, here shows how this independent Swiss organisation is undertaking the difficult business of certification of Public Key Infrastructures worldwide. Having started with big entities in developed countries, the emphasis now includes Electronic Commerce for Developing Countries in an effort to overcome the digital divide.
The present article introduces PKI technology infrastructure and applications. It centres on the PKI trust model and PKI deployment strategy and the role the EC-DC project plays in it, with special reference to Asia.
Our Vision
WISeKey’s (World Internet Security Key®) vision is to contribute to the establishment of a global ‘WiseMarket’ where the Internet will be transformed into a reliable and fair tool for conducting secure electronic transactions, providing for sustainable development, through substantial increase in productivity and innovation, worldwide. We address this through the achievement of two central objectives:
o Provision of cross-recognition and interoperability for high-level authenticating Certification Authorities world-wide, through WISeKey ROOT certification services for Public Key Infrastructures (PKI).
o Promotion of massive usage of certification and PKI-enabled applications in order to secure the Internet for e-business through both authentication and authorisation of Internet users.
However, due to the lack of economies of scale, the cost of implementing PKI has until now been high. As a result, PKI has remained a solution almost exclusively limited to big entities in developed countries. Consequently, it is currently developed in isolated islands of Trust providing limited functionality for the use of digital certificates. WISeKey has developed an affordable solution ensuring cross-recognition and interoperability for digital certificates issued by present and future Certification Authorities. This will ensure the rapid development of high-value services for end-users over the Internet. As part of its strategy to promote the use of PKI through umbrella organisations, WISeKey has signed a partnership agreement with the International Telecommunication Union (ITU).
This partnership aims to promote the deployment of PKIs in Developing Countries and Countries in Transition, in order to expand the use of secure electronic communications and to overcome the digital divide. It also includes a Trust Fund, supplied with a share of WISeKey’s revenues, with the purpose of financing the development of the infrastructure in these countries.
PKI Infrastructure and Applications
The main purpose of the PKI infrastructure is to issue, manage and revoke digital certificates. Digital certificates associate the identity of a person with a virtual identity. The fundamental responsibility of the PKI infrastructure is to vouch for the correspondence between these two identities. Rules and procedures to be followed for operating a PKI infrastructure are defined in the WISeKey Certification Practice Statement (CPS), which ensures a common quality basis for the international and cross-sector interoperability of digital certificates. The more PKI-enabled applications are available for users, the higher the value of their digital certificates. PKI-enabled applications serve to perform a combination of the following tasks:
· Identity / authentication,
· Privacy / encryption and decryption,
· Message integrity / tamper detection,
· Non-repudiation,
· Global interoperability.
These properties are used in a broad variety of applications, including:
· Secure e-mail is the basic point-to-point PKI application;
· Secure e-forms are used for eliminating the need for paper-based processes and for capturing intelligent information electronically;
· Secure time stamp is the electronic version of time stamps in paper form, such as postmarks. It seals an electronic document with the legally valid time and proves that a digital record was made and that it has not been changed since that time.
New Economic Paradigm for Digital Economy
Online validation of all client digital certificates and secure single-sign-on authentication empower PKI-enabled portals to operate a shift from current economic models emphasising promotion and advertisement (mainly cost centres for corporations and public entities) to a profit centre model based on pay per service and pay per transaction, and to support a wide variety of applications requiring confidentiality and security in communications and transactions. In terms of market scope, this means that any customer around the world with a WISeKey-compliant digital certificate will enjoy secure access to the PKI-enabled portal and that the profit centre model can be used for supplying information and services previously delivered through Intranets or through restricted areas of Extranets. A shift to a profit centre model for e-services implies new economic sustainability for the digital economy. As a consequence, use of certification and digital signatures in electronic environments will lead to a considerable expansion of markets related to the provision of information content over the Internet, business services and associated technologies. As a point of reference, all information contained in the World Wide Web currently amounts to 4 terabytes, an amount equivalent to no more than 5% of information available at the US Congress Library.
Trust Model
Across all cultures, certification of persons has always been achieved by institutions that enjoy people’s confidence. There is no reason why digital certification should obey different rules. As a result, any imposed and centralised global digital certification scheme is, in our opinion, bound to fail. Therefore, WISeKey uses existing Trust Parties through digitising their current processes and empowers them to operate the shift from analogue to digital trust.
In order to achieve this objective, these entities will issue users with electronic passports to verify their identity, through operating a Certification Authority. The neutrality of the common root is also ensured against any economic pressures on WISeKey because a Swiss law foundation owns it. Moreover, this foundation serves as controller and issues guidelines for root management that WISeKey must follow, thus avoiding any temptation of unilateral management by WISeKey itself. The Trust Model is reinforced by a multilateral system for decision-making and control ensured by the foundation. Foundation members are public and private sector entities that:
· either participate in the global PKI (directly or indirectly)
· or represent a public interest in the field of electronic communications and information security.
The Foundation is the competent organ for establishing operative principles and rules being implemented by WISeKey and constitutes a forum for international co-operation aiming:
· to harmonise standards for accreditation, licence and cross-recognition of certification products and of digital signatures and PKI audit practices, and
· to promote good practices aimed at preserving, at the same time, the need for national security and defence of public interest and citizens’ privacy and the required confidentiality for the functioning of the private sector.
From a technology perspective, WISeKey acts strictly as a technology integrator. The WISeKey Expert Group, which includes IT and professional services providers and the ITU, ensures technological neutrality in products and services development. This is a non-exclusive group and is open to any company providing value to the products and services offered by WISeKey.
In summary, the WISeKey Trust model is based upon the following elements:
· political neutrality based on non-single Government trust delegation (ITU partnership), Swiss neutrality and multilateral system for management and control of the ROOT key;
· expansion based on PKI promotion to already existing trust communities and on a systematic search for inter-operability;
· search of global interoperability through consensually agreed high security world standards; and
· technological neutrality.
The EC-DC project
The partnership between WISeKey and the ITU was signed in 1999 with the aim of promoting the use of PKI technology in developing countries. This collaboration takes place in the Electronic Commerce for Developing Countries (EC-DC) programme framework. This is an ITU project where WISeKey’s role is to serve as technical implementor and common Root services provider. In order to fulfil its duties, WISeKey has developed a Certification Authority (E-Commerce PKI) for the incubation of PKI projects in developing countries channelled through the EC-DC programme. WISeKey’s approach in this programme aims to provide entities in developing countries with the benefits of issuing digital certificates to their respective communities without having to bear the cost of implementing a full Certification Authority. The objective here is that EC-DC projects serve as incubators so that entities get familiar with the technology and operate economically sustainable operations in order to gradually migrate to becoming Certification Authorities. The technological solution that fulfils this objective is the establishment of Registration Authorities, called ‘Bronze Service Provider’ in WISeKey’s jargon.
The essential functions Registration Authorities perform include:
· Identification of end-users;
· Secure Cryptographic Key Pair Generation;
· Requesting the issuance, renewal, suspension and revocation of certificates;
· Maintaining archives of their operations, including the documentation presented by certificate applicants;
· Local training on information security and the use of public key certificates;
· Distribution of certificates, PIN letters and key pair storage devices to their customers.
The pilot phase (July 2000 – July 2001) for this global PKI deployment included two main periods.
a) The July 2000 – December 2000 period was devoted to conducting the following tasks:
· identifying potential Registration Authorities in Developing Countries,
· training of about 50 operators in Geneva during the WISeWorld2000 Conference in November 2000, and
· testing the software system for Registration Authorities in 10 selected Developing Country entities.
This first period involved 250 entities from developing countries with the following sector distribution: Government 19 per cent; Chamber of Commerce 33 per cent; Export Promotion bodies 12 per cent and IT companies 36 per cent. Twelve per cent of these entities came from Asia, including the following countries: Bangladesh, Cambodia, China, Fiji, Korea, Malaysia, Maldives, Mongolia, Nepal, Philippines, Samoa, Singapore, Sri Lanka, and Vietnam.
The second period of the pilot phase (January 2001 – July 2001) centred on drawing the lessons of test implementation and, consequently, on developing a robust and user-friendly technical solution for such a dispersed and wide-ranging global PKI deployment.
The experience of the pilot phase identified the following fundamental needs:
· integration of an independent audit and the training of the Registration Officers;
· minimisation of problems arising from installation of the system due to lack of standardisation in local configurations and corresponding hardware;
· reduction of the global support maintenance costs; and
· integration of a wide range of smart card and token solutions without changing anything on the installation, providing more flexibility to the customer.
As a result, WISeKey has developed a pre-configured workstation for a Registration Organisation designed to provide the most cost-effective way to benefit from PKI technology and avoid implementation delays and inter-operability problems. The package also includes support, training, audit and system upgrades. WISeKey is now entering the full deployment phase that will allow Registration Authorities in developing countries to issue digital certificates to their communities and clients. The objective is a continuous improvement of services available through, for instance, the provision of new standardised applications such as e-voting or e-bidding, and the hosting in a WISeKey established PKI-enabled portal (truste-portal.com) of Registration Authority web pages as a way of securely promoting their services on a global scale and migrating to their own secure interactive digital platform.
The World Internet Security Infrastructure and the Electronic Commerce for Developing Countries (EC-DC) Programme are jointly developed by the ITU and WISeKey.