Public Key Infrastructure (PKI) Proposals and Positions. E-Commerce. Presented by Maria Angelica Fleetwood, Fawn Else, Marjan Shallal, Pamela Hawe.
Tomorrow… “Do you want to test whether a people is given to industry and commerce? Do not sound its ports or examine the wood from its forests or the produce of its soil. The Spirit of trade will get all these things and, without it, they are useless. Examine whether this people’s laws give men the courage to seek prosperity, freedom to follow it up, the sense and habits to find it and the assurance of reaping the benefit” Alexis de Tocqueville
What is Globalization? IMF Definition: • Integration of world economies through trade and financial flows • Refers to the movement of people (labor) and knowledge (technology) across international borders • A result of human innovation and technological progress Global Trading System (GTS) = f(MTS, DTS)
Trading System Components. Conventional MTS (Uruguay Round, 1995): • GATT – Goods • GATS – Services • TRIPS – Intellectual Property Rights • MFN and National Treatment • WTO • Dispute Settlement Mechanism. New DTS (E-Business, 2001): • Most Favoured Network & Network Treatment • P2P • Cyber Dispute Resolution • Bits • Encryption • DRM (United Nations)
Trading System Evolution (diagram): three stages, MTS Uruguay Round 1995 (International Trade) → DTS E-commerce 2001 (E-Commerce) → DTS Cyber Business 2005 (Cyber Business). United Nations. • Dispute Resolution: DSU (WTO) → ADR (ICC, OECD) → CDR • Secure Transaction: signature, VAN → e-signature, PKI, CA → DRM • Data Exchange: documents, EDI → EDI, Web → XML, XSL
What is E-Commerce? WIPO Definitions: • Electronic. The term "electronic" can be taken to refer to the global infrastructure of computer and telecommunication technologies and networks upon which the processing and transmission of digitized data takes place. • Commerce. The word "commerce" in this context refers to an expanding array of activities taking place on the open networks – buying, selling, trading, advertising and transactions of all kinds – that lead to an exchange of value between two parties. "E-commerce services are the silver bullet that will enable companies to take advantage of the true business opportunities on the Web." Traci Gere, Analyst, The New York Times
Types of E-Commerce Activities (matrix of initiating party × counterparty: Government “G”, Business “B”, Consumer “C”). Government: • G2G – coordination, transactions between G departments • G2B – public procurement, trade procedures (customs), patents • G2C – child support, student benefits, senior citizens. Business: • B2G – government procurement, corporate income and sales taxes • B2B – e-commerce between businesses (Internet, intranet, extranet, EDI) • B2C – e-commerce in consumer markets (Internet sales, interactive TV, etc.). Consumer: • C2G – e.g., tax compliance, income taxes • C2B – price and other comparisons (“Priceline” bidding) • C2C – auction markets (“eBay auctions”)
Examples of E-Commerce: VeriSign teams with eBay to verify users (ITworld.com, 5/8/02)
E-Commerce Architecture (diagram): the Public Domain (Business, Citizens, Public Services) reaches a Collaboration Hub through a browser over HTTP, UN/EDIFACT over a VAN, and XML Message Services; inside the hub, process integration adapters connect Process Applications, an ERP/Transaction system and a Job Shop System; the hub also exchanges XML with the Dispute Settlement Mechanism, Financial Services and Information Services.
E-commerce Needs Secure Transactions Without security would there be e-commerce? • Establish trust relationships among customers, business partners and employees • Provide security for applications and environments • The most secure technology platform • Non-repudiation • Integrity • Authentication • Confidentiality • Availability
Enter Public Key Infrastructure • Public-key infrastructure (PKI) is the combination of policies, software, encryption technologies, and services that enables enterprises to protect the security of their communications and business transactions on the Internet • PKIs integrate digital certificates, public-key cryptography, and certificate authorities into a total, enterprise-wide network security architecture • Public key cryptography ensures the confidentiality of sensitive information or messages by using a mathematical algorithm with one key to scramble (encrypt) data, and a related but different key to unscramble (decrypt) it.
PKI Protects Information Assets • Authenticate identity - Digital certificates issued as part of PKI allow individual users, organizations, and web site operators to confidently validate the identity of each party in an Internet transaction. • Verify integrity - A digital certificate ensures that the message or document the certificate "signs" has not been changed or corrupted in transit online. • Ensure privacy - Digital certificates protect information from interception during Internet transmission. • Authorize access - PKI digital certificates replace easily guessed and frequently lost user IDs and passwords to streamline intranet log-in security - and reduce the MIS overhead. • Authorize transactions - Enterprises can control access privileges for specified online transactions. • Support for non-repudiation - Digital certificates validate their users' identities, making it nearly impossible to later repudiate a digitally "signed" transaction, such as a purchase made on a web site.
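As an added example, not part of the original slides, the three claims above (authenticate identity, verify integrity, support non-repudiation) reduced to code using only Go's standard library: a root CA issues a certificate to a merchant, the merchant signs an order, and the verifier accepts the order only if the certificate chains to the trusted CA and the signature matches the bytes exactly. The CA name, merchant name and order contents are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// IssueCert generates a P-256 key and a certificate for cn. A nil parent yields a
// self-signed root CA; otherwise the CA's parentKey signs, vouching for cn's public key.
func IssueCert(cn string, isCA bool, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA} // verifiers refuse issuers that are not CAs
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the root CA vouches for itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SignTransaction is the merchant's detached ECDSA/SHA-256 signature over the order bytes.
func SignTransaction(key *ecdsa.PrivateKey, tx []byte) ([]byte, error) {
	h := sha256.Sum256(tx)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// VerifyTransaction checks identity (chain to the trusted CA) then integrity (signature over tx).
func VerifyTransaction(root, signer *x509.Certificate, tx, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return err // certificate was not issued by a CA we trust, or has expired
	}
	return signer.CheckSignature(x509.ECDSAWithSHA256, tx, sig)
}
```

A single changed digit in the order, or a certificate the trusted CA never issued, makes VerifyTransaction return an error; that is the mechanism behind the "integrity" and "non-repudiation" bullets above.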
Benefits of PKI • Time Savings - Use of electronic processes and digital signatures can reduce the time required to process information collections from sources inside or outside the agency • Cost Savings - The long-term cost of performing agency business may be reduced as a result of decreased transaction time and cost, increased accuracy and productivity, or operating costs associated with paper-based systems • Enhanced Service - The availability and accessibility of agency processes to users inside the agency, to the public, and to other outside entities is enhanced. The strong authentication, which digital signatures provide, allows the agency to supply broader service and to promote Administration goals and objectives to a wider audience. • Improved Quality and Integrity of Data - With electronic processes using digital signatures, the quality and integrity of data collected are substantially improved
Risks of PKI • Standardization – No federal or international standard. • Fraud - Concerns have been expressed that the use of digital signatures in lieu of paper signatures will make it more difficult to prosecute individuals seeking to defraud the Government. Some people say that an individual who wishes to defraud an agency may submit a fraudulent claim for benefits, but that individual’s signature on the paper embeds what are called “biometric” or “forensic” elements unique to the individual. • Service Failure or Shortfall - An important goal of using electronic processes with public key technology is to ensure parties seeking Government services get those services quickly, efficiently, and with trust. But a service failure or shortfall having an adverse effect on an agency’s ability to meet its legal obligations can result from factors such as poor design or implementation of the software providing or using the public key technology, or inadequate training of the service providers or users. • Liability - Whenever a Federal agency interacts with outside parties, it must face the question of how its actions make it legally liable to affected parties. The use of public key technology is no different in this respect from the use of other technologies.
Simple PKI model (diagram: action and response between the transacting parties)
WTO and E-commerce Chronology • The Geneva Ministerial Declaration – adopted 20 May 1998 • Adopted a declaration on e-commerce • Established a comprehensive work programme • Members will continue their current practice of not imposing customs duties on electronic transmissions • The Doha Ministerial Declaration – adopted 20 November 2001 • Acknowledged progress and the complexity of issues for three types of transactions on the Internet: • Transactions for a service which is completed entirely on the Internet, from selection to purchase and delivery. • Transactions involving “distribution services”, in which a product, whether a good or a service, is selected and purchased on-line but delivered by conventional means. • Transactions involving the telecommunication transport function, including provision of Internet services. • Members will continue their current practice of not imposing customs duties on electronic transmissions • Seminars on e-commerce in 1999, 2001 and 2002 intended to provide input to Committee considerations • Progress reports
Obstacles in Developing Countries • Poor Information and Communication Technology (ICT) infrastructure • High cost of access and hardware • Low income • Lack of awareness on e-commerce and e-business issues • Inadequate legal and regulatory framework • Absence of trust, network payment and secure transaction services • Entrepreneurs prefer their “traditional way” of doing business • Lack of adequate banking infrastructure
Proposal from EU. "Businesses and people using the web can now feel more confident knowing that e-signatures will be admissible in a court of law should a dispute arise" – Dept of Trade and Industry at the 2001 Electronic Signature Summit • The Electronic Signature Directive is a European framework for the development of electronic commerce • Directive’s main elements: • Legal recognition • Free circulation • Liability • A technology-neutral framework • Scope • International dimension
Proposals from Developing Countries • Reduce the setup and operational costs for businesses, increase the potential for sustainability, and create an environment that will encourage the development of the ICT infrastructure. These objectives could be achieved using the following strategy: • Target the businesses in the supply industry with trading partners in industrialized countries where there is an adequate ICT infrastructure and payment services. • Reduce the requirements for participating in e-business by separating the trust and secure-transaction services from the network payment services. • Build a scalable e-business commerce infrastructure that would be shared by multiple independent businesses, and integrate this infrastructure into the existing ICT infrastructure in developing countries. • Provide a mechanism to enable the transfer of e-business technologies and increase public awareness.
Proposals from Institutions • Organization for Economic Co-operation and Development (OECD) • Culture of Security • ITU • Electronic Commerce for Developing Countries (EC-DC) – partnership with WISeKey • United Nations • UNCITRAL's Model Law on e-Signature • ebXML/OASIS • UNECE E-Transition Programme
United States PKI Programs • USA Patriot Act • Bill passed Oct. 2001 relating to online activities and surveillance • Smart Card Specifications • National Institute of Health - Interoperability Project • RFI for the E-authentication Program • Digital Signatures to Secure E- Transactions • Unions File Annual Reports Using Digital Signatures • Federal Public Key Infrastructure Steering Committee • The establishment of a single cross-government, ubiquitous, interoperable public key infrastructure used by all 80 agencies and 19 departments • The development and use of applications which employ PK
Conclusion • Resolve standards issues • Train IT professionals • Decision-makers need to be aware of the importance of information and communication technologies • Policies to facilitate the development and the use of these technologies. • Developing countries need to address issues related to the operation and procedures for CAs and RAs.
Sources • http://www.wto.org/english/tratop_e/ecom_e/ecom_e.htm • http://www.imf.org/external/np/exr/ib/2000/041200.htm • http://www.online-commerce.com/ • http://gits-sec.treas.gov • http://www.pkilaw.com/ • http://ecom.ic.gc.ca • http://www.counterpane.com/pki-risks.html • http://csrc.nist.gov/pki/twg/twg99_7.htm • http://www.dsv.su.se/~kasun/securitybookmarks.html • http://www.futurecompany.co.za/2001/05/11/covstory.htm • http://www.teledotcom.com/article/TEL20000823S0034 • http://www.apconnections.com/perspective/99-8.html • http://www.verisign.com/corporate/calendar/past_speaking.html • http://www.dstc.qut.edu.au/MSU/projects/pki/ • http://ecommerce.wipo.int/index.html • http://csrc.nist.gov/publications/nistpubs/800-25/sp800-25.pdf • http://www.cio-dpi.gc.ca/pki-icp/pki-in-practice/efforts/2002-07/scan-analyse06_e.asp#_Toc19584718 • http://www.hipaadvisory.com/tech/pdfs/PKI_Brochure.pdf • http://www.privacy.gov.au/publications/dpki.html • http://www.epic.org/privacy/terrorism/hr3162.html