Digital certificates are the key to e-security

Do you know any firms that negotiate and close multimillion-pound deals using just e-mail and the public internet? Neither do I.

So why are so many industries, governments and financial organisations suddenly keen to trade information and money over the internet?

The answer lies in a technology called Public Key Infrastructure (PKI), which uses digital certificates and cryptography to bring trust and security to the internet. It also deters people from setting up impostor websites, falsifying e-mail identities and altering electronic paper trails.

At the moment firms would much rather carry out serious business on the phone or face to face, even trotting right across the globe to close a deal with a handshake and a glass of wine. But the argument goes that they can save time and money by using personal digital signatures instead, issued and managed by a trusted authority such as a bank or government, along with cryptography to encrypt the information exchanged.

PKI systems work by generating a unique pair of keys for each party: a public key that can be freely distributed, and a private key with which the recipient can decrypt a financial transaction or other information that was encrypted for them. Separately, a certificate is issued for each trader by the trusted third party. This validates the trader; makes the transaction legally binding (European law now recognises certificates); and allows financial recourse if something goes wrong.
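The mechanics described above, as an added example that is not part of the original column: a bank acts as the trusted third party and issues a certificate for a trader; a counterparty then accepts a signed transaction only if the certificate chains back to the bank and the signature matches. The bank and company names, the transaction text and the choice of Ed25519 keys are constructed for this illustration; only the Go standard library is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newIdentity makes a key pair and a certificate binding name to its public half; issuer == nil gives a self-signed root (the bank).
func newIdentity(name string, issuer *x509.Certificate, issuerKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if the system RNG does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: issuer == nil, BasicConstraintsValid: true}
	if issuer == nil {
		issuer, issuerKey = tmpl, priv // a root has nobody to vouch for it, so it signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert, priv
}

// Verify accepts msg only if trader's certificate chains to root AND sig was made by the key that certificate names.
func Verify(root, trader *x509.Certificate, msg, sig []byte) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := trader.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	pub, ok := trader.PublicKey.(ed25519.PublicKey)
	return err == nil && ok && ed25519.Verify(pub, msg, sig) // untrusted issuer or wrong signature: reject
}

// Scenario: a genuine deal, the same signature on an altered deal, and an impostor with a self-issued certificate.
func Scenario() (genuine, tampered, impostor bool) {
	bank, bankKey := newIdentity("Example Bank CA", nil, nil)           // the trusted third party (constructed name)
	trader, traderKey := newIdentity("Acme Trading Ltd", bank, bankKey) // vouched for by the bank
	fake, fakeKey := newIdentity("Acme Trading Ltd", nil, nil)          // same name, nobody trusted issued it
	deal := []byte("pay GBP 2,000,000 to ACME") // constructed sample transaction
	sig := ed25519.Sign(traderKey, deal)
	genuine, tampered = Verify(bank, trader, deal, sig), Verify(bank, trader, []byte("pay GBP 9,000,000 to ACME"), sig) // altered amount
	impostor = Verify(bank, fake, deal, ed25519.Sign(fakeKey, deal))
	return
}

func main() { fmt.Println(Scenario()) } // true false false
```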

A number of vendors, such as Oracle, Microsoft and Cisco, already sell PKI solutions, and security firms like Entrust, Baltimore and Verisign supply PKI tools and services. The argument against such solutions is that they can be expensive and complex to implement, have no easily measured financial return and may not work with other people’s certification systems. The number of parties taking part in the PKI process has also been criticised: the chain of trust is only as strong as its weakest link.

But there is a major cross-industry initiative to make PKI more attractive, which means firms do not have to buy the infrastructure. This has been a barrier to entry for all but governments and banks. Identrus is a banking and cross-industry PKI and smart card initiative that may boost adoption of this whole thing. It is backed by the European Commission, and dozens of banks such as Barclays, HSBC and Lloyds TSB as certificate issuers.

You can expect them to knock on your firm’s door very soon, to ask if you want to join the party. Someone else knocking on your door might be Consignia, formerly the Royal Mail, which plans to hand out certificates of its own to firms and consumers next year.

Will firms stop closing deals with a handshake and a glass of wine? I doubt it.

Arif Mohamed is News Editor of IT Week