Who do you trust with PKI?

The first question to ask anyone trying to sell you online risk services is how much liability they will accept for trades undertaken using their digital certificates, says Bob Carter

Bob Carter

Opinion

Business has always been about the balance between risk and return on investment: what level of risk is an organisation prepared to expose itself to in return for wealth creation?

Digital certificate-based Public Key Infrastructures (PKI) are a means of managing the risk associated with online authentication, security and legal status. However, the way an organisation implements digital certificates can have significant implications for its corporate risk and liability models.

The question is: who is best able to authenticate you and your customers either in the physical world or on the Internet? Who should assess e-business risk and accept the associated liability?

A growing number of organisations are clamouring to be "trusted third parties" (banks, postal organisations, software companies and telcos), issuing and validating online identities. But what effect do these suppliers have on risk and liability?

Every certification authority must make its policies for issuing certificates explicit, in its certificate policy and certification practice statement: the level of security check performed to validate certificate applicants' physical identities, how long certificates remain valid, the rules that govern the revocation of certificates and so on.

Crucially, they must also state the liability they will accept for transactions underwritten using their certificates. It is these fundamental rules and processes that give a digital certificate and a PKI their business value.

If control over these rules is given away to an independent third party, so too is the ability to manage online risk and liability.

The first question to ask anyone trying to sell you services in this area is how much liability they will accept for trades undertaken using their digital certificates.

The other thing to bear in mind is that if you have business practices that are specific to your market, then even the most scrupulous of PKI providers may be unable to offer you any warranty assurances.

If they do not understand your market how can they vouch for those operating in it? This is why "closed" PKI systems that give control of the certification policy and the liability accepted for certificates to the organisation that owns the trusted relationships are the best option.

Providing a "closed" system that is specific to an industry or organisation means that the certificates are actually useful in a business context. For example, many companies already have trusted relationships they have built up over years of business, or they have their own criteria that must be fulfilled before they deal with people. Why would they want somebody else who doesn't understand their business sitting in the middle of all that and charging them for the privilege? Yet this is what some vendors and organisations are peddling.

In summary, the usefulness of certificates is tied directly to the business models that underlie the various solutions being offered.

It is all a matter of trust, not just of those you are trading with but also those who will claim to vouch for whoever you are trading with. In the final analysis the key issue is one of liability and this should be foremost in the minds of all organisations buying certification services.

Bob Carter is managing director of PKI specialists De La Rue InterClear
