September 8, 1997

Can You Trust Digital Cer tificates? By Jon Pepper igital certificates may be the solution to Internet-commerce security issues. Internet commerce continues to be plagued by security doubts. Ironically, the very things that make the Internet so appealing-its ease of use and universal access-are also what cause so many IS managers to feel leery. They worry mainly about exposing their corporate accounts while doing business on the Net. The idea behind digital certificates is relatively simple, even if the underlying technology is not. Think of the certificates as the Web version of an old-fashioned letter of credit and letter of introduction rolled into one. The certificates are issued by a certificate authority that undertakes the verification process-not unlike the way a passport or credit-card issuer provides assurances as to the identity or solvency of the holder. Digital certificates have three advantages over passwords and other current methods of verification. First, they're easier to use. Second, since they're based on an encryption protocol, certificates can't be "stolen" online the way passwords and credit-card numbers can. Third, digital certificates can be authenticated to various levels, much as a bank line or letter of credit can be. That lets two companies or individuals who have never met nonetheless enjoy a high level of trust over the Internet. "You end up with instant and in-depth vetting-and the high degree of trust that goes with that," says Charles Cresson Wood, an information-security consultant with Baseline Software Inc. in Sausalito, Calif. "The digital certificates vouch for your identity over the Net." Get SET To Go Already, numerous protocol issues have been worked out, including SET (Secure Electronic Transaction). Backers of this digi tal certificate technology include heavyweights such as Cisco Systems, Hewlett-Packard, Microsoft, and Netscape Communications. So this technology is ready for widespread use, right? Not so fast. Several issues remain to be resolved. Not the least of them: How do you trust the issuing authorities? In theory, anyone could become an issuing authority. So if a company is doing business with an overseas firm, and that firm has a digital certificate issued locally, is that trustworthy? Whom to trust is a major issue, but it could disappear soon. Visa International, MasterCard, and the U.S. Postal Service, among other major issuing authorities, are stepping in. Another glitch is the lack of interoperability among various Web browsers. But again, that issue should be resolved soon. Microsoft, Netscape, and others intend to provide seamless transactions and include this technology in their browsers. So, while digital certificates are important now as a gateway toward real Internet commerce, they wi ll be even more important once some minor roadblocks are smoothed out. Ultimately, the technology could bring truly secure and anonymous commerce among partners regardless of whether they have ever met. "This is going to be a very important part of the virtual world," says Steve Herz, senior VP of electronic commerce at Visa in Foster City, Calif. Herz says the whole concept of authentication is crucial for Internet commerce to succeed, and he adds that digital certificates will function as a virtual representation of the trust that most businesses and individuals now place in their credit cards. Herz says, "We really need authentication so that people have the same trust online as they do in the real world." Back to News in Review Send Us Your Feedback Top of the Page

---