
The year 2000 has arrived, and I'm still waiting for the other public key infrastructure shoe to drop. PKI, technology for establishing a secure method of exchanging information, has been attracting attention in the business-to-business space for some time now, but there's little or nothing for consumers to experience.
When will one of the big retail sites offer digital certificates to customers instead of--or in addition to--user names and passwords? No one's done it in the United States yet, but some of the big-name retailers, banks, brokerages, and other financial concerns are certainly preparing for this eventuality. Microsoft is even playing the wait-and-see game. On one hand, it's releasing Windows 2000 with a number of sophisticated server components for PKI. But as far as PKI on the Windows 2000 desktop is concerned, Microsoft has been relatively quiet. Even its Windows 2000 PKI technical white paper humbly concedes that "Public Key Infrastructure-based security is relatively new, and there are very few case studies of actual PKI deployment." Duh!
PKI Awareness
Digital certificates are sometimes compared to a driver's license, which isn't a bad analogy. Like a driver's license, a digital certificate will verify your identity and will include additional information. A birth date, state of issuance, and some other personal data are typical for a driver's license, but a digital certificate can contain other bits of data. It was recently pointed out to me that a driver's license is only legally valid as verification of your right to operate a motor vehicle. The fact that it's used for other purposes (age verification at nightclubs, identity checking at banks and airports) is a strictly unofficial use that has arisen mainly because of the trust businesses have in the authorities that issue and manage driver's licenses.
Lots of companies are experimenting with PKI, and my guess is that more than a few online sites are ready to roll with their PKI implementations by issuing and managing digital certificates. But they're all waiting for something. A few more standards? The right market spin? No one's talking because there's a lot at stake. A major failure on the business-to-business side wouldn't necessarily derail PKI. Businesses know they need PKI's authentication capabilities and that technical problems, no matter how annoying, can be dealt with. But a major security gaffe with consumers could shut down PKI operations in a heartbeat, and consumers aren't very forgiving when their money or online conveniences are compromised.
A Look Ahead
There isn't this kind of trust in digital certificate authorities yet, so, at first, certificate use and verification will remain in the domain of the businesses that issue them. A digital certificate issued by Amazon.com will only be used at Amazon.com. It won't, and can't, be used at other sites. While initially the pile of user names and passwords that customers have been using for different sites will likely be replaced by a single password and a pile of digital certificates (one issued by each online site you frequent), future E-commerce scenarios will, I hope, be much simpler. As trust builds and people become more at ease with the use of certificates, cross-certification agreements between businesses could reduce the number of certificates users need. Eventually, there could be the equivalent of a digital credit card, probably in the form of a smart card with your private key, or keys, on it, as well as other critical information. When that time rolls around, I'm also hoping that advanced security techniques will be used in case of theft.
I spent New Year's in Mexico and was impressed with how quickly AT&T canceled my calling card when I started using it from within Mexico to make long-distance phone calls to the United States. The company's monitoring software quickly noted that I live in the United States and that my calling card had never been used outside of the country. AT&T actually left a message on my home answering machine telling me that someone might be using my calling card fraudulently and that I should call them to verify that everything was OK. When I didn't (hey, I was on vacation), they canceled the card within 24 hours. Similar techniques could be used to note fraudulent use of digital certificates.
End Note
I'm still confused by some certificate-management details, but I'd like to think I've helped clear the air about PKI just a little bit. I wrote a column about PKI in June where I mentioned that the PKI vendors need to band together to help customers break through some of the marketing obfuscation and technical barriers. I suggested the vendors form a PKI Forum, and I recently discovered that such an organization has, indeed, been formed (http://www.pkiforum.org). I'm not sure if I was even partially responsible for the creation of that organization, but I'm glad it's around, and I hope its members help enlighten the IT community.
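The calling-card monitoring the column describes, applied to certificate use, as an added example that is not part of the column or any vendor's product: a per-certificate baseline of countries, an alert on the first use from a country never seen before, and revocation if the holder does not verify within 24 hours. The CertUsageMonitor class, the cert-42 identifier and the dates are constructed for illustration.

```python
from datetime import datetime, timedelta

class CertUsageMonitor:
    """Per-certificate usage baseline with an alert, verify, revoke flow.
    Hypothetical model of the column's calling-card monitoring, applied to
    client certificates; not any vendor's product."""
    def __init__(self, verify_window=timedelta(hours=24)):
        self.window = verify_window
        self.countries = {}  # cert_id -> countries this certificate has been used from
        self.pending = {}    # cert_id -> (suspect country, verification deadline)
        self.revoked = set()
        self.alerts = []     # messages that would go to the holder

    def enroll(self, cert_id, home_country):
        self.countries[cert_id] = {home_country}  # initial baseline: home country only

    def record_use(self, cert_id, country, when):
        """Classify one authentication attempt: 'ok', 'alert', 'pending' or 'revoked'."""
        if cert_id in self.revoked:
            return "revoked"
        if cert_id in self.pending:
            suspect, deadline = self.pending[cert_id]
            if when > deadline:
                # Holder never verified in time: revoke, as AT&T cancelled the card.
                self.revoked.add(cert_id)
                del self.pending[cert_id]
                return "revoked"
            return "ok" if country in self.countries[cert_id] else "pending"
        if country not in self.countries[cert_id]:
            # First use from a country never seen for this certificate: ask the holder.
            self.pending[cert_id] = (country, when + self.window)
            self.alerts.append(f"{cert_id}: use from {country} at {when:%Y-%m-%d %H:%M}, please verify")
            return "alert"
        return "ok"

    def verify(self, cert_id):
        # Holder confirmed the use: the suspect country joins the baseline.
        suspect, _ = self.pending.pop(cert_id)
        self.countries[cert_id].add(suspect)

def demo():
    """Constructed scenario mirroring the column's anecdote (not real data)."""
    m = CertUsageMonitor()
    m.enroll("cert-42", "US")
    t0 = datetime(2000, 1, 1, 12, 0)
    results = [m.record_use("cert-42", "US", t0),
               m.record_use("cert-42", "MX", t0 + timedelta(hours=1)),   # alert
               m.record_use("cert-42", "MX", t0 + timedelta(hours=2)),   # still pending
               m.record_use("cert-42", "MX", t0 + timedelta(hours=30))]  # deadline passed
    return results, len(m.alerts), "cert-42" in m.revoked
```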