Identity and Trust in a Digital World

Buying things on the Internet is becoming easier every year. Find what you want, from a manufacturer or an auction site, enter your credit card and shipping details into a secure form, and the product is on the way. Fast and efficient, just like advertised.

Selling things on the ‘net is, unfortunately, not such a piece of cake. The primary problem lies in the difficulty in accepting credit cards, which in turn is caused by the risk aversion by the cards’ underwriting banks. Canadian banks have been particularly hesitant to allow their clients to accept on-line payments.

And, in the banks’ defense, the Internet is definitely the highest-risk way of accepting orders, particularly for some product classifications (think porn and software). Although the conditions vary case by case, a business may be required to place a $10,000 bond against bad payments, in addition to being responsible for all “charge backs” from customers.

Although many small businesses sneak their Internet payments in through a regular retail merchant account as “phone orders”, this can be risky. Most merchant accounts explicitly forbid such transactions, and if the bank notices too many no card present payments, they may investigate. Technically it’s fraud — never a good place to be.

Why the worry? Wasn’t the Internet suppose to be the great friction less commerce engine of the future? That’s sure what all the press releases have been saying for the last several years.

Part of the needed solution is already deployed. We’ve had “high-grade 128-bit encryption” built into Web browsers and servers for years now. Implemented using what’s known as “public key” encryption, certificates are issued by certain Certification Authorities (CA) (e.g. Verisign) to server operators.

At the beginning of a “dialog”, the server’s certificate can be verified by the browser as being legitimate, and is used to generate a set of keys which scrambles the traffic between them. This makes sure no-one can “listen in”, even if the traffic flows right by them.

This arrangement also allows the client browsers to know they’re talking to the server they intended to contact, and not some electronic impersonator or “man-in-the-middle” attacker. The opposite is not true, however — the server has no idea who it’s talking to, only that the traffic can’t be intercepted.

And that one of the key problems — identity. Are you taking an order for and shipping out a iPAQ to Jane Consumer, or the thief of Jane’s credit details? As the retailer, YOU’RE out of pocket if Jane complains about a charge for product she didn’t receive.

The issues become even more acute when you start moving from the Business to Consumer (B2C) model, and look at Business to Business (B2B). When order sizes move from a few hundred to a few hundred thousand, you want to be pretty sure who you’re talking to.

One proposed solution to this is known generically as Public Key Infrastructure, or PKI. It is based on a centralized model with CAs issuing certificates to parties after they prove they are who they claim to be. Once issued, owners can use these to sign digital files and documents, and to authenticate themselves as the original author.

This is basically an extension to system already in place for web servers, but requires everyone wishing to exchange data to have a certificate. So long as the CAs do their job properly, this should work fine. This is not guaranteed, however. Recently Verisign admitted that it had issued two certificates for someone claiming to be from Microsoft, but weren’t.

An alternative approach is implemented in the GNU Privacy Guard (GPG) product, available at It is a de-centralized design which relies on building a web of trust. Someone wishing to create an electronic identity generates a pair of digital keys, one public and one private.

The key difference is to add to the credibility of the electric identity, it must be signed by other GPG users as being legitimate. The more an identity is signed, the more it can be trusted — all done without requiring (or being exposed to) a central authority.

GPG is gaining strong acceptance among security conscience individuals who need to be able to securely exchange information and identity themselves. Most businesses, however, are waiting for the PKI projects to mature. No matter which technology is used, something should be, and sooner rather than later.

While not limited to the Internet, Social Engineering, the tricking of humans by crackers to do what they want them to, is certainly easier through the facelessness of IP traffic.

“Hey” says the email, supposedly from your business partner but actually sent by a competitor with spoofed email headers, “Can you email me another copy of our business plan and financials? I can’t find them…”

Published in the Victoria Business Examiner.