Network: The virtual fingerprint
One of the toughest problems faced by Net users is that of authentication: how do you know who you are really dealing with? Now there is a way to tell. Jan Libbenga reports
Tuesday 26 August 1997
How do you tell a genuine online shop from an outright fraud? You can't. There is not even a Web police force to chase the pranksters. It is not just shopping that worries users. According to Bill Gates, billionaire owner of Microsoft, more than 80 per cent of the e-mail sent in his name is actually from pranksters.
But help is at hand. An American company called VeriSign issues digital signatures, "fingerprints" that assure you that the people you are dealing with online are indeed who they say they are, or that documents haven't been tampered with. Digital signatures are based on a technique called public key cryptography, which is used for scrambling information so that it can't be viewed by anyone other than the intended recipient.
To attach a digital signature to a document you need to create two digital numbers called "keys", one public and one private. You feed both the document and your private key into a computer program, which creates the signature and puts it on the document.
With a copy of your public key, the recipient can determine whether the signature is authentic. Digital IDs are superior to written signatures because they cannot be altered. A signed document can always be changed; that's why both parties should keep a copy. But if you try to change a digital document it will invalidate the signature.
Digital signatures have other advantages, as well. You can always tell when a document was produced, as long as it has been time-stamped. If someone claims he wrote a song which in fact belongs to you, you may be able to prove him wrong.
Digital signatures are not a new phenomenon. They are currently built into most popular Internet cryptology programs such as Pretty Good Privacy (PGP). Unfortunately, many of the public keys used for these programs are not at all genuine, either. Some of them belong to people who claim deeply suspect e-mail addresses such as firstname.lastname@example.org.
Until recently there was no trusted certificate authority to issue public keys. That's why VeriSign is offering several classes of public certification. Not only will VeriSign confirm that your e-mail name is a unique name in their database; it will also take information from you in order to verify it with a third party. With some classes you even have to present yourself (in person) to an authorised party. Say you run a company called Anysoft, and would like to sell software over the Internet. If someone connects to a secured Web site with the address www.anysoft.com, he can be sure that it is Anysoft he's dealing with. VeriSign charges about $300 for a merchant validation.
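The two checks described above, as an added example that is not part of the original article: a recipient first verifies that a certificate authority signed the binding between a name and a public key, then verifies the document signature with that key. It assumes textbook RSA without padding over SHA-256 and demo keys built from publicly known Mersenne primes, so it illustrates the logic only; all function names and the sample document are hypothetical.

```python
import hashlib

def make_key(p, q, e=65537):
    """Textbook RSA key pair from two primes: (public, private)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):
    n, d = private
    return pow(digest(data, n), d, n)

def verify(data, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(data, n)

def cert_body(name, public):
    return f"{name}|{public[0]}|{public[1]}".encode()

def issue_certificate(name, subject_public, issuer_private):
    """The issuer binds a name to a public key by signing both together."""
    sig = sign(cert_body(name, subject_public), issuer_private)
    return {"name": name, "public": subject_public, "sig": sig}

def check_document(doc, doc_sig, cert, expected_name, ca_public):
    """Recipient's check: the certificate first, then the document."""
    body = cert_body(cert["name"], cert["public"])
    if cert["name"] != expected_name or not verify(body, cert["sig"], ca_public):
        return "untrusted key"
    return "valid" if verify(doc, doc_sig, cert["public"]) else "bad signature"

# Constructed demo keys built from publicly known Mersenne primes: insecure.
CA_PUB, CA_PRIV = make_key(2**521 - 1, 2**607 - 1)
SHOP_PUB, SHOP_PRIV = make_key(2**1279 - 1, 2**2203 - 1)
FAKE_PUB, FAKE_PRIV = make_key(2**2281 - 1, 2**3217 - 1)

def demo():
    name, doc = "www.anysoft.com", b"Anysoft order form (constructed sample)"
    cert = issue_certificate(name, SHOP_PUB, CA_PRIV)
    sig = sign(doc, SHOP_PRIV)
    # A key holder outside the CA signs a certificate for the same name himself.
    forged = issue_certificate(name, FAKE_PUB, FAKE_PRIV)
    return [
        check_document(doc, sig, cert, name, CA_PUB),               # untouched
        check_document(doc + b" EDITED", sig, cert, name, CA_PUB),  # altered
        check_document(doc, sign(doc, FAKE_PRIV), forged, name, CA_PUB),
    ]
```

The third case is the one the certificate authority exists for: the document signature itself is mathematically valid, but the key behind it was never vouched for by the CA.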
Web browsers and servers are the first wave of products designed to take advantage of the technology. VeriSign's digital IDs are already used in Web browsers from Netscape and Microsoft. Microsoft even uses the technology to legitimise copies of commercial software downloaded over the Net. Digital signatures can also be used to authenticate publishers of software components written in languages such as Java and ActiveX.
Java originally used a "sandbox" model for security, in which Java components loaded from the network were granted extremely limited capabilities. But, with a new signing technology called Authenticode, applets (tightly focused mini-applications) can be given free rein to do virtually anything. Depending on their digital signature, of course.
In Microsoft's new browser, Internet Explorer 4 (still in beta), users can even identify four zones of trust, including Internet and intranet (sites inside a corporation), where applets can be either "trusted" or "untrusted".
VeriSign is not the only company that develops digital IDs. The telecommunications company GTE has a product called CyberTrust which has the same features and levels of service that VeriSign offers. The US Postal Service is planning to use IDs for e-mail services only. It will charge for a digital postmark for each transaction.
Although VeriSign faces potential competition from these companies, most observers say that it has an impressive head start. VeriSign has issued more than 100,000 digital IDs and has partnerships with more than 50 leading Internet application providers. Last year the company announced a strategic alliance with America Online (AOL) to provide its customers with digital IDs for use in a wide range of electronic commerce and communications applications. Others will follow.
So, digital IDs are here to stay. Better not send any e-mail without them.
VeriSign - http://www.verisign.com.