Network: The virtual fingerprint

One of the toughest problems faced by Net users is that of authenticati on: how do you know who you are really dealing with? Now there is a way to tell. Jan Libbenga reports
Although the Internet has become a hotbed of advertising and commercial activity, shopping online is still in its infancy. Sure, you can order any product on the Web and pay by credit card or even by digital cash, but there is no guarantee that what you've ordered will be delivered to your doorstep.

How do you tell a genuine online shop from an outright fraud? You can't. There is not even a Web police force to chase the pranksters. It is not just shopping that worries users. According to Bill Gates, billionaire owner of Microsoft, more than 80 per cent of the e-mail sent in his name is actually from pranksters.

But help is at hand. An American company called VeriSign issues digital signatures, "fingerprints" that assure you that the people you are dealing with online are indeed who they say they are, or that documents haven't been tampered with. Digital signatures are based on a technique called public key cryptography, which is used for scrambling information so that it can't be viewed by anyone other than the intended recipient.

To sign a digital signature to a document you need to create two digital numbers called "keys", one public and one private. You feed both the document and your private key into a computer program, which creates the signature and puts it on the document.

With a copy of your public key, the recipient can determine whether the signature is authentic. Digital IDs are superior to written signatures because they cannot be altered. A signed document can always be changed; that's why both parties should keep a copy. But if you try to change a digital document it will invalidate the signature.

Digital signatures have other advantages, as well. You can always tell when a document was produced, as long as it has been time-stamped. If someone claims he wrote a song which in fact belongs to you, you may be able to prove him wrong.

Digital signatures are not a new phenomenon. They are currently built into most popular Internet cryptology programs such as Pretty Good Privacy (PGP). Unfortunately, many of the public keys used for these programs are not at all genuine, either. Some of them belong to people who claim deeply suspect e-mail addresses such as

Until recently there was no trusted certificate authority to issue public keys. That's why VeriSign is offering several classes of public certification. Not only will VeriSign confirm that your e-mail name is a unique name in their database; it will also take information from you in order to verify it with a third party. With some classes you even have to present yourself (in person) to an authorised party. Say you run a company called Anysoft, and would like to sell software over the Internet. If someone connects to a secured Web site with the address, he can be sure that it is Anysoft he's dealing with. VeriSign charges about $300 for a merchant validation.

Web browsers and servers are the first wave of products designed to take advantage of the technology. VeriSign's digital IDs are already used in Web browsers from Netscape and Microsoft. Microsoft even uses the technology to legitimise copies of commercial software downloaded over the Net. Digital signatures can also be used to authenticate publishers of software components written in languages such as Java and ActiveX.

Java originally used a "sandbox" model for security, in which Java components loaded from the network were granted extremely limited capabilities. But, with a new signing technology called Authenticode, applets (tightly focused mini-applications) can be given free rein to do virtually anything. Depending on their digital signature, of course.

In Microsoft's new browser, Internet Explorer 4 (still in beta), users can even identify four zones of trust, including Internet and intranet (sites inside a corporation), where applets can be either "trusted" or "untrusted".

VeriSign is not the only company that develops digital IDs. The telecommunications company GTE has a product called CyberTrust which has the same features and levels of service that VeriSign offers. The US Postal Service is planning to use IDs for e-mail services only. It will charge for a digital postmark for each transaction.

Although VeriSign faces potential competition from these companies, most observers say that it has an impressive head start. VeriSign has issued more than 100,000 digital IDs and has partnerships with more than 50 leading Internet application providers. Last year the company announced a strategic alliance with America Online (AOL) to provide its customers with digital IDs for use in a wide range of electronic commerce and communications applications. Others will follow.

So, digital IDs are here to say. Better not send any e-mail without them.

VeriSign -