November 2002
PKI: The Key to Enhanced Internet Security Standards
New Panel to Give Input on Implementation and Standards
At a summit meeting earlier this year, the Internet’s leading digital certification authorities (CAs), web browser providers, digital certificate users, and representatives of the accounting profession and the Public Key Infrastructure (PKI) Forum discussed how to improve trust on the Internet. They met to collaborate on enhancing the standards required for identifying, authenticating, and authorizing subscriber requests for digital certificates.
The participants agreed that the following major issues affecting the acceptance, use, and comparability of digital certificates need resolution:
Summit participants discussed several solutions, including a multilevel classification system for digital certificates, based on increasing levels of reliability and associated registration procedure requirements.
One summit participant said that by providing assurance around information and independently examining systems against a set of measurable criteria and control frameworks, the accounting profession can contribute to ensuring that digital certificate users have a sound framework on which to base their trust in the technology.
The digital certificate landscape is undergoing change:
To address some of these issues, the AICPA and the Canadian Institute of Chartered Accountants (CICA), with the support of the PKI Forum, are establishing an industry resource panel for summit participants. The panel is being formed to give the accounting profession input on incorporating new and improved security and PKI standards into the WebTrust for Certification Authorities Program. It will work on developing viable solutions to accommodate the changes, as well as on enhancing the standards, particularly in the areas of authentication and identification of certificate issuers, so users can trust those with whom they do business over the Internet.
PKI: Commentary and Observations
By Oscar Kolodzinski
The Public Key Infrastructure (PKI) is a key element in ensuring that digital data transmitted across the Internet is secure. PKI relies on encryption (see “Encryption in Theory and Practice”), which uses “keys” to protect the integrity and confidentiality of digital information so that it can be accessed only by the intended receiver. The sender and the receiver each have a pair of keys. One of them, the public key, is used to encrypt the message; the encrypted message can be read only by the person who holds the corresponding private key. A public key must be tied to the specific person or organization that holds it through a digital certificate, which is issued and managed by a Certificate Authority (CA).
PKI is a wonderful technology but so far it has been unable to live up to its promise. The efforts being made by the AICPA, the CICA, and the PKI Forum are an attempt to address the issues that so far have hindered PKI’s success. PKI’s broader acceptance will be furthered by the accounting profession’s assistance in establishing the best practices and parameters for controls and requirements, as well as in providing independent assurance that the digital certificates, and ultimately the systems, are reliable.
PKI’s lack of interoperability is one area of criticism. There are several PKI vendors, such as RSA Security, Entrust, and Verisign. A company that purchases a PKI product can become its own CA and issue digital certificates. It may not, however, use the same requirements or processes that other CAs use, and it is those requirements and processes that establish the identity of a certificate’s owner. If the protocols CAs use to issue digital certificates differ, questions arise as to whether a certificate’s owner is who it claims to be; in other words, “How do I know it is you?”
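The key-and-certificate model described in the commentary above, as an added example in Go (standard library only) that is not part of the article: a CA certifies Alice’s public key, a relying party that trusts only that CA accepts that certificate but rejects one Alice issues to herself as her own CA, and a message encrypted to the certified public key is recovered only with Alice’s private key. The CA and subscriber names, serial numbers and validity period are constructed placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template binds a subject name to a key; the names and one-day validity are constructed sample values.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageKeyEncipherment,
	}
}

// issue has the holder of issuerKey sign tmpl; passing tmpl as its own parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, issuerKey *rsa.PrivateKey) *x509.Certificate {
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey) // fixed templates; errors omitted
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// trusted is the relying party's check: does cert chain to a CA the relying party chose to trust?
func trusted(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Scenario returns whether the CA-issued and the self-issued certificate verify, and what Alice decrypts.
func Scenario() (caIssuedOK, selfIssuedOK bool, plaintext string) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caT := template("Trusted CA", 1, true)
	ca := issue(caT, caT, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool() // the relying party trusts exactly one CA
	roots.AddCert(ca)
	aliceKey, _ := rsa.GenerateKey(rand.Reader, 2048) // Alice alone holds the private half
	aliceCert := issue(template("alice@example.test", 2, false), ca, &aliceKey.PublicKey, caKey)
	selfT := template("alice@example.test", 3, true) // Alice acting as her own CA: same name, same key
	selfCert := issue(selfT, selfT, &aliceKey.PublicKey, aliceKey)
	// Only the certified public key is used to encrypt; only Alice's private key can decrypt.
	ct, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, aliceCert.PublicKey.(*rsa.PublicKey), []byte("hello"), nil)
	pt, _ := rsa.DecryptOAEP(sha256.New(), rand.Reader, aliceKey, ct, nil)
	return trusted(aliceCert, roots), trusted(selfCert, roots), string(pt)
}
```

The self-issued certificate carries the very same name and public key, yet fails: trust comes from the CA’s vouching and its issuance process, not from the certificate’s contents.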
Scalability, administration and maintenance, and the burdensome process of setting up a PKI are also issues to consider. Besides these implementation issues, many companies prefer to keep e-mail traffic unencrypted (“public”) so they can scan messages for viruses or for leakage of confidential information.
These are good reasons why the corporate world has not fully embraced PKI. For example, when Network Associates announced in October 2001 that it was putting its desktop e-mail encryption system, PGP, on “maintenance mode,” it effectively stopped sales of the product. PGP in its early days was freeware, and getting consumers and companies to pay for it has been difficult. Network Associates also said that it became increasingly difficult to educate and train consumers to use the product. These issues resonate for anyone who has tried to work with PGP.
Some problems that have inhibited PKI’s implementation may be solved with faster and better technologies. The accounting profession can play a key role in the standardization of practices for issuing digital certificates. This standardization would provide a higher degree of confidence that the information is properly protected, and give PKI credibility as a valuable tool to secure and protect data shared over the Internet.
©2006 The CPA Journal.