Bugwatch: The challenge of electronic identity

This week Jack Nagle, director of corporate marketing at Baltimore Technologies, considers possible solutions for mitigating the risk associated with the anonymity issue for users of the internet.

The emergence of the internet has brought with it a wealth of apparent business opportunities. These have been frequently presented in breathless terms - that failed to take some key issues into account that are needed in order for them to deliver on their promises.

Principal among them was the authentication of individuals and transaction parties. Anonymity may be good for certain types of internet behaviour, but it has limitations for the delivery of web-based services.

The delivery of e-government services to citizens and businesses needs additional components for interactions to be meaningful or, in some cases, even possible.

Users need a system where the privacy of their data is assured, with similar reassurances on the identity of the transacting parties. Equally it is vital for users to be sure that data has not been modified in transit and that messages or transactions cannot be repudiated.

The latter is usually implemented in conjunction with a source of trusted time, which gives more security and is harder to repudiate. The provision of this type of audit trail creates a sense of trust which equates with the real world.

Every marketplace can be characterised as having a number of such attributes, ranging from presentation through to payment clearance.

Identity data may not even need to be presented for some of the simpler interactions. For instance, communication with the online passport office may consist of asking a question in which identity is not important: say, can I renew my passport online?

However, once this request moves to applying for a passport, it then raises issues such as evidence of identity.

The answer lies in giving digital certificates to end users. A digital certificate provides binding identity data to a cryptographic key pair which allows users to encrypt data and ensure authentication through the use of a digital signature.

Unlike written signatures, which are essentially the same every time, digital signatures are computed using a private cryptographic key and carry unique features derived from the message being sent.

This is a stronger form of identity than methods such as issuing users with an ID and password.

A digital certificate containing identity data and associated digital signatures is a powerful mechanism. The eSignatures Directive issued by the European Commission, as well as legislation in the US and Japan, give legal recognition to digital signatures.

Increasingly governments and quasi-governmental bodies are looking to issue certificates to citizens. The loss of confidence in business longevity has cast governments in a new light as a trusted reference point.

While identity is something we take as a given, in either a personal or professional capacity, it is something which has to be captured and treated differently in the electronic world.

Credentials, identity and tokens, be they smartcards or files on hard disks, are simply a means of logically representing who somebody is along with their associated roles, privileges and entitlements.

Critical to the development and uptake of all such systems is an appropriate legal framework which exists through the implementation of a variety of legal instruments addressing issues such as distance selling, electronic signatures, copyright and data protection.

Adding all of these components together provides a mechanism for mitigating the risk associated with the anonymity issue through the use of the internet.

• Tweet  
• Facebook  
•  
•  
• Send to  

• Topics
• Security