CORDIS - EU research results

Content archived on 2023-03-01

PKI interoperability critical to future of e-commerce

E-commerce enabling technologies such as Public Key Infrastructures (PKI) are often held back by practical difficulties such as the inability of different vendors' products to exchange security information without expensive and time-consuming manual intervention. The IST project PKI Challenge targets this very interoperability issue.

Europe's largest PKI interoperability project

One of the barriers to further development of e-commerce is the lack of interoperability between different IT security technologies. PKI is one of these; an enabling technology that is fundamental to the creation of trust between supplier and buyer in cyberspace. PKI is the infrastructure that creates and manages electronic credentials, allowing the use of digital signatures and their underlying keys and certificates across the Internet. PKI enables the business community, public authorities and the individual consumer to exchange valuable information and data within a secure and trusted environment.

That is the theory. The practice has been somewhat different, with many vendor products interpreting PKI standards differently. As a result there have been growing concerns over the multiplicity and interoperability of PKI products and services available.

Enter PKI Challenge - a project designed to establish a common reference against which various manufacturers' PKI products could be tested. PKI Challenge was Europe's largest PKI interoperability project. Running between January 2001 and April 2003, and funded by the Swiss government as well as the EC's IST programme, the aim of the project was to identify, address and overcome these issues of interoperability.

Establishing a common reference

So how important is PKI? Project coordinator Jane Hebson of lead partner EEMA believes it is fundamental. "PKI is a much higher level of security than present Web commerce. We're talking of contracts that could involve the exchange of high-value knowledge, of licensing. Messages may need to be time-stamped, and offer the kind of audit trail that can be proven in a court of law."

PKI Challenge established a common framework whereby the differing implementations of secure electronic commerce and user technology from product suppliers, service providers, European projects and standard initiatives could be linked together to test interoperability. The aim was to gather practical experience that could be used by other EU projects, initiatives and industry to further develop a cohesive solution for electronic commerce across Europe. A secondary objective was the promotion of practical solutions.

Ten testing participants - Baltimore Technologies, Cryptomathic, Guardeonic Solutions, Microsoft, RSA Security, Safelayer, TC TrustCenter, SmartTrust Nexus, UTI Systems and VeriSign - were recruited to test their products against the reference implementation. Each had access to a specially designed website hosted by project partner Royal Mail.

Wholehearted cooperation from vendors

Hebson emphasises that the project enjoyed extensive cooperation from the product vendors. "They have been wholehearted in their support and committed to the project," she says.

Product marketing manager Jordi Buch of the company Safelayer concurs. "We were very happy to get involved in the project because it enabled us to test our products for compatibility with others on the market. The main value for us was that all the PKI providers were doing the testing with the same independent test site. As a result we can tell our customers that they can implement a PKI infrastructure and will be able to set up digital signature applications without problem."

This view is backed by Paul Green of Verisign. "We found we could do most of the testing without problem, including CA [Certifying Authority] signing. We found the typical problems lay with the applications - either they are not PKI compatible or did not meet the certification requirements of the CAs."

A focus on applications needed

Buch stresses the importance of a future focus on end-user needs. "Our next steps are focused on application interoperability rather than infrastructure interoperability. Users are able to use any kind of digital certificate; their questions revolve around whether their email application can work with email clients from other suppliers. They want true services interoperability."

Verisign's Green takes a similar stance. "If we use a certificate that is EU-qualified, we cannot yet find an application capable of implementing such solutions. Verisign is working with application providers such as Microsoft to get certificate applications going, to have them Verisign certified for example, so that they'll work with PKI."

Standards need simplifying

One of the key results emerging from the project was that the existing standards have far too many options, and thus do not ensure that different vendors build fully interoperable systems. Says Hebson, "We think the standards need to be further refined and made more definite, with fewer options. We need more 'musts' and 'shoulds' rather than suggestions."

Profiling the standards would seem to be essential. But even then, this may not be enough. Given that the European Electronic Signature Standardisation Initiative specifications add yet another layer of complexity to the existing international standards, it would seem that the existing standards are simply too complex to be fully implemented. The implication for the EU is that fewer and simpler standards, rather than more of them, are needed.

Source: Based on information from PKI Challenge

The IST Results service gives you online news and analysis on the emerging results from Information Society Technologies research. The service reports on prototype products and services ready for commercialisation as well as work in progress and interim results with significant potential for exploitation.

Countries

United Kingdom
