HP3000-L Archives

January 1997, Week 3

HP3000-L@RAVEN.UTC.EDU

From: Eric J Schubert
Date: Mon, 20 Jan 1997 18:36:27 -0500

Remember my post that stated "HP to web enable every service"?  What great
advantage besides portability is coming with web browsers?

Ever since the Internet put shrink wrap on the world, security was the last
great hurdle to jump over.  I predict that certificates (in the USA) will
become the replacement of all legacy security systems and could very well be
integrated into OS's in the next few years - driven by commercialization of
the Internet.

Certificates are now used to secure Web transactions under the RSA method,
like Netscape's commerce server.  You probably don't know it, but the SSL
(secure socket layer) method generates a random one time 'session' digital
'signature' instead of the user supplying their own digital ID.

Personal certificates are the next step that will be widely used to
authenticate Web transactions between user and server, i.e., the user must
obtain and supply their own digital ID to perform transactions (VeriSign is
offering free ID's now for testing: http://www.verisign.com ).

Certificates will verify other forms of electronic transfers like the EDI
standards. Finally, certificates should push their way down to file systems
and the OS (like Gradient and Netscape ONE, which both use certificate
authentication for access control to resources today).

Certificates will be the godsend of distributed object technology.  Once
certificate based distributed object technology takes hold - the world ain't
seen nothing yet. Your enterprise can be virtually ANYWHERE and still be
secure and manageable.  Not possible with ACL's and username/password schemes.

Someday I'll never need to fill out another Web page life history for an
Internet service and keep lists of passwords - I'll simply supply my digital
ID stored in a cache on my web browser.  I can do this repeatedly and not
compromise any aspect of my host security, unlike passwords do today
(customers behaving badly have a tendency to simplify their lives by using
the same password to every service that comes along.)

Certificates are based upon public-key encryption technology which is more
suitable for electronic commerce for these reasons:

1) scalable to very large systems with tens of millions of users,
2) has a more flexible means of authentication (user supplied),
3) can support digital signatures,
4) enables non-repudiation enforcement to verify the transmission or receipt
of a given transaction between two entities through a certificate authority.

It is the last quality (4) that will accelerate certificate use (although
the first three are minimum requirements!).  Entities can be institutions
(banks, universities, government agencies, ...) as well as individuals.

For more information, check out these resources:

"Electronic Commerce over the Internet....A white paper"

  http://andromeda.einet.net/tradewave/products/vpiwp.html

Excellent, clear, concise, complete overview in non-technical verbiage of
all Internet security issues related to transaction processing.  Ignore that
it leads to a plug for their services.

Which builds into the next more technical article:

 "Keying In:  The Myths and Realities of Cryptography"

  http://www.mccutchen.com/ip/ip_2200.htm

Which helps with understanding the VeriSign FAQ:

  http://www.verisign.com/faqs/id_faq.html

Have a good day!
---
Eric Schubert, Senior Analyst, Excellence in Service Team
Office of Information Technologies, Univ Notre Dame, IN USA
(219)631-7306 http://www.nd.edu/~eisteam http://www.nd.edu/~eschuber
