As both B2B and B2C e-commerce are fast becoming a reality in
India, a number of companies, like Satyam and HFCL, are planning to develop
Public Key Infrastructure (PKI) to carry out Internet based commercial
transactions. PKI is a vital element of e-commerce: through digital certificates,
it secures electronic transactions and the exchange of sensitive information
between parties that have no prior established business relationship. As the
stage is set for large scale PKI implementation in
India, it is important to analyse what opportunities and challenges lie ahead
for PKI solution providers, especially in the context of distribution of digital
certificates.
Anyone who uses e-mail regularly knows how easy it is to hide
a true e-mail account behind an alias or an assumed identity. Anonymity and
role-play can be tolerated for simple e-mail messages. However, when it comes to
serious business, a strong verifiable identity is required. Digital certificates
grew out of PKI and use asymmetric cryptography to authenticate users. In face
to face transactions, there is a high level of trust between the participants as
it is easy to verify the identity of the participants. As more and more
organisations use the Internet to conduct business, it becomes necessary to
build trust among people who have never met and who cannot meet each other.
A Certification Authority (CA) is a trusted third party
entity whose central responsibility is certifying the authenticity of users. In
essence, the function of a CA is analogous to that of the passport-issuing
office in a government. A passport is a citizen's secure document, issued by an
appropriate authority that certifies that the citizen is who he/she claims to
be. It is effectively that person's "paper identity". Similar to a
passport, a network user's "electronic identity", issued by a CA, is
proof that the user is known by the CA. Therefore, through third-party trust,
anyone trusting the CA can have confidence in the user's identity.
How can we trust a CA? In countries like the US and Canada,
CAs like Verisign and Entrust have established their credibility using the
first-mover advantage in an unregulated environment. In India, the Controller of
Central Certifying Authority (CCCA), which has already been set up by the
Government of India, invites applications from third party PKI solution
providers and grants CA licenses based on certain eligibility criteria.
There are two distinct segments which require digital
certificates. First, there are corporations that need digital certificates for
carrying out secure intra-company transactions through Virtual Private Networks.
Certificates are also needed to authenticate a company's commercial
transactions, done through extranets, with their clients and other business
partners. Since electronic business and B2B e-commerce necessarily require
authentication and security, there is an immediate need for companies to get
digital certificates. It is relatively easy for a CA to issue certificates to
corporations, since verifying the identity of a company is straightforward.
The second segment consists of individuals, who can also obtain digital
certificates from the CAs. As more and more activities such as electronic
trading, Internet banking and B2C electronic commerce are deployed, digital
certificates might become the default authentication mechanism of the future.
However, registering and issuing digital certificates to individuals is a
daunting task, especially in India. Before issuing the certificates, the
identity of the individuals who have applied for certificates needs to be
verified by examining traditional forms of identification, such as a passport or
company records. The verification step is crucial, as the trust framework will
break down if certificates are wrongly issued. In countries like the US, which
have a structured computerised Social Security System, it is easier to
distribute certificates to the masses as their identity can be easily verified.
The identification proofs in India, viz. passport, Permanent Account Number (tax
ID) and driving license, are not widely available or accessible. Hence, CAs will
have to identify as their target market those individuals whose identity can be
easily verified before issuing certificates.
A viable option for certifying individuals is to first target
corporations and through them give certificates to their employees. Each company
will be responsible for maintaining the validity of the certificates issued to
its employees. Distribution of digital certificates within the company will also
help the organisation to keep track of access control to various information
resources and create audit trails of resource access. The company will also
manage the revocation and renewal of
digital certificates through its own PKI. As more and more corporations come
into the PKI, the chain grows. Another option is to use financial institutions
like banks to provide certificates to their account holders. Nevertheless, as
there is no thorough verification of traditional documents like the passport at
all banks, the CA might have to cross check the identity of the users to
determine their true identity.
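The two mechanisms described above, third-party trust through a CA (anyone who trusts the CA can trust the identities it certifies) and a corporate PKI that issues, revokes and renews its employees' certificates under a licensed root, are shown below as an added example written for this page in Go's standard-library crypto/x509; it is not code from the article or from any of the providers it names. The two-level hierarchy, the CA names, serial numbers and validity periods are all constructed for the example. The relying party holds only the root certificate, never the root or company private keys, and it checks the company CA's certificate revocation list (CRL) itself, because Go's chain verifier does not consult CRLs on its own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// HierarchicalPKI is a constructed hierarchy: a root CA certifies a company CA, which certifies employees.
type HierarchicalPKI struct {
	Root, CompanyCA *x509.Certificate
	companyKey      *ecdsa.PrivateKey
}

// must panics on any error; this example has no sensible recovery path.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a certificate valid for days; a cert-signing usage marks it as a CA (basic constraints).
func template(cn string, serial int64, days int, usage x509.KeyUsage) *x509.Certificate {
	ca := usage&x509.KeyUsageCertSign != 0
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage: usage, IsCA: ca, BasicConstraintsValid: ca}
}

// issue gives tmpl a fresh key pair and has issuerKey sign it under parent; a nil issuerKey means self-signed.
func issue(tmpl, parent *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if issuerKey == nil {
		parent, issuerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, issuerKey))
	return must(x509.ParseCertificate(der)), key
}

// NewHierarchicalPKI builds the hierarchy; the root key is not kept, relying parties need only the root certificate.
func NewHierarchicalPKI() *HierarchicalPKI {
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root, rootKey := issue(template("Example Licensed Root CA", 1, 3650, caUsage), nil, nil)
	company, companyKey := issue(template("Example Corp Employee CA", 2, 365, caUsage), root, rootKey)
	return &HierarchicalPKI{Root: root, CompanyCA: company, companyKey: companyKey}
}

// IssueEmployee is the company's registration step: once company records confirm the
// person, the company CA signs a short-lived certificate. The employee keeps the private key.
func (p *HierarchicalPKI) IssueEmployee(serial int64, name string) *x509.Certificate {
	cert, _ := issue(template(name, serial, 90, x509.KeyUsageDigitalSignature), p.CompanyCA, p.companyKey)
	return cert
}

// RevocationList is the company CA's signed statement (a DER CRL) that revoked is withdrawn.
func (p *HierarchicalPKI) RevocationList(revoked *x509.Certificate) []byte {
	return must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now()}},
	}, p.CompanyCA, p.companyKey))
}

// Accept is the relying party's decision. It trusts only the root, so an employee certificate
// passes because its chain ends at the root, not because the relying party knows the employee or
// the company. Verify does not consult CRLs, so the company CA's CRL is checked here, signature first.
func Accept(root, companyCA, cert *x509.Certificate, crlDER []byte) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(companyCA)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}); err != nil || crlDER == nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(companyCA); err != nil {
		return err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate %v revoked by its issuing CA", cert.SerialNumber)
		}
	}
	return nil
}

func main() {
	p := NewHierarchicalPKI()
	emp := p.IssueEmployee(1001, "A. Employee")
	fmt.Println("chain:", Accept(p.Root, p.CompanyCA, emp, nil), "revoked:", Accept(p.Root, p.CompanyCA, emp, p.RevocationList(emp)))
}
```

Running it with `go run` prints a nil error for the freshly issued employee and a revocation error once the company CA has published a CRL naming that serial. The CRL signature check in Accept is the part most often forgotten: without it, anyone able to produce a CRL could either suppress or fabricate revocations, which is why the relying party insists that only the issuing company CA may speak for the certificates it issued.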
Distribution of digital signatures to end-users is a
challenging task. In the U.S., Canada, and Europe, CAs have initiated the
distribution of digital signatures through Smart Card technology. Smart Cards
form an easy-to-use, secure platform for carrying the
complex digital signature data. With the success of Smart Petro-Cards as a
preferred payment instrument at gas stations in India, Smart Card technology
might prove to be crucial in the distribution of digital signatures. Banks and
financial institutions that are allowed to issue Smart Cards in India are in the
strongest position to form partnerships with retailers, transport & petrol
companies and utilities, to effectively distribute digital signatures through
Smart Cards. With the emergence of a common standard, Smart Cards will become
inter-operable and hence a convenient instrument to conduct authenticated
electronic transactions across business entities. This inter-operability will
also lead to a faster increase in the user base. Once issued, the digital
certificates will gather mass acceptance, becoming the sole structured
identification method. As the number of digital certificate owners reaches a
threshold level, their acceptability and use in business and non-business
transactions will grow faster due to the multiplier effect of using a standard
product. India has about 1.5 million
Internet subscribers and is one of the fastest growing subscriber bases in the
world. However, providing certificates to individuals will mean higher volumes
but lower profits per certificate due to increased verification costs.
In conclusion, there are two ways by which digital
certificates could be deployed and adopted in India. First, CAs should issue
digital certificates to business entities, which will give a thrust to B2B
e-commerce activity in India. Second, CAs should target individuals through
business entities so that digital certification will migrate from a simple
online authentication mechanism to a structured proxy Social Security System.
Technology permits bundling PKI in small convenient systems which will aid in
its proliferation and usage.
V Sridhar is an associate professor
at IIM Lucknow, Arjun Ramdas and Shashank Rathi are both MBA students at the
same institute.