Assessing Certification Authorities: Guarding the Guardians of Secure E‐commerce?

Pages: 217-226
DOI: https://doi.org/10.1108/eb026020
Date: 01 March 2002
Published date: 01 March 2002
Author: James Backhouse
Subject matter: Accounting & finance
Journal of Financial Crime Vol. 9 No. 3
IMPORTANCE OF IDENTITY AUTHENTICATION IN E-COMMERCE
Electronic commerce denotes the use of electronic means, usually the Internet, for creating and often fulfilling contracts without the use of face-to-face encounters.[1] In recent years many countries have passed legislation to render to the electronic signature the same significance in contract formation as the traditional hand-written signature. The general desire is to promote user trust and confidence in the process of authentication in the information age.

Leading the charge to transform their traditional business into e-commerce is the financial services industry, although many other sectors have begun to develop their electronic market-place with gusto. What this means for money laundering is that wealth may be rapidly moved around the globe and so layering and integration become child's play.

Online brokers, bankers and intermediaries of all varieties already accept instructions from clients using traditional user name and password type authentication. But the flawed nature of this type of authentication is rapidly forcing the adoption of public key cryptography with digital signatures and digital certificates. Unless a financial services institution can be absolutely certain about the identity of the online client, it is taking very great risks to accept instructions on their behalf. Recent advances in public key cryptography provide an enabling platform for the secure transaction of business.
WHAT IS PUBLIC KEY INFRASTRUCTURE?
A PKI provides a means for relying parties (recipients of certificates who act in reliance on those certificates and/or digital signatures verified using those certificates) to know that another individual's or entity's public key actually belongs to that individual or entity.[2] Certification authorities (CAs) and certification functions have been established to address this need. A PKI uses public/private key pairs: two mathematically related keys. One of these keys is typically made public, by posting it in a publicly accessible read-only repository for example, while the other remains private.
'Public-key cryptography works in such a way that a message encrypted with the public key can only be decrypted with the private key, and conversely a message signed with a private key can be verified with the public key. This technology can be used in different ways to provide confidentiality, authentication, integrity, and non-repudiation.'[3]
Public key technology allows transacting parties in an electronic environment to authenticate each other's identities and ensure non-repudiation of electronic transactions through the use of digital signatures. In many respects the digital signature functions largely as an electronic credential or passport. A passport embodies an assertion by the issuing authority that it identifies the rightful holder. It certifies the connection between the token and the holder as one of identity. Someone relying on the passport to function as a credential will perform checks on it to reassure themselves of its authenticity. In the case of the digital certificate, the issuer is a CA, or trusted third party, which provides authentication services to clients who in their turn rely on them having undertaken the proper checks before issuing the certificate. The system allows previously unacquainted persons to be certain of the identity of their interlocutors, vital in the burgeoning world of e-commerce. Although no final solution for fighting fraud and money laundering, this authentication method has no serious contender. Working electronically in the financial services industry means trusting the identities of parties whose presence is realised only through computer networks and Web servers.
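The trust chain just described, as an added example that is not part of the original article: a CA signs the binding between a name and a public key, and the relying party (here, a financial institution) accepts a signed instruction only if the certificate names the claimed client, is vouched for by a CA it already trusts, and the instruction verifies under the certified key. It uses a toy textbook RSA with tiny hard-coded primes and constructed sample names purely to make the verification steps visible; the key sizes and the lack of padding are illustration-only assumptions, not a usable cryptosystem.

```python
import hashlib

# Toy textbook RSA with tiny hard-coded primes (assumption: illustration only,
# nowhere near real key sizes or padding; real deployments use a vetted library).
def keygen(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))       # private exponent
    return (n, e), (n, d)                    # (public key, private key)

def _digest(data, n):
    # hash the message and reduce it into the RSA group
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

def cert_body(subject, subject_pub):
    # the assertion the CA signs: "this name owns this public key"
    return f"{subject}|{subject_pub[0]}|{subject_pub[1]}".encode()

def issue_certificate(ca_priv, subject, subject_pub):
    # the CA signs the binding only after performing its own identity checks
    return (subject, subject_pub), sign(ca_priv, cert_body(subject, subject_pub))

def relying_party_accepts(trusted_ca_pub, cert, claimed_subject, instruction, sig):
    """Decide whether to act on a signed instruction presented with a certificate."""
    (subject, subject_pub), ca_sig = cert
    if subject != claimed_subject:
        return False                         # certificate names someone else
    if not verify(trusted_ca_pub, cert_body(subject, subject_pub), ca_sig):
        return False                         # not vouched for by a CA we trust
    return verify(subject_pub, instruction, sig)   # finally check the instruction

# Constructed sample scenario: one trusted CA, one rogue CA, one client.
CA_PUB, CA_PRIV = keygen(2147483647, 1299709)
ROGUE_PUB, ROGUE_PRIV = keygen(1299709, 104729)
CLIENT_PUB, CLIENT_PRIV = keygen(15485863, 104729)
GOOD_CERT = issue_certificate(CA_PRIV, "alice@example.test", CLIENT_PUB)
ROGUE_CERT = issue_certificate(ROGUE_PRIV, "alice@example.test", CLIENT_PUB)
INSTRUCTION = b"transfer 1000 to account 42"
INSTRUCTION_SIG = sign(CLIENT_PRIV, INSTRUCTION)

if __name__ == "__main__":
    print(relying_party_accepts(CA_PUB, GOOD_CERT, "alice@example.test", INSTRUCTION, INSTRUCTION_SIG))
    print(relying_party_accepts(CA_PUB, ROGUE_CERT, "alice@example.test", INSTRUCTION, INSTRUCTION_SIG))
```

The second call fails even though the client's own signature is valid, which is the point of the passage: a certificate is only as good as the relying party's trust in the CA that issued it.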
But why should control over the issuance of electronic identity be of interest to those fighting money laundering? The power of the state to detect and remove ill-gotten assets from individuals involved in crime means that it is beneficial for
Journal of Financial Crime, Vol. 9, No. 3, 2002, pp. 217-226. © Henry Stewart Publications. ISSN 1359-0790. Page 217
