"Being in agents' offices, seeing those yellow Post-it notes with passwords all over the place convinced us [PKI] was a better approach."
--John Almeida, assistant vice president of MIS, Safety Insurance
Securing international payments
For companies like Ruesch International Inc., e-commerce is the core of the business model. With U.S. headquarters in Washington, D.C., Ruesch expedites international trade for its 25,000 worldwide clients by providing currency exchange and international banking services. For example, the company enables its clients to check payment histories to existing vendors or to set up automatic payments to new vendors. Two-and-a-half years ago, Ruesch decided to develop online services for existing customers; in Feb. 1999, the company launched its Web site.
Authentication and privacy are important issues for Ruesch, and not just because clients expect sensitive data to be protected. The company falls under U.S. banking industry regulations, so any tampering with data could trigger legal action by the government. But Ruesch didn't want to go overboard with security, since a system that's a burden to customers could drive away business.
Ruesch considered a number of technologies, including biometrics, which employs specialized scanners to check unique physical characteristics such as users' fingerprints or retinal patterns. Unfortunately, while biometrics provides solid authentication, the technique requires intrusive scanners that fit on a finger or over an eye.
The company finally settled on a PKI system, building it with pieces from a number of different vendors. This choice provided an additional benefit: the ability to disprove any false claims by customers that they did not make specific transactions. The PKI system can refute false claims by producing evidence that the customer's unique digital certificate was indeed presented during the transaction.
Ruesch's first step in implementing PKI was to choose vendors. The company started working with GTE Internetworking Inc., a Cambridge, Mass., unit of GTE Corp., almost three years ago to set up VPNs among Ruesch's branch offices in the United States. Ruesch decided to continue using GTE Internetworking as its ISP and as host of its Web site.
In addition, another division of GTE had bought CyberTrust of Needham Heights, Mass., a certification authority. So Ruesch chose CyberTrust over competing CAs like VeriSign Inc. and Entrust Technologies Inc., in Plano, Texas. Outsourcing PKI services also was more appealing to Ruesch than buying software from a vendor like Baltimore Technologies PLC, with U.S. headquarters in Plano, Texas, and creating an in-house CA. "It seemed like a nice marriage," says Ronald Szoc, senior vice president of technology at Ruesch.
GTE hosts both the Web and PKI servers, with the former tied back to Ruesch's headquarters through a VPN. CyberTrust issues a certificate to a Ruesch customer, who then goes to Ruesch's Web server. This server passes the certificate to the PKI server, which authenticates the certificate with CyberTrust. If approved, the customer is allowed through the firewall to use Ruesch's services. Using GTE for certificates and Web hosting allows Ruesch to avoid the cost and trouble of building PKI expertise in-house.
There is no right or wrong answer--and there is no standard that all CAs must follow. What is adequate security for one is expensive overkill--or even impossible--for another. Imagine if Amazon.com required each customer to meet with a company representative.
Businesses also have to decide how long certificates will remain valid, matching the certificates' "lifetime" to the habits and profiles of their customers. "If you set your lifetime too long and you have a lot of turnover... you end up having a huge revocation list," says Michael Froh, chief scientific officer at CyberSafe Canada Corp., in Ottawa, Ont., a division of CyberSafe Corp., an Issaquah, Wash., vendor of enterprise security software. The revocation list, which enumerates certificates that have been voided, must be checked each time a certificate is used. The longer the revocation list, the more overhead the PKI system incurs.
There is also the issue of how often revocation lists are updated. Immediate notification from the CA when a certificate is no longer valid means more bandwidth and infrastructure expense. "Not a lot of organizations will need that degree of revocation checking," adds Froh.
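The checks described above (a presented certificate tested against its validity period and the CA's revocation list, with the CRL itself republished on a schedule) as an added Python model; this is illustrative code, not anything from Ruesch, GTE or CyberTrust, and every name, serial number and date in it is constructed.

```python
"""Certificate validation against a revocation list (CRL), modelled in
plain Python. Added example, not code from Ruesch, GTE or CyberTrust;
every name, date and serial number below is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Set

DAY = timedelta(days=1)


@dataclass
class Certificate:
    serial: int
    subject: str
    not_before: datetime
    not_after: datetime  # not_after - not_before is the certificate's lifetime


@dataclass
class RevocationList:
    this_update: datetime  # when the CA published this CRL
    next_update: datetime  # when the CA promised a fresher one
    revoked: Set[int] = field(default_factory=set)


def validate(cert: Certificate, crl: RevocationList, now: datetime) -> str:
    """Return 'ok' or the reason the certificate must be rejected.

    A stale CRL (past next_update) is a failure, not 'nothing revoked':
    otherwise withholding the CRL update would quietly un-revoke certificates.
    """
    if now < cert.not_before or now > cert.not_after:
        return "expired-or-not-yet-valid"
    if now > crl.next_update:
        return "crl-stale"
    if cert.serial in crl.revoked:
        return "revoked"
    return "ok"


def steady_state_crl_size(lifetime_days: int, revocations_per_day: float) -> int:
    """A revoked certificate stays on the CRL until it expires, so the list
    settles at roughly revocation rate x lifetime: longer lifetime, longer list."""
    return int(lifetime_days * revocations_per_day)


# Constructed sample data: a one-year customer certificate and a weekly CRL.
T0 = datetime(1999, 6, 1)
CUSTOMER = Certificate(1001, "CN=client-a", T0, T0 + 365 * DAY)
CRL = RevocationList(T0 + 30 * DAY, T0 + 37 * DAY, revoked={1002})
```

With the sample data, a check at day 40 returns "crl-stale" even though the customer's certificate is not on the list, which is the point: how often the CA republishes the CRL bounds how long a revoked certificate remains usable. Halving the lifetime from 365 to 90 days at the same revocation rate cuts the steady-state list from 730 entries to 180.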
Is it safe?
Aside from operational issues, some people worry that PKI can lull companies into a false sense of security. For example, a public key infrastructure isn't self-sufficient; it depends on other IT resources, like the network directory, which is necessary for storing the certificates.