By Mike Parsons
I often reflect on how commerce used to be. There was the corner hardware where you were always welcomed like an old friend. There was the dress shop where women could share their confidences with the proprietress. When these establishments received something they knew would be of interest to specific customers, they made a personal effort to reach out to them and share the good news. In those days, credit wasn’t on a card—good customers were able to put purchases “on account,” because shop owners knew their customers and trusted them.
It’s quite a different world today, and many question whether it’s possible to develop similar relationships in the world of cyberspace. How do e-commerce proprietors know when good, loyal customers are visiting? What tools are available to ensure that when customers return, storeowners know who they are and how best to serve them?
To be truly successful, e-commerce merchants need some way of being alerted as to who’s stopping in to shop; they need to be able to track and store past customer purchases and behavior patterns; and they need a tool to stitch all the customer data together so that they don’t keep trying to sell the same products to the same customers over and over again.
In this article, I’ll tackle the first requirement—securing online identity—and then I'll go over some of the potential problems.
The problem with using PKI
A couple of years ago, I was enthralled with the concept of public key infrastructure (PKI) and digital certificates. Here was the electronic equivalent of the passport—a tool that could help solve the online shopping issues detailed above.
PKI applications could review a user’s credentials and, in return for a modest fee, provide the user with a digital certificate attesting to his or her true identity. Just like the passport office at the U.S. Department of State, the certification companies receive an application for a digital certificate from an individual or organization, and review evidence submitted with the application. If the review is successful, the certification authority issues a digital certificate and a set of public and private keys to the applicant.
This digital certificate is the certification authority’s signed statement that the applicant is who he or she claims to be—a validation of identity. These keys let users digitally sign electronic documents and protect the documents from modification. They also provide entities with a way to send users confidential messages that can only be unlocked with the certificate key.
PKI makes it possible to ascertain exactly who is using a company's services. The electronic credentials allow irrefutable transactions, as participation has been approved by the use of a digital signature based on the private key issued by a trusted third party.
The PKI approach also enables confidential communications. By publishing a public key, users provide others a reliable means to communicate with them in confidence. The user's peers, colleagues, and friends can use the public key to encrypt a message or a file and can be confident that the recipient will be the only one reading the message.
But if PKI offers all these features, why isn’t it being used more? Why is e-mail as secure and confidential as a postcard? Why can individuals apply for credit cards in someone else’s name, and be able to order merchandise without fear of being held accountable?
While a system of digital certificates can solve most of these security dilemmas, it turns out that no one wants to do the time-consuming work involved in establishing an infrastructure of directory services, certification, and registration authorities—the technical work necessary to support a PKI system.
Other security solutions in play
As of late, much interest has been focused on other security technologies, such as Passport from Microsoft and Liberty Alliance from Sun Microsystems, IBM, and others. To some extent, these efforts attempt to accomplish goals similar to those of a national PKI. However, these solutions can never give us the trust in networking services that PKI can.
Passport and Liberty Alliance provide a secure envelope to safeguard electronic evidence of personal identity as well as payment instruments. This envelope is based on information and data provided by the user without additional validation or verification by a trusted third party. However, the keys to that data are still a form of user name and password that can be compromised. In the case of Passport, for example, the username is almost always the personal e-mail address. All that remains for the hacker is guessing the password.
The utility aspects of some security applications are limited. You can’t use Passport or the Liberty Alliance tool to digitally sign and protect a document. Nor can you use them to provide additional confidentiality and privacy within communications.
The tools’ role is limited to offering a single electronic wallet or envelope to use for the storage of sensitive personal data. While useful, it’s not clear to me how either solution can provide an identity service that is irrefutable by the participants. In my mind, that type of true identity security is critical to the growth of e-commerce.
Better technologies needed
To be fair, both Passport and the Liberty Alliance offer merchants some ability to recognize customers when they visit an e-commerce site. But it can’t end there—online shops need to know that when "Mr. Jones" bought the snow blower, it was really "Mr. Jones” and not “Mr. Smith.”
Establishing a national PKI is obviously an undertaking that would likely rival the birth of the Internet in scope and resource consumption, and there is no single authority or organization to point to as the management lead.
Any form of national PKI would require a third party that everyone involved in e-commerce could trust. But is the best choice a government organization, a quasi-government organization, or a private organization?
It’s the difficulty of the last question that will likely prevent attaining the primary goal facing e-commerce and secure communications today.
Stay tuned as I continue exploring the three hurdles that need to be cleared if e-commerce is ever to replicate the levels of customer service seen in the past. Next I'll discuss the technologies and approaches for recognizing repeat behavior by Web site visitors, and the methodologies of stitching online customer data together with solid management technology.
Mike Parsons is an instructor in Computer Information Systems at High Point University in High Point, NC. At some point in the future, Parsons hopes to earn a Ph.D. in Information Technology with a focus in Information Assurance and Risk Management from UNC Charlotte.