E-Commerce Public Key Infrastructure (PKI) Proposals and Positions
Presented by Maria Angelica Fleetwood, Fawn Else, Marjan Shallal, Pamela Hawe
7/7/2015

Tomorrow…
“Do you want to test whether a people is given to industry and commerce? Do not sound its ports or examine the wood from its forests or the produce of its soil. The Spirit of trade will get all these things and, without it, they are useless. Examine whether this people’s laws give men the courage to seek prosperity, freedom to follow it up, the sense and habits to find it and the assurance of reaping the benefit.”
Alexis de Tocqueville

What is Globalization?
IMF Definition:
• Integration of world economies through trade and financial flows
• Refers to the movement of people (labor) and knowledge (technology) across international borders
• A result of human innovation and technological progress
Global Trading System (GTS) = f(MTS, DTS)

Trading System Components
Conventional MTS: Uruguay Round 1995
• GATT Goods
• GATS Services
• TRIPS Intellectual Property Rights
• MFN and National Treatment
• WTO Dispute Settlement Mechanism
New DTS: E-Business 2001
• Bits
• Encryptions
• DRM
• United Nations
• Most Favoured Network & Network Treatment
• P2P
• Cyber Dispute Resolution

Trading System Evolution
                      MTS (UR 1995)         DTS (E-commerce 2001)   Cyber DTS (Business 2005)
Dispute Resolution    DSU, WTO              ADR (ICC, OECD)         CDR, United Nations
Secure Transaction    Sig., VAN             E-sig., PKI             CA, DRM
Data Exchange         Doc., EDI             EDI, Web                XML, XSL
                      International Trade   E-Commerce              Cyber Business

What is E-Commerce?
WIPO Definitions:
• Electronic. The term "electronic" can be taken to refer to the global infrastructure of computer and telecommunication technologies and networks upon which the processing and transmission of digitized data takes place.
• Commerce. The word "commerce" in this context refers to an expanding array of activities taking place on the open networks – buying, selling, trading, advertising and transactions of all kinds – that lead to an exchange of value between two parties.
"E-commerce services are the silver bullet that will enable companies to take advantage of the true business opportunities on the Web."
Traci Gere, Analyst, The New York Times

Types of E-Commerce Activities
Matrix of initiating party (rows) against counterparty (columns): Government (“G”), Business (“B”), Consumer (“C”).
Government (“G”):
• G2G – Coordination; e.g., transactions between G departments
• G2B – Public procurement, trade procedures (customs), patents
• G2C – Child support, students’ benefits, senior citizens
Business (“B”):
• B2G – Government procurement; e.g., corporate income and sales taxes
• B2B – E-commerce between businesses; e.g., Internet, intranet, extranet, EDI
• B2C – E-commerce in consumer markets; e.g., Internet sales, interactive TV, etc.
Consumer (“C”):
• C2G – e.g., tax compliance; income taxes
• C2B – Price & other comparisons; e.g., “Priceline” bidding
• C2C – Auction markets; e.g., “eBay auctions”

Examples of E-Commerce
VeriSign teams with eBay to verify users (ITworld.com, 5/8/02)

E-Commerce Architecture
[Diagram; only its component labels survive extraction. Public domain: UN/EDIFACT, Public Services, Citizens, Public Services Collaboration Hub, Dispute Settlement Mechanism, Financial Services, Information Services. Business side: Business Process Applications, ERP/Transaction System, Job Shop, Process Integration Adapter, XML Message Service. Links labelled VAN, HTTP/Browser, Adapter, and XML messages between the hub and the business and public-service components.]

E-commerce Needs Secure Transactions
Without security would there be e-commerce?
• Establish trust relationships among customers, business partners and employees
• Provide security for applications and environments
• The most secure technology platform
  • Non-repudiation
  • Integrity
  • Authentication
  • Confidentiality
  • Availability

Enter Public Key Infrastructure
• Public-key infrastructure (PKI) is the combination of policies, software, encryption technologies, and services that enables enterprises to protect the security of their communications and business transactions on the Internet
• PKIs integrate digital certificates, public-key cryptography, and certificate authorities into a total, enterprise-wide network security architecture
• Public key cryptography ensures the confidentiality of sensitive information or messages by using a mathematical algorithm, or key, to scramble (encrypt) data, and a related mathematical key to unscramble (decrypt) it.

PKI Protects Information Assets
• Authenticate identity - Digital certificates issued as part of PKI allow individual users, organizations, and web site operators to confidently validate the identity of each party in an Internet transaction.
• Verify integrity - A digital certificate ensures that the message or document the certificate "signs" has not been changed or corrupted in transit online.
• Ensure privacy - Digital certificates protect information from interception during Internet transmission.
• Authorize access - PKI digital certificates replace easily guessed and frequently lost user IDs and passwords to streamline intranet log-in security - and reduce the MIS overhead.
• Authorize transactions - Enterprises can control access privileges for specified online transactions.
• Support for non-repudiation - Digital certificates validate their users' identities, making it nearly impossible to later repudiate a digitally "signed" transaction, such as a purchase made on a web site.
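The two slides above describe certificate authorities issuing digital certificates that bind an identity to a public key, and relying parties validating that binding. The Go program below is an added example, not code from the presentation or from any project it cites: it creates a constructed root CA, has it issue a certificate for a subject, and runs the relying party's check, showing that the certificate is accepted while within its validity period, rejected once expired, and rejected when issued by a CA the relying party does not trust. The CA names, subject name and validity periods are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a certificate authority: a self-signed root certificate plus the key that signs issued certificates.
type CA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey // never leaves the CA
}

// NewSubjectKey generates the key pair an end entity (user, server) keeps for itself.
func NewSubjectKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewCA creates a self-signed root. Relying parties install this certificate as a trust anchor:
// everything that chains to it is accepted, nothing else is.
func NewCA(name string) (*CA, error) {
	key, err := NewSubjectKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // parent == template: self-signed
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, key: key}, nil
}

// Issue binds a subject name to the subject's public key for a limited validity period.
// The CA signs the binding; the subject's private key is never seen by the CA.
func (ca *CA) Issue(name string, pub *ecdsa.PublicKey, serial int64, validity time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Validate is the relying party's check: does the presented certificate chain to one of the
// trusted roots, and is it within its validity period at time `at`? A nil error means "trusted".
func Validate(cert *x509.Certificate, at time.Time, trusted ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	root, _ := NewCA("Example Root CA (constructed)")
	pamKey, _ := NewSubjectKey()
	pamCert, _ := root.Issue("Pam", &pamKey.PublicKey, 2, 24*time.Hour)
	fmt.Println("valid now:       ", Validate(pamCert, time.Now(), root.Cert))
	fmt.Println("after expiry:    ", Validate(pamCert, time.Now().Add(48*time.Hour), root.Cert))
	rogue, _ := NewCA("Rogue CA (constructed)") // a CA the relying party never installed
	rogueCert, _ := rogue.Issue("Pam", &pamKey.PublicKey, 3, 24*time.Hour)
	fmt.Println("untrusted issuer:", Validate(rogueCert, time.Now(), root.Cert))
}
```

The point the third check makes is the one the slides rely on: a certificate proves only what the issuing CA attested, so the relying party's list of trusted roots is the real security boundary. The same certificate for "Pam" is accepted or rejected purely on whether its issuer is in that list.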

Benefits of PKI
• Time Savings - Use of electronic processes and digital signatures can reduce the time required to process information collections from sources inside or outside the agency
• Cost Savings - The long-term cost of performing agency business may be reduced as a result of decreased transaction time and cost, increased accuracy and productivity, or operating costs associated with paper-based systems
• Enhanced Service - The availability and accessibility of agency processes to users inside the agency, to the public, and to other outside entities is enhanced. The strong authentication, which digital signatures provide, allows the agency to supply broader service and to promote Administration goals and objectives to a wider audience.
• Improved Quality and Integrity of Data - With electronic processes using digital signatures, the quality and integrity of data collected are substantially improved

Risks of PKI
• Standardization – No federal or international standard.
• Fraud - Concerns have been expressed that the use of digital signatures in lieu of paper signatures will make it more difficult to prosecute individuals seeking to defraud the Government. Some people say that an individual who wishes to defraud an agency may submit a fraudulent claim for benefits, but that individual’s signature on the paper embeds what are called “biometric” or “forensic” elements unique to the individual.
• Service Failure or Shortfall - An important goal of using electronic processes with public key technology is to ensure parties seeking Government services get those services quickly, efficiently, and with trust. But a service failure or shortfall having an adverse effect on an agency’s ability to meet its legal obligations can result from factors such as poor design or implementation of the software providing or using the public key technology, or inadequate training of the service providers or users.
• Liability - Whenever a Federal agency interacts with outside parties, it must face the question of how its actions make it legally liable to affected parties. The use of public key technology is no different in this respect from the use of other technologies.

Simple PKI model
ACTION: Pam wants to transmit a message electronically to Maria, proving that she sent it and ensuring that its contents are not altered
RESPONSE: Pam’s PKI software uses her private key to create a digital signature for the document
ACTION: Pam wants to ensure that no one other than Maria is able to read the message
RESPONSE: Pam’s PKI software uses her public key to encrypt Maria’s message
ACTION: Maria wants to read the message
RESPONSE: Maria’s PKI software uses her private key to decrypt the message
ACTION: Maria wants to verify that Pam sent the message and that its contents have not been altered
RESPONSE: Maria’s PKI software uses Pam’s public key to verify her digital signature
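The four steps of the model, as an added Go example that is not code from the presentation: Pam signs with her private key, the message is encrypted so that only Maria can read it, Maria decrypts with her private key, then verifies with Pam's public key. One caveat a practitioner should keep in mind: for step 3 to work, the encryption in step 2 must be done under Maria's (the recipient's) public key, which is what the example does. Because RSA-OAEP can only seal a short payload directly, the example uses the standard hybrid construction (a fresh AES-256-GCM key seals the message and signature, and the recipient's RSA key wraps that AES key); the party names and the purchase-order text are constructed sample data.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Party is one PKI participant: the private key stays with her, the public key is published.
type Party struct {
	Name string
	priv *rsa.PrivateKey
}

func NewParty(name string) (*Party, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv}, nil
}

// Public is the key the party publishes (in a real PKI, inside a certificate issued by a CA).
func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// Envelope is what travels over the network. The sealed payload is message || signature,
// so an eavesdropper learns neither the contents nor who signed them.
type Envelope struct {
	WrappedKey []byte // AES session key encrypted under the recipient's public key (RSA-OAEP)
	Nonce      []byte
	Sealed     []byte // AES-256-GCM ciphertext of message || signature
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Send performs the sender's two steps from the slide:
//  1. sign the message with the sender's own private key (proof of origin, integrity)
//  2. encrypt so only the recipient can read it: a fresh AES key seals the payload and
//     the RECIPIENT's public key wraps that AES key
func (p *Party) Send(to *rsa.PublicKey, msg []byte) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	random := make([]byte, 44) // 32-byte AES-256 key followed by a 12-byte GCM nonce
	if _, err := io.ReadFull(rand.Reader, random); err != nil {
		return nil, err
	}
	key, nonce := random[:32], random[32:]
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	payload := append(append([]byte{}, msg...), sig...) // signature is fixed-size, so it goes last
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Sealed: gcm.Seal(nil, nonce, payload, nil)}, nil
}

// Receive performs the recipient's two steps:
//  3. decrypt with the recipient's own private key (unwrap the session key, open the payload)
//  4. verify the signature with the SENDER's public key
func (p *Party) Receive(from *rsa.PublicKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("decrypt failed: envelope was not addressed to this key")
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	payload, err := gcm.Open(nil, env.Nonce, env.Sealed, nil)
	if err != nil {
		return nil, errors.New("decrypt failed: payload was altered in transit")
	}
	sigLen := from.Size() // a PSS signature is exactly one key length (256 bytes for RSA-2048)
	if len(payload) < sigLen {
		return nil, errors.New("malformed payload")
	}
	msg, sig := payload[:len(payload)-sigLen], payload[len(payload)-sigLen:]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(from, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature invalid: not from the claimed sender, or contents altered")
	}
	return msg, nil
}

func main() {
	pam, _ := NewParty("Pam")
	maria, _ := NewParty("Maria")
	env, _ := pam.Send(maria.Public(), []byte("Purchase order 1234: 100 units")) // constructed sample message
	msg, err := maria.Receive(pam.Public(), env)
	fmt.Printf("Maria read %q (err=%v)\n", msg, err)
}
```

Each of the properties listed earlier in the deck maps to one failure Receive reports: a third party holding a different private key cannot unwrap the session key (confidentiality), a modified ciphertext fails the GCM tag (integrity), and a signature that does not verify under Pam's public key is not accepted as hers (authentication and non-repudiation).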

WTO and E-commerce Chronology
• The Geneva Ministerial Declaration - adopted 20 May 1998
  • Adopted a declaration on e-commerce
  • Established comprehensive work programme
  • Members will continue their current practice of not imposing customs duties on electronic transmissions
• The Doha Ministerial Declaration – adopted 20 November 2001
  • Acknowledged progress and complexity of issues for three types of transactions on the Internet:
    • Transactions for a service which is completed entirely on the Internet from selection to purchase and delivery.
    • Transactions involving “distribution services” in which a product, whether a good or a service, is selected and purchased on-line but delivered by conventional means.
    • Transactions involving the telecommunication transport function, including provision of Internet services.
  • Members will continue their current practice of not imposing customs duties on electronic transmissions
• Seminars on e-commerce in 1999, 2001 and 2002 intended to provide input to Committee considerations
• Progress reports

Obstacles in Developing Countries
• Poor Information and Communication Technology (ICT) infrastructure
• High cost of access and hardware
• Low income
• Lack of awareness of e-commerce and e-business issues
• Inadequate legal and regulatory framework
• Absence of trust, network payment and secure transaction services
• Entrepreneurs prefer their “traditional way” of doing business
• Lack of adequate banking infrastructure

Proposal from EU
"Businesses and people using the web can now feel more confident knowing that e-signatures will be admissible in a court of law should a dispute arise"
Dept of Trade and Industry @ 2001 Electronic Signature Summit
• The Electronic Signature Directive is a European framework for the development of electronic commerce
• Directive’s main elements:
  • Legal recognition
  • Free circulation
  • Liability
  • A technology-neutral framework
  • Scope
  • International dimension

Proposals from Developing Countries
• Reduce the setup and operational costs for businesses, increase the potential for sustainability and create an environment that will encourage the development of the ICT infrastructure. These objectives could be achieved using the following strategy:
  • Target the businesses in the supply industry with trading partners in industrialized countries where there is an adequate ICT infrastructure and payment services.
  • Reduce the requirements for participating in e-business by separating the trust and secure transaction services from the network payment services.
  • Build a scalable e-business commerce infrastructure that would be shared by multiple independent businesses and integrate this infrastructure into existing ICT infrastructure in developing countries.
  • Provide a mechanism to enable the transfer of e-business technologies and increase public awareness.

Proposals from Institutions
• Organization for Economic Cooperation and Development (OECD)
  • Culture of Security
• ITU
  • Electronic Commerce for Developing Countries (EC-DC) – partnership with WISeKey
• United Nations
  • UNCITRAL's Model Law on eSignature
  • ebXML/OASIS
  • UNECE E-Transition Programme

United States PKI Programs
• USA Patriot Act
  • Bill passed Oct. 2001 relating to online activities and surveillance
• Smart Card Specifications
• National Institutes of Health - Interoperability Project
• RFI for the E-authentication Program
• Digital Signatures to Secure E-Transactions
• Unions File Annual Reports Using Digital Signatures
• Federal Public Key Infrastructure Steering Committee
  • The establishment of a single cross-government, ubiquitous, interoperable public key infrastructure used by all 80 agencies and 19 departments
  • The development and use of applications which employ PK

Conclusion
• Resolve standards issues
• Train IT professionals
• Decision-makers need to be aware of the importance of information and communication technologies
• Policies to facilitate the development and the use of these technologies.
• Developing countries need to address issues related to the operation and procedures for CAs and RAs.

Sources
• http://www.wto.org/english/tratop_e/ecom_e/ecom_e.htm
• http://www.imf.org/external/np/exr/ib/2000/041200.htm
• http://www.online-commerce.com/
• http://gits-sec.treas.gov
• http://www.pkilaw.com/
• http://ecom.ic.gc.ca
• http://www.counterpane.com/pki-risks.html
• http://csrc.nist.gov/pki/twg/twg99_7.htm
• http://www.dsv.su.se/~kasun/securitybookmarks.html
• http://www.futurecompany.co.za/2001/05/11/covstory.htm
• http://www.teledotcom.com/article/TEL20000823S0034
• http://www.apconnections.com/perspective/99-8.html
• http://www.verisign.com/corporate/calendar/past_speaking.html
• http://www.dstc.qut.edu.au/MSU/projects/pki/
• http://ecommerce.wipo.int/index.html
• http://csrc.nist.gov/publications/nistpubs/800-25/sp800-25.pdf
• http://www.cio-dpi.gc.ca/pki-icp/pki-in-practice/efforts/2002-07/scananalyse06_e.asp#_Toc19584718
• http://www.hipaadvisory.com/tech/pdfs/PKI_Brochure.pdf
• http://www.privacy.gov.au/publications/dpki.html
• http://www.epic.org/privacy/terrorism/hr3162.html