Transcript PKI Forum

PKI Benefits & Applications
Lisa Pretty
Executive Director
PKI Forum
“The PKI Forum is an international, not-for-profit, multi-vendor and end-user alliance whose purpose is to accelerate the adoption and use of Public-Key Infrastructure (PKI). The PKI Forum advocates industry cooperation and market awareness to enable organizations to understand and exploit the value of PKI in their e-business applications.”
Agenda
▪ PKI Benefits & Applications
▪ PKI Technology & Interoperability
▪ PKI Vendor Panel
▪ Q&A

PKI Applications
Web: 68%
VPN: 62%
E-Mail: 58%
Custom: 43%
ERP: 21%
Source: Aberdeen Group, PKI Multi-Client Study, December 1999
PKI Market Forecast, 1997-2003
by Revenue Category
[Figure: chart of revenue ($M) by year, 1997 to 2003, split by category: Maintenance, Professional Services, System Integration, PKI Services, PKI Products; revenue axis runs from $0 to $3,500.]
Source: Datamonitor, “Public-Key Infrastructure 1999-2003”, December 1999
The Speakers
▪ Financial: Sven Hammar – Celo
▪ Healthcare: Justin Kromelow – Phyve
▪ Government: Bill Wehrmacher – DataKey
▪ Europe: Steve Matthews – Netlexis

PKI in the Financial Market
Sven Hammar, CEO
Celo Communications
Why PKI in Finance?

PKI + Finance = Logical relationship
– Banks = TRUST…
– Take advantage of trust – biggest strength!
– PKI proving to become security standard
– Online transactions require security
– Manage risk
– Vital to embrace new technology
– Can afford to be one step ahead
Customer loyalty
PKI for Customer Loyalty
▪ Use PKI as customer tool
▪ Build loyalty relationship with customers
▪ PKI enables added service offerings:
– Online banking
– Stock brokerage
– Loans
– Online payment of bills
Threats…

PKI a new technology
– Understand value in order to reap benefits

Leverage existing brand
– Image, relationship & Infrastructure
– PKI enable legacy applications

Customer understanding value of PKI
– Always keep it simple for the customer!
Banks moving fast enough?

Banks challenged by “non-banks”
– Retail industry already “e-savvy”
– Infrastructure in place
– Customers in place, worldwide access

Online Competition
– Web Portals, ISPs offer Internet Banking
– Yahoo, AOL issue certificates…
– Telcos – Superior Infrastructure
PKI Strategy in Finance

Use the advantage of TRUST!
– Work out brand management system

Create PKI business alliances
– Identrus the right path – Global presence

Think long term
– Market landscape is changing fast

Work with open standards
– PKI Forum a step in the right direction
New revenue opportunities
▪ Certificates; A new revenue opportunity
▪ Banks can market active certificate list
▪ These customers are already:
– Online
– Trusted
– Banking/Payment/Credit-Worthy
– Early Adopter Mentality
PKI Applications in Finance

Digital Signatures – a vital PKI feature
– Legally binding mechanism to digitally sign documents and transactions remotely

U.S. Senate approved the E-signing Law
– Removes legal barriers for e-business
– Bill Clinton signed E-Signing bill June 30
– E-Signing law effective October 1st
Digital Signatures in Finance

Enables non-repudiation
– Verify identity of customer
– Revocation
– Storage of signatures

Customer user-friendly
– Sign online transactions with a single click
– Sign HTML web forms & contracts
– Stronger sense of security for customer when performing online transactions
Digitally Signed Bank Transaction

Overview
Smart Cards / USB Tokens

Smart Cards as relationship device
– Tool to leverage relations to customer
– Creates stronger tie to customer
– Bank’s brand always present (on card)
– Customer offer for higher level of security

USB Tokens
– Competitive option to smart cards
– PC hardware not yet supporting card readers
PKI is the Future!

Predictions for the overall market are huge.
Potential in Financial Sector is unlimited!
– Both IDC and Frost & Sullivan put PKI as one of the fastest growing markets in the Internet security space in coming years.
– According to Aberdeen Group, 98% of the Global 2000 enterprises will be using PKI before 2003.
Summary
▪ PKI and Finance is a marriage made in heaven – Logical and obvious relationship
▪ The Trust issue puts Financial institutions in pole position
▪ Digital signatures enable a stronger position on the market as well as with customers
▪ Keep it simple for the customer!
▪ Start now – PKI means money!

PKI Benefits in Healthcare
Justin Kromelow
Phyve
Why PKI in Healthcare
▪ HIPAA
▪ TCO maximization objectives
▪ Adoption and implementation of technical standards
▪ Large diverse, distributed organizations and groups of users

Benefits
▪ The Internet
▪ Administrative savings
– Paper vs EDI, Electronic report delivery
▪ Enhance information systems delivery plan
▪ Data mining/disease management
▪ Cornerstone for data driven efficiency

Contact Information
Phyve
2200 Bridge Parkway
Redwood City, CA 94065
650-620-5100
http://www.phyve.com
PKI: Your government working for you
W.H.(Bill) Wehrmacher
Datakey, Inc.
Not the first, but certainly a very public step
In 1997, Vice President Al Gore published Access America, a report which outlined actions the Federal government is taking to promote the electronic delivery of services, and electronic transactions between agencies and trading partners, over open networks such as the Internet. The report made it clear that providing a proper security infrastructure was essential for electronic transactions to flourish.
The Evolving Federal Public Key Infrastructure,
CIO (Department of the Treasury)
Richard A. Guida
Final Draft 4.0, 5-21-2000
What Government Agencies
▪ State
▪ U.S. Government
– Federal
– Department of Defense
▪ International
State Governments

Electronic / Digital Signature Law
– All 50 states have law allowing for the use of digital signatures, most of which allow or require PKI.
• Mandate use of Digital Signatures in inter-government communication and commerce
• Permits use of Digital Signatures elsewhere
– 43 states have adopted the Uniform Computer Information Transactions Act (UCITA) which references PKI based digital signatures
U.S. Government Federal

Access Certificates for Electronic Commerce (ACES)
– General Services Administration contract schedule for issuing Certificates
– Potential ACES users: SSA, EPA, and Dept of Education
– Three Schedule awardees: ORC (Operational Research Consultants), Digital Signature Trust, AT&T

Smart Access Common Identification
– GSA contract schedule for issuing PKI smart cards

Federal PKI
– hosted by NIST
– At core of interoperability and cross certification
– Federal Bridge CA
U.S. Department of Defense

DoD Medium-Pilot Assurance PKI
– Sensitive, but unclassified material
– 50,000 certificates in use today

Interim External Certificate Authorities (IECA)
– IECA program can be trusted by DoD applications
– Four IECA vendors: ORC (Operational Research Consultants), Digital Signature Trust, VeriSign, General Dynamics

DoD Class 3 PKI
– CA keys in FIPS 140-1 Level 2 hardware tokens
– LRA and RA keys in FIPS 140-1 Level 2 smart cards

Target DoD Class 4 PKI
– will require smart cards or other tokens for all certificate holders

DoD Common Access Card
– Upgrade ID cards to PKI smart cards
International Law
▪ 43 countries have law in place, in draft or are actively investigating PKI based law for digital signatures or ecommerce
▪ German Digital Signature Law
– PKI based digital signatures
– Oldest and most well known
▪ United Nations Commission on International Trade Law (UNCITRAL)
Why? Because we must!



“Business-to-business and business-to-consumer electronic commerce reached $43 billion and $8 billion respectively in 1998. Estimates predict that by 2003, those totals will exceed $108 billion and $1.3 trillion respectively (Forrester Research). This experience suggests that electronic forms of authentication which are accepted over the Internet – and which include the use of public key technology – be generally accepted as having sufficient legal foundation by the transacting parties to allow e-commerce to proceed and grow”

“In October 1998, Congress enacted the Government Paperwork Elimination Act (GPEA, Public Law 105-277) requiring that when practicable, Federal agencies by October 2003 accept forms electronically with electronic signatures.”

“Federal agency efforts have focused on using public key technology for intra-agency, interagency, and agency to trading partner transactions. The largest potential volume of traffic, and the greatest prospects for service delivery, involves transactions with the general public. Recognizing this, and appreciating that the best approach to use public key technology with the public is to devise a PKI that all agencies can collectively use for that purpose to share the costs of a common infrastructure, the General Services Administration began working in 1996 on an effort called Access Certificates for Electronic Services (ACES).”
Conclusions
▪ The use of Public Key technology within Government and business will continue to grow at an astounding rate.
▪ Public Key Infrastructures to provide and maintain trust must expand to support the growth of this technology
▪ Government is leading, and will continue to lead, the expansion of PKI technology and service

Please feel free to contact me
W.H.(Bill) Wehrmacher
Director of Technical Services
Datakey, Inc.
+1 952 808-2337
407 West Travelers Trail
Burnsville Minnesota 55337
PKI: A European Perspective
Steve Mathews
Netlexis
Where is Europe on the PKI map?
▪ Baltimore Technologies
▪ UtiMaco
▪ iD2
▪ Axenet
▪ Siemens
▪ Belsign
▪ Bull
▪ and others …

How about European experiences?
▪ European Commission R&D funding for major security projects since 1991
▪ European Commission R&D and demonstrator funding for PKI projects since 1995

A sample of projects
▪ DIABCARD-3 Smartcard held medical records for diabetes and cardiovascular diseases – Siemens – Austria, France, Germany, Greece
▪ ISHTAR – secure healthcare telematics – R3 (now Entrust), Belgium, France, Germany, Greece, Netherlands, UK

More projects

TRUSTHEALTH I + II implementing PKI and TTPs in international healthcare
– I – France, Netherlands, Norway, UK, Sweden
– II – Belgium, Denmark, France, UK, Sweden

ICX – international commercial exchange for developing PKI supported trade – ICL, Shell International, Sweden Post, The Post Office
Commercial actions
▪ Axenet announces a CA service for the French electronic marketplace in April 98
▪ Brokat and iD2 integrate PKI and smartcards to provide encrypted payments systems complying with German digital signature law – November 1998

National examples

Finnish citizen card and electronic identification launched using the Finnish Population Register Centre as the CA and Helsinki Telephone Corporation as the directory. Valid for electronic exchange of information for official purposes.
National examples

Netherlands Data Protection office working with ICL/Fujitsu and others to deliver a PKI and smartcard based solution for the protection of healthcare information for access from and transport over the Internet
Commercial examples
▪ Merita Nordbanken – Internet bank using PKI and smartcards
▪ Bankgirot – Giro bank using PKI to support Corporate payments system

www.PKIForum.org