What is a digital ID, do you need one and how do you go about getting one? Rose Vines explains.

What's in your wallet? Chances are you have at least two or three items which identify you in some way: a driver's license, registration, ATM cards, credit cards, Medicare card.

Anyone who's spent any time in a chat room, MUD or newsgroup will know that the Internet is full of people who are faking it. You've probably done it yourself: assumed an identity, or given incomplete or inaccurate information, when forced to fill in a form to qualify for a software download or access to a site.

Even more importantly, how do you identify companies on the Net? When you're about to whip out your credit card and order that new Tina Arena CD through an online music store, how do you know who you're dealing with on the other end of this supposedly "secure" transaction?

In the 'real world' we identify and judge companies we deal with by a combination of name, reputation and physical appearance. If you see an advertisement in the paper for a brand new computer system with the works and the price seems too good to be true, you're likely to do some checking up on the advertiser. If it's a familiar name or a company that others vouch for, you'll be encouraged to think about buying. If the company's name is unfamiliar, you might still decide to go to the store and suss them out: does the store look rundown or well maintained, do the staff look professional, do they answer your questions knowledgeably and clearly, how long has the company been in business, who else appears to be shopping there? None of these things will guarantee you a "safe" buy, but they all contribute to your decision whether to entrust your business to the company.

On the Net, there's no way to give a retailer the once over; all you have to go by is the company's name, the look of their Web site, and things you've heard from other customers.

The same goes for software publishers. The Web is overflowing with software downloads, and you'll frequently come across sites which offer to download a Java applet or ActiveX control to let you experience the latest gee-whiz effects. How can you know these "freebies" are safe to unleash on your PC?

Outlook Express -- the e-mail and news reader program bundled with Internet Explorer 4 -- supports encryption and digital signatures. You need a digital certificate before you can use these features.

Digital certificates

Enter digital certificates. A digital certificate, or digital ID, is used to prove who you are on the Internet. Digital IDs can be issued to Web sites, software developers and individuals. You can be pretty sure that anyone who produces a valid digital ID is who they claim to be. Of course, while a digital ID verifies someone's identity, it says nothing about their character -- something you need to establish for yourself.

Nevertheless, the requirements for getting a digital ID as an organisation engaged in electronic commerce are stringent enough that they give some assurance of the certificate holder being an established business. For software publishers, a combination of a digital ID and an Authenticode certificate not only verifies identity but also states the equivalent of "this code has not been tampered with and should not wreak havoc on your computer".

Digital certificates let you check the bona fides of people you communicate with on the Internet.

What is a digital ID?

What, exactly, is a digital certificate? Technically, it's an electronic document which conforms to the X.509 specification of the International Telecommunications Union (the international body that determines communications standards). In everyday terms, it's a document which typically contains the owner's name and public key (see box 'What is public key encryption?'), the expiration date of the public key, the serial number of the certificate, and the name and digital signature of the organisation which issued the certificate. The digital certificate binds together the owner's name and a pair of electronic keys (a public key and a private key) that can be used to encrypt and sign documents.

Verifying certificates

What's to stop you from forging a digital certificate by combining your public key with someone else's identifying information? For instance, what prevents you from creating a bogus certificate in the name of the Australian Taxation Office?

This is the role of certificate authorities (CAs). These organisations are responsible for issuing, validating and revoking digital IDs. When you apply for a digital certificate, the CA checks your credentials and issues a certificate which they encode using their own private key. Anyone who wants to check the validity of your digital certificate can do so by decoding your certificate using the CA's public key, and then checking it against the certificate you've given them.

Of course, this means you need to be able to trust the CA, and that trust is based on the stringent requirements involved in becoming a CA. The most prominent CA at the moment is Verisign (www.verisign.com), although it is only one of a number of such authorities.
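
The check described above, as an added example that is not part of the original article: a CA signs the binding of owner name and public key, and a verifier that already holds the CA's public key rejects a forged binding, an unknown issuer and an expired certificate. The keys, names, serial numbers and dates are constructed, and textbook RSA over a JSON record stands in for a real X.509 signature; revocation is not modelled.

```python
import hashlib, json
from datetime import date

E = 65537  # public exponent used by every toy key below

def make_key(p, q):
    """Textbook RSA key from two known primes (constructed toy keys, insecure)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(fields, n):
    """Hash the certificate fields in canonical order, as an integer below n."""
    blob = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n

def issue(issuer, issuer_key, owner, owner_n, serial, expires):
    """Bind an owner name to a public key and sign the binding as `issuer`."""
    fields = {"owner": owner, "public_key": owner_n, "serial": serial,
              "expires": expires, "issuer": issuer}
    sig = pow(digest(fields, issuer_key["n"]), issuer_key["d"], issuer_key["n"])
    return {"fields": fields, "signature": sig}

def verify(cert, trusted_cas, today):
    """Return 'valid', or the reason a relying party rejects the certificate."""
    f = cert["fields"]
    ca_n = trusted_cas.get(f["issuer"])
    if ca_n is None:
        return "untrusted issuer"
    if pow(cert["signature"], E, ca_n) != digest(f, ca_n):
        return "bad signature"
    if date.fromisoformat(f["expires"]) < today:
        return "expired"
    return "valid"

# Constructed sample data: Mersenne primes make reproducible (and insecure) keys.
CA = make_key(2**521 - 1, 2**607 - 1)
ALICE = make_key(2**89 - 1, 2**1279 - 1)
MALLORY = make_key(2**107 - 1, 2**127 - 1)
TRUSTED = {"Example CA": CA["n"]}  # the CA public keys the verifier already holds
TODAY = date(1998, 6, 1)

def demo():
    ato, exp = "Australian Taxation Office", "1999-06-01"
    good = issue("Example CA", CA, "Alice", ALICE["n"], 1001, exp)
    # Forgery: someone else's name on Mallory's key, signed with her own key.
    forged = issue("Example CA", MALLORY, ato, MALLORY["n"], 1002, exp)
    self_made = issue("Mallory CA", MALLORY, ato, MALLORY["n"], 1003, exp)
    old = issue("Example CA", CA, "Alice", ALICE["n"], 1000, "1997-06-01")
    return [verify(c, TRUSTED, TODAY) for c in (good, forged, self_made, old)]

print(demo())  # ['valid', 'bad signature', 'untrusted issuer', 'expired']
```

The forged certificate fails because only the holder of the CA's private key can produce a signature that the CA's public key accepts for those exact fields.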

Do I need one?

Currently, there's no pressing need for you, as an individual, to have a digital ID. But that's due to change. Recently, a group of the major financial players in the world of online commerce, including Visa (www.visa.com) and Mastercard (www.mastercard.com), have published a new protocol for SET -- Secure Electronic Transactions. SET is designed to make online credit card transactions as secure as offline transactions and, once it's in place, many online merchants will insist you produce your digital ID before they'll do business with you. In fact, you'll need a separate digital ID for each credit card you use online.

It's not likely to stop there, either. Once online shopping makes digital IDs more commonplace, we'll probably see more Web sites using such certificates simply to check your ID. For instance, a single personal digital ID can be used instead of multiple user name/password combinations required to access different Web sites. You'll also find more and more software developers, online shops and other sites providing their own digital IDs as surfers and consumers demand greater security on the Net.

While there's no need to rush out and get yourself a digital ID today, six months down the track you're likely to have a couple stored on your hard disk.

How do you get one?

You can get a digital ID from any of the CAs which provide personal digital certificates. Usually the easiest way to get one is by using an application which supports digital signatures and encryption. For example, the latest versions of both Netscape Navigator (and Communicator) and Microsoft's Internet Explorer provide support for encryption and digital signatures, and each program offers an option to sign you up for a digital ID.

Safety's a chimera

No-one is making iron-clad guarantees about the privacy and security of online interactions. But with the introduction of new technology such as digital certificates, standards for e-mail encryption (such as S/MIME -- Secure Multipurpose Internet Mail Extensions), and SET for electronic commerce, exchanging sensitive information online is becoming considerably less dicey.