Will UK mobile electronic signature trial reinforce PKI’s identity?
by Nicki Hayes, March 28, 2001
Public Key Infrastructure (PKI) has been going through an identity crisis lately. According to research from the
Gartner Group, about 80 per cent of PKI pilots have been abandoned by companies because PKI is
difficult to install and expensive to use. Add to this the general battering technology stocks are taking
and the consequent slashing of corporate IT budgets, and it’s easy to see why PKI vendors are racing
back to their drawing boards looking for new ways to position their products. In spite of the market’s
general nervousness, Vodafone, the world’s largest mobile operator, and the UK government’s
Department of Trade and Industry (DTI) announced last week a wireless public key infrastructure
(WPKI) trial. Will this trial boost flagging confidence in PKI and wireless technology? Nicki Hayes,
WirelessDevNet’s European correspondent, investigates.
There has been a lot of publicity recently about the failings of public key infrastructure (PKI) technology,
much riding on the back of The Gartner Group’s research which states that around 80 per cent of PKI trials
have been abandoned. In spite of this, Vodafone, Sonera SmartTrust and the UK’s DTI proudly announced
the UK’s first secure mobile electronic signature trial based on WPKI technology last week. This
well-publicized trial aims to test the feasibility of rolling out mobile commerce services based on WPKI
technology to thousands of future users. During the trial 50 employees of the Radio Communications
Agency (RA), an executive agency for the DTI, will use electronic signatures to digitally sign travel forms
from their mobile handsets over a period of four months.
Does this indicate that the UK government still sees PKI as the catch-all security solution for
electronic commerce in spite of recent signs of the industry’s nervousness?
Patricia Hewitt, the UK’s Minister for Small Business and E-Commerce advised:
“As mobile penetration reaches new heights, the latest developments in mobile technology will change the
way we use our mobile devices. The latest technology will offer customers the ability to sign transactions
securely, wherever they are. We are pleased to be part of this innovative trial which will demonstrate how
electronic signatures could become part of our everyday lives.”
No nervousness here then.
Indeed, the UK government, along with a host of other governments worldwide, is very keen to push digital
signatures as having the same legal and commercial status as handwritten signatures, and there’s plenty of
legislation out there to prove it. Successful commercial applications of the technology are seen as crucial to
the future of mobile commerce and this trial may go a long way towards boosting flagging confidence.
So how does the technology work via mobile devices?
For a full explanation of WPKI it’s well worth reading a previous WirelessDevNet article at ((Insert link)).
For the purposes of this article it’s perhaps enough to say that, in line with EU directives on digital
signatures, the signatures will be generated through advanced, highly secure techniques developed by
SmartTrust, Giesecke & Devrient, Secartis and GlobalSign. SmartTrust is supplying the software platforms
that will request and verify digital signatures. Munich-based Giesecke & Devrient developed the subscriber
identity module (SIM) smartcards used in the phones. Secartis designed the digital signature directory
necessary to authenticate all of the signatures, while the root certificate that recognizes all of these
certificates comes from GlobalSign.
In order for a digital signature to be transmitted on Vodafone’s mobile network, the information from the
SIM card travels through the browser of the phone (a Siemens C35I digital GSM phone in this instance) to
secure servers. These servers record the content of the transaction, making it acceptable as legal evidence in
the case of a dispute.
The use of SIM cards is perhaps the most interesting aspect of this trial. Currently SIMs are essential for
the use of digital signatures. This is because current handsets are unable to offer full end-to-end security.
However, in the next six months handsets able to do so will be released. Indeed, we are even likely to see
such phones demonstrated at CeBIT this week.
While SIMs offer a number of benefits to operators and could prove a method for the European operators to
claw back some of the vast quantities of cash they’ve shelled out for 3G networks by giving them
ownership of transactions over their network, there is one significant barrier. Existing users of networks
will need to change their SIM card to access new services, or buy a new phone. This makes the adoption of
mobile payment applications offered by Vodafone and other operators relying on the SIM-based approach
to security questionable. SIM cards do offer other benefits and barriers too, and there will be more about
these in a future article, but perhaps the most important point that I’m sure Vodafone and SmartTrust
would be keen to point out is that at least they get you to the market early! The rest of the market will, for
sure, be keen to learn the results of this UK trial whether their strategy for entry involves SIM card
technology or not.
So, SIM card or no SIM card, will WPKI be as difficult to implement as PKI has allegedly been?
Well, in the main, PKI implementation difficulties are to do with interoperability. There is no standard
client that will use PKI, and all applications within an organization’s IT infrastructure need to be
PKI-enabled. This stands true for mobile access to the PKI infrastructure too. The only way around such
interoperability issues is to have standards that everyone complies with. The sensible thing is to use standards
that already exist in the wired world rather than to invent a whole new set of wireless standards. And this is
what the industry, led by the WAP Forum, is doing.
And, interoperability, implementation and cost issues or not, WPKI is the only way forward. Too many
governments have legislated for digital signatures to turn back now. Add to this the full-blown PKI
capabilities of Windows 2000, set to become the world’s predominant operating system, and it seems to be
a one-horse race, regardless of what the gloom merchants choose to predict. Indeed, anyone who expects to
implement a PKI infrastructure overnight at little expense is, at best, naive. Any technology, business
process or legislation designed to deliver something as complex as secure electronic commerce takes an
enormous amount of planning, implementation and expense. The analogy to a new currency, such as the
Euro, stands. And after all, if the governments of the European countries working towards the single
European currency had tried to introduce the new infrastructure needed for the currency to become adopted
without the necessary groundwork Europe would have more to worry about than foot and mouth disease
right now!
About the author:
Nicki Hayes is a freelance writer and corporate communications consultant specialising in business to business internet issues. She has contributed editorial to a number of publications including Unstrung.com, Guardian Online, Financial Times, Banking & Financial Training, eAI Journal and Secure Computing. Nicki is also the European correspondent for The Wireless Developer Network. Nicki is based in Dublin, Ireland and also has a base in Cambridge, UK. Through her consultancy, Hayes-Singh Associates, she has access to a number of technical writers and PR consultants throughout Ireland and the UK.