Eight financial institutions have joined with ecommerce company CertCo to form a global trust enterprise, intended to encourage the widespread adoption of business-to-business electronic commerce. It has been recognized for some time that such business-to-business transactions will eventually form the bulk of electronic commerce, but with obvious security concerns in mind, multinationals are hesitant to move their closed network systems onto the open internet for now. Prominent among these concerns is the difficulty of establishing whether or not a trading partner on the internet is who it says it is. This is a particular problem for banks, whose traditional duties have included verifying signatures and checks and acting as trusted third parties. It is in this field, technically known as identity warranty, that CertCo believes it can help.
CertCo president John Herron Jr explains that his company, which was formed in 1996 by Bankers Trust Ventures, believes security is only partly a question of technology. “Our approach has always been multidisciplinary,” he explains. “We are active in cryptography and high-end systems security, but we have looked at the social contract and the legal system as well. Simply coming up with a technical solution is inadequate. We soon saw that linking up global institutions was the only way to go.”
On Wednesday that approach paid off. CertCo was instrumental in bringing together ABN AMRO, the Bank of America, Bankers Trust, Barclays, Chase Manhattan, Citibank, Deutsche Bank and Hypo Vereinsbank. The partners have agreed to form a global company to address the issue of identity warranty. It will establish an interoperable network of financial institutions that will act as certificate authorities. Each member will issue certificates to people and organizations based on a standard set of rules and business practices.
Because all the partners contributed to those standards, CertCo reasons, they should be able to trust one another to implement them. CertCo says its role was to initiate the concept, which differs from those of its competitors in three ways. First, it is global and based upon standards and interoperability, which should mean it doesn’t leave businesses dependent upon a single vendor. Second, it already has its eight global financial institutions as members. Third, if all goes according to plan, businesses should only need one digital identity for all their internet activities. The certificate authorities will be able to check and trust each other’s certificates. With a standard infrastructure in place, the banks will be able to start competing on services.
CertCo certainly wants to provide the root key technology, but Herron emphasizes that the company sees itself very much as a partner in the enterprise, not its leader. CertCo’s own root certificate authority depends on key fragmentation technology, whereby fragments of keys are distributed to various parties – in this case, the member banks. Herron claims a multi-step process for signing keys means that there is “no single point of failure”.
The technology, however, is only half the story. What CertCo is trying to do is to establish a trust hierarchy of individual banks that have agreed to a common set of standards. The next step is to solicit broader membership in the network itself. At the same time, there needs to be a development effort to make the various certification technologies now in use – CertCo’s and VeriSign’s, for example – interoperate with one another. “These independent CAs are not bound together,” Herron explained. “There is still work to be done to assure greater interoperability in terms of the certificates.” The partners must also develop the infrastructure necessary to operate the new entity.
On the social contract side of the fence, Herron points out that it will take a lot of work to define the system roles and contractual obligations between various entities in these hierarchies. “That’s one of the reasons we feel banks play an important part,” Herron explains, adding: “I should be more precise and say regulated financial institutions. There is considerable oversight of what happens in these institutions. That doesn’t mean there isn’t risk, but there are risk controls that exist.” CertCo and its newfound partners want to carry controls like those forward into the virtual realm.
