click here to find out more about us













Just one more thing

CAs crucial for secure e-mail, e-commerce

DESPITE criticisms about paper documents being ``old-fashioned'' in the digital age, they are still implicitly secure and trustworthy. People trust paper documents because they are physical, written signatures are used, and the ink is indelible (normally).

But when it comes to the Internet, security and trust are usually not the first words that comes to people's minds.

Internet users may also realise they cannot answer a very basic question: Is this person who he claims to be?

E-mail encryption systems like PGP or S/MIME ensure that messages remain secure, private and unaltered. But by themselves, these systems still do not address the issue of trust.

Let's say you receive a public key from a user claiming to be Tan Ah Beng with an e-mail address of ahhbeng4039@hotmail.com. But how do you know if the public key and e-mail account really belong to Tan Ah Beng? Or if there is even a real Tan Ah Beng in the first place?

What we need is a trusted third party or official authority in cyberspace to verify Tan Ah Beng's identity and validate his public key.

Certificate authorities

A certificate authority or CA serves as a common point of reference, or trusted third party on the Internet. A CA's main task is verifying public keys and issuing digital certificates.

CAs are usually appointed by the government and the digital certificates they issue serve as a user's identity card while online.

A digital certificate is basically a data file containing personal information and the user's public key, plus it is signed with the CA's private key.

Secure e-mail protocols like S/MIME rely on a centralised trust hierarchy which utilise certificate authorities and digital certificates.

Gerard Teoh, head of business development at Lester Technology Group, says the establishment of a local CA is vital for widespread use of secure e-mail and the growth of e-commerce.

Lester Technology is a provider of digital certificate technology.

``The effect of a public key will become apparent when it is incorporated into a digital certificate,'' Teoh says.

In addition, CAs are responsible for issuing server certificates which are a key requirement for secure websites, which in turn are crucial for e-commerce on the Web.

Sign here

The presence of a CA also adds credibility to a digital signature, which is string of data attached to a message that ensures it has not been changed and that it comes from the purported sender.

Digital signatures protect messages against forgery and tampering and also ensures non-repudiation (explained below).

A digital signature, coupled with CAs and appropriate legislation, puts digital signatures on par with handwritten signatures -- which means they will be recognised in a court of law.

Section 62 (2) of Malaysia's Digital Signatures Act of 1997 states that ``a digital signature created in accordance with the Act shall be deemed to be a legally binding signature.''

For instance, if I send a digitally signed e-mail message to Company A requesting the shipment of 50 units of their SupaWidget products, then that e-mail message would be as legally binding as a paper order hand-signed by me.

Digital signatures also enforce the concept of non-repudiation, which means a user cannot deny having sent a message if it was digitally signed by him.

This is especially important if e-mail is to be used for financial transactions, issuance of receipts, and contractual agreements.

Where's our CA?

The Malaysian Government has established the Office of the Controller of Certification Authorities (CCA) and has named Post Department's director-general as the interim controller.

The CCA's main responsibilities are to regulate the operations of CAs, repositories, and date/time stamp services in Malaysia. The CCA falls under the jurisdiction of the Energy, Communications and Multimedia Ministry.

At this juncture, there is no indication exactly when a CA will be appointed, or which company will be the CA. When contacted, the CCA did not respond in time for this article.

So far, around 15 companies have expressed interest in becoming a CA, according to an article in the Jaring Internet Magazine (Oct issue).

The most likely contender is Digicert Sdn Bhd, a joint venture company comprising Pos Malaysia Bhd, Mimos Bhd and GITN Bhd, which was officially launched on Aug 13 with the intention of becoming a CA.

Lester Technology's Teoh notes that the technology is already available for establishing a local CA, but the authorities need to consider the legal framework and implementation of a public key infrastructure.

``This is not just a technology issue, we also need to look at policies and implementation,'' he says.

In the meantime, users can still sign up for a digital certificate from US-based certificate authorities like VeriSign Inc, but they can expect to fork out a minimum of US$9.90 (RM37.62) a year for their services.

Also note that US-based CAs will only provide a minimal level of validation to foreign users, which means that the digital certificates they issue to Malaysian are no more valid than say, a signed PGP public key.

Futhermore, digital certificates from non-Malaysian CAs may not be covered under the Digital Signatures Act.

Editor's Note: Digicert is expected to be appointed CA this week -- see In.Tech news.

© In.Tech, Star Publications (M) Berhad.
All Rights Reserved
e-mail intech@thestar.com.my