Your Digital Certificate Is In the Mail

From horses to cars to airplanes, postal authorities have tried to keep up with the times, although not as fast as some people would like.
The Internet is the latest technology putting postal authorities to the test.
Postal services in such countries as the United States, Sweden, the United Kingdom, Germany and Hong Kong are issuing digital certificates to consumers, businesses and government agencies to securely send electronic documents via the Internet. Other postal authorities are considering getting into the business of providing security for e-commerce.
These efforts could make postal authorities major issuers of digital certificates—and possibly of smart cards, which provide a place to store the certificates. Complain as they do about slow delivery, most people trust their postal service to keep their mail secure. And, with more than 700,000 post office branches worldwide, postal authorities have the network in place to identify applicants and distribute certificates.
But some problems must be worked out. So far, not many insurance companies, banks, government agencies or other organizations have created ways for consumers to use digital certificates. And each postal authority is choosing its own encryption technology, which is not necessarily compatible with another postal service’s technology or, for that matter, with digital certificates issued by a growing number of banks, telecommunications companies and government agencies.
Postal authorities are working to resolve these issues, in part because their futures are at stake. “Sweden’s post office has been a trusted third party since the 1600’s,” says Evald Persson, marketing manager of Sweden’s Posten AB. “It is natural to continue doing what we’re doing in the Internet age.”
Digital certificates are part of an encryption technology called public key infrastructure, which is based on the mathematical relationship of two long numbers. One number, called the public key, is distributed freely. The owner keeps the other number, called the private key, confidential. If a person wants to send his insurance company claim forms, for example, he would encrypt the document with the insurance company’s public key, confident that only someone with the insurance company’s private key could decrypt the message. Parties to a transaction can also use a private key to digitally sign a document, which is considered legally binding in many countries.
Postal authorities issue certificates, which store the public and private keys along with data about the issuing agency and the certificate holder, for a variety of purposes. Sweden’s post office, for example, has been issuing national identification cards for 40 years. In 1996, it began converting those cards to smart cards, and is starting to load digital certificates on every smart card it issues for cardholders to use to electronically sign documents.
Posten AB charges about $50 for the chip card, which citizens are not required to carry. So far, some 40,000 citizens have bought cards, says Persson.
Posten AB would prefer to issue digital certificates on smart cards because that way the certificates can be carried around by the individuals authorized to use them. But few personal computers are connected to smart card readers, making chip cards hard to use today, says Persson. “Once computer manufacturers start including smart card readers, this will not be a problem,” he says.
In the meantime, Posten AB has issued 100,000 certificates via the Internet that citizens can store on the hard drives of their PCs. The postal service sends the recipient a password via registered mail that he uses to identify himself at the post office’s Web site to download a certificate.
Storing certificates on PCs is less secure than smart cards or other removable tokens because anyone with access to the PC could, in some cases, use the certificate. Also, PC hard drives are vulnerable to hackers, who can launch viruses onto PCs to sniff out certificates.
Uses for Certificates
Applications for digital certificates are emerging. Posten AB has started issuing certificates to 12,000 companies for declaring value-added taxes. It will begin issuing certificates to the Stockholm city planning administration so that developers can apply for building permits online.
It also has issued smart cards with digital certificates to 5,000 of the country’s hospital employees to enable secure access to hospital databases, says Persson.
Making the right applications available is key to promoting widespread use of digital certificates, says Persson. “You need four or five applications that will make individuals or their employers willing to pay for the smart card,” he says.
Working with government agencies and businesses in the United Kingdom to create applications is a primary strategy for ViaCode Ltd., the wholly owned certificate authority of the UK’s postal authority, the Royal Mail. For example, ViaCode is working with the UK government, which has mandated that most of its services be accessed online by 2005, to create applications that require digital signatures, such as filing income taxes.
Audit Trail
The applications will use ViaCode’s recently announced eCourier service, which will use digital certificates to time stamp electronic documents. The process creates the digital equivalent of registered mail.
To use the service, a sender encrypts and digitally signs an e-mail message and any attached documents. But instead of being sent directly to the recipient, the message and attachments go first to a forwarding server where they are again encrypted and time-stamped. At the same time, the server sends the sender a time-stamped “message received” receipt.
When the recipient clicks to open the message and attachments, software residing on his computer automatically checks ViaCode’s certificate directory to authenticate the sender. At the same time, it calls the messaging server to retrieve a decryption key that can be used for a limited time. The server notes the time it was asked for the session key, and sends a time-stamped “your message has been opened” receipt to the sender.
If the message and the attachments are not opened within a specified time, the sender receives a time-stamped notification.
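The receipt sequence described above can be modelled as a small server-side audit log. This is an added example, not ViaCode’s code: the class and method names, the two time parameters and the use of an HMAC tag in place of a certificate-based time stamp are all assumptions, and the signed, encrypted message is treated as opaque bytes.

```python
import hashlib
import hmac
import secrets


class ForwardingServer:
    """Hypothetical model of the forwarding server's receipt log."""

    def __init__(self, open_window_s, key_ttl_s):
        # Assumption: an HMAC key stands in for the server's signed time stamp.
        self._stamp_key = secrets.token_bytes(32)
        self.open_window_s = open_window_s  # how long the recipient has to open
        self.key_ttl_s = key_ttl_s          # lifetime of a released decryption key
        self._msgs = {}                     # msg_id -> per-message state
        self.receipts = []                  # everything sent back to the sender

    def _tag(self, kind, msg_id, when):
        body = f"{kind}|{msg_id}|{when}".encode()
        return hmac.new(self._stamp_key, body, hashlib.sha256).hexdigest()

    def _receipt(self, kind, msg_id, when):
        self.receipts.append({"kind": kind, "msg_id": msg_id, "time": when,
                              "tag": self._tag(kind, msg_id, when)})

    def verify_receipt(self, r):
        """True only if kind, message id and time are what the server stamped."""
        expected = self._tag(r["kind"], r["msg_id"], r["time"])
        return hmac.compare_digest(expected, r["tag"])

    def accept(self, signed_ciphertext, now):
        """Sender hands over the signed, encrypted message; server stamps it."""
        msg_id = hashlib.sha256(signed_ciphertext).hexdigest()[:16]
        self._msgs[msg_id] = {"key": secrets.token_bytes(32), "accepted": now,
                              "opened": None, "notified": False}
        self._receipt("message received", msg_id, now)
        return msg_id

    def request_key(self, msg_id, now):
        """Recipient opens the message: log the time, release a short-lived key."""
        m = self._msgs[msg_id]
        if m["opened"] is None:
            m["opened"] = now
            self._receipt("your message has been opened", msg_id, now)
        return m["key"], now + self.key_ttl_s

    def sweep(self, now):
        """Notify the sender once about each message unopened after the window."""
        for msg_id, m in self._msgs.items():
            overdue = now - m["accepted"] > self.open_window_s
            if m["opened"] is None and overdue and not m["notified"]:
                m["notified"] = True
                self._receipt("not opened in time", msg_id, now)
```

Because each tag covers the receipt type, the message identifier and the time together, a receipt whose time has been altered after the fact no longer verifies.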
Initially ViaCode plans to offer the service to companies for business-to-business commerce. ViaCode would issue certificates to large corporations; owners of small businesses would go to one of the British Chamber of Commerce offices to receive a certificate.
In order to get certificates to consumers, ViaCode signed a deal in September with UK Smart, an Internet application provider that will issue free digital certificates to consumers. ViaCode will verify the identity of consumers who apply for the certificates.
Safe E-Mail
Starting this summer, consumers can pick up a free CD-ROM containing the certificate from any of 12,000 post office branches in the United Kingdom, or they can order the software from the UK Smart Web site. Once the software is installed on his PC, the consumer will be asked to go through a series of online checks with ViaCode, after which he will be issued a certificate. Consumers can also apply in person for a certificate at their local post office.
Instead of charging consumers for the certificates, ViaCode and UK Smart will charge businesses that accept the certificates, either on a subscription basis or per transaction, says Sean Mills, ViaCode’s marketing manager. ViaCode also plans to market its eCourier service to Internet service providers so their customers could use certificates to send each other secure electronic mail, he says.
ViaCode chose not to issue certificates on smart cards because few computers in the United Kingdom have readers, says Mills. “The aspiration to use smart cards is there because then consumers have a roving service they could access at any computer with a reader,” he says. “But at this time we are constrained by the lack of technology.”

In its digital certificate initiative, the United States Postal Service resolved the card reader issue by supplying readers from New York-based PubliCard Inc. to users of its NetPost.Certified service. The service will use smart cards loaded with digital certificates to certify electronic documents.
Initially, the Postal Service will offer the service to government agencies. Later on, NetPost.Certified may be available to the public.
“One of our strengths will be our ability to authenticate consumers in person at one of our 40,000 branches,” says Stephen Kearney, the Postal Service’s senior vice president of corporate and business development. “But first we want to make the service right for the government.”
The federal Health Care Financing Administration and the Social Security Administration will be the first agencies to use NetPost.Certified to process reimbursement claims for renal dialysis centers. The service will enable the claims from 4,700 centers in the country to be electronically filed, speeding up processing.
“We could issue between 5,000 cards to 50,000 cards for HCFA,” says Chuck Chamberlain, manager of e-government for the Postal Service. “It depends on how many cards are issued per renal dialysis center.”
In addition, government agencies may come up with new applications that would require more cards. For example, the Social Security Administration may use the cards for wage reporting, which would require a minimum of 6.5 million cards, says Chamberlain. “It is all application-driven,” he says.
NetPost.Certified is designed to encrypt documents so that when they are sent online, only the receiving party can open them. The technology also will time- and date-stamp the documents, making them as legally binding as certified mail in the physical world. The Postal Service plans to charge 50 cents per file transmitted.
If a cardholder loses his smart card or has it stolen, the Postal Service would revoke the digital certificate on the chip.
The cards, which will be supplied by France-based Gemplus International SA and Australia-based KeyCorp Ltd., will have 52 kilobytes of memory. Although a digital certificate typically takes up less than 2K of memory, the Postal Service plans to use the additional memory for other applications. “Having a multiapplication card is part of our overall smart card strategy,” Chamberlain says. Credit or debit applications are being considered, he says.
European Projects
Like the United States, Germany’s federal government has passed a law making digital signatures legally binding. E-commerce security projects are just getting underway in the country, using certificates from “trust centers” formed by major banks, a telco, government agencies and the postal authority, Deutsche Post.
Deutsche Post has contracts to supply at least 300,000 smart cards loaded with digital certificates to several hospitals, a state government and national association of notary publics, says Marcus Belke, managing director for Deutsche Post Signtrust, which runs the postal service’s certificate authority and e-commerce security products unit.
The cards would be used by the various groups as ID cards, for controlling access to medical records; signing applications and other documents sent to the government; and securing contracts and documents transmitted online for government and business-to-business commerce, he says.
In addition, PC retailer and manufacturer Vobis Network SpA is planning to issue cards bearing Deutsche Post certificates in Italy and Austria later this year to customers who buy its PCs. Consumers could use the cards to securely buy computer equipment and supplies on Vobis’ Web sites, says a spokeswoman.
The company plans to expand the project to other countries it does business in and to other Web sites. Vobis also plans to build readers into its PC keyboards.
The idea, says Belke, especially for the projects in Germany, is to get secure e-commerce flowing by building a “critical mass” of individuals, government agencies and businesses who use digital certificates.
No Common Language
But even within Germany, certificates from one trust center do not work with those issued by another. Germany’s certificate providers are working with similar organizations in other countries and PKI vendors to make certificates interoperable. But there is much work to be done.
“How can we send a bill from Germany to Paris, France, and have it be accepted?” asks Peter Mandos, managing director of D-Trust, the trust center owned by the Bundesdruckerei, the former German federal printing office. “The Internet is a global business, it’s borderless. We have to break down the borderlines.”
Other postal authorities are working with the Universal Postal Union, an agency of the United Nations, to draft standards for securely sending electronic documents internationally, says Steve Gray, program manager of e-business for the Postal Union. Postal authorities in Hong Kong, the United States, United Kingdom, Canada and Norway are participating in a pilot to create standards for time stamping electronic documents, says Gray.
The UPU also wants to ensure that postal authorities can accept each other’s secure electronic mail by creating a common PKI standard for postal authorities worldwide, which the Postal Union would oversee, he says.
Another technological problem is integrating PKI systems with existing computers, says Gray. For example, if a government agency uses digital certificates to process taxes, the agency needs to take the information from the Internet and put it in its back-end system, where other data is stored, says Gray. “It’s a lot easier for agencies to get money to build new technology based around the Internet than it is to replace the legacy systems,” he says.
This is among many hurdles postal authorities must cross to make their systems work. But more and more authorities are convinced the effort is worth it if they want to remain relevant in the Internet Age.
“You have to find new ways of surviving,” says Posten AB’s Persson.
ISSN 1093-1279; Page 22-30
Copyright 2001 Thomson Financial Media
© 2001 Resp. DB Svcs. All rts. reserv.
CARD TECHNOLOGY, 1st April 2001
