In the world of business to business (B2B) e-commerce, trading partners stand to lose very substantial sums if it transpires that they have not been dealing with whom they thought they were. Indeed, the potential to make cost savings and increase service offerings via internet commerce may be outweighed by the risk of losing large amounts of money through an insecure internet transaction.
B2B users need to be certain that an e-mail message truly originates from the ostensible sender. For instance, if an Italian car manufacturer wants to order $1m of Japanese steel over the internet, the car manufacturer's purchasing agent needs to be certain he or she is communicating with the steel manufacturer's agent. There is too much at stake simply to trust blindly in a trading partner's identity – incorrect identity could break a business.
In the past, if you had no confirmation that an order originated from a trusted source or if you had never conducted an on-line business transaction with a particular company before, you had to go to great lengths to research the potential client. However, there is now a global infrastructure that can handle this research. And, just in case something goes wrong, this infrastructure also puts a bullet-proof audit trail into place.
The importance of having a trust infrastructure with enforced processes and operating rules to back digital certificates was illustrated earlier this year, when Verisign issued two digital certificates to criminals fraudulently claiming to be Microsoft employees. Verisign failed through 'human error' to follow certificate authority policies in issuing the certificates.
Managing the risk
Whether it is the negotiation and ultimate execution of a purchase transaction from the corporate procurement area, or the closing out of a large position on the foreign exchange desk, certainty and enforceability of contract take on a whole new meaning as transactions are increasingly done using an electronic signature rather than a paper one. In recognition of this trend, both in wholesale capital markets as well as in the core commercial banking marketplace, a group of major financial institutions took the bold step of creating a vehicle that would provide a global infrastructure - a set of scaffolding on the internet. This vehicle has both a technical platform and supporting operating rules extending into each participating financial institution. Contractual relationships between parties within the system provide the legal infrastructure. The platform provides a core identity assurance service, around which applications would be based.
The financial institutions are positioning themselves as the trusted third party (TTP) organisation that businesses look to when seeking identity services. These TTPs act as certificate authorities equipped with the knowledge to certify, issue and maintain digital certificates verifying identity, upon which trading partners can rely.
Financial institutions are an ideal choice to act as a certificate authority. They are uniquely trusted by corporations worldwide, they are already regulated by local, regional and national government agencies, and they have experience in risk management activities that can be adapted to the digital world. They also have the capital to back up transactions, should that be necessary.
Identrus LLC acts as the global root certificate authority, from which financial institutions can extend their e-commerce based offerings. Based in New York and with an international office in London, Identrus made its public debut in the autumn of 1999 at the SIBOS Expo in Munich. Subsequently, its founders received a green light from the US regulators for the entity to offer certificate authority services to regulated financial institutions who, in turn, provide their own branded digital identity credentials around which they would offer value adding applications to their end customers. It is with the financial institutions' participation and agreement that Identrus will be able to meet its targets and schedules throughout the forthcoming year and fulfil its mission based on these principles – global coverage, interoperability, simplicity and trust (GIST).
The legal model of Identrus is based upon a contractual relationship between parties within the system (sometimes referred to as being a "closed" system), because the only law that can conceivably offer global uniformity and enforceability is private contractual law. In such an environment, there are no grey areas, and two parties can conduct ad hoc transactions in the confidence that their signatures will be accorded legal validity. In this framework, the users of the Identrus business model, the '4-corner model', essentially take the well recognised practice of two trading parties using their respective banks – 'participant banks' – and allowing those end parties to seek varying degrees of identity assurance.
An end-user of the system can use it to mitigate or manage the degree of risk that is associated with trust.
- A relying customer can simply accept an Identrus compliant certificate and bear 100% of the risk (equivalent to trading on open account) - known trading customer to known trading customer.
- Where a relying customer sees a trading partner infrequently, but has had no problems in the past, he might check that the certificate that was good last time is still valid today and that nothing has changed. In that case, a simple validation, through the "relying participant" across to the "issuing participant", will confirm the certificate is still valid and that it has not been revoked.
- Where a high value transaction occurs, or where perhaps there is less frequent interaction with the counterparty, the relying party may seek a warranty - a specific assurance both as to amount and term, which effectively binds the certificate to the person it purports to represent. In the event of any loss that occurs in the transaction as a result of mistaken identity, the relying party can look to the issuing participant as the first line of defence in resolving the issue.
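The three tiers above (accept, validate, warranty) and the routing of a check from the relying participant across to the issuing participant can be sketched as a small simulation. The code below is an added example and is not Identrus's own code or API; every class name, field, threshold and limit in it (the 90-day and $1m tier thresholds, the warranty cap, the sample banks and certificate) is an assumption constructed for illustration.

```python
"""Toy model of the '4-corner' assurance tiers: relying customer -> relying
participant -> issuing participant. All names, fields and limits are assumed."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Certificate:
    serial: str
    subject: str       # trading party the certificate purports to identify
    issuer: str        # issuing participant (the subject's bank)
    not_before: date
    not_after: date


@dataclass
class IssuingParticipant:
    """Bank that issued the certificate and answers validation and warranty requests."""
    name: str
    issued: dict = field(default_factory=dict)   # serial -> Certificate
    revoked: set = field(default_factory=set)    # revoked serials
    warranty_limit: int = 5_000_000              # assumed per-certificate cap (constructed)

    def issue(self, cert):
        self.issued[cert.serial] = cert

    def revoke(self, serial):
        self.revoked.add(serial)

    def validate(self, cert, today):
        """Confirm we issued exactly this certificate, it is in its validity period, and it is not revoked."""
        if self.issued.get(cert.serial) != cert:
            return "unknown"          # not ours, or contents differ from what we issued
        if cert.serial in self.revoked:
            return "revoked"
        if not (cert.not_before <= today <= cert.not_after):
            return "expired"
        return "valid"

    def warranty(self, cert, amount, term_days, today):
        """Bind the certificate to its subject for a specific amount and term, if we can stand behind it."""
        status = self.validate(cert, today)
        if status != "valid":
            return {"granted": False, "reason": status}
        if amount > self.warranty_limit:
            return {"granted": False, "reason": "amount exceeds limit"}
        return {"granted": True, "amount": amount, "expires": today + timedelta(days=term_days)}


class RelyingParticipant:
    """The relying customer's bank: routes requests across to the issuing participant."""
    def __init__(self, name, directory):
        self.name = name
        self.directory = directory    # issuer name -> IssuingParticipant

    def validate(self, cert, today):
        issuer = self.directory.get(cert.issuer)
        return issuer.validate(cert, today) if issuer else "unknown issuer"

    def warranty(self, cert, amount, term_days, today):
        issuer = self.directory.get(cert.issuer)
        if issuer is None:
            return {"granted": False, "reason": "unknown issuer"}
        return issuer.warranty(cert, amount, term_days, today)


def choose_tier(amount, known_counterparty, days_since_last_deal):
    """Tier chosen by the relying customer; thresholds are assumed values, not Identrus rules."""
    if amount >= 1_000_000 or not known_counterparty:
        return "warranty"
    if days_since_last_deal > 90:
        return "validate"
    return "accept"


def decide(relying, cert, amount, known, days_since, today, term_days=30):
    """Return (tier, proceed?) for a proposed transaction."""
    tier = choose_tier(amount, known, days_since)
    if tier == "accept":
        return tier, True                                   # relying party bears the risk itself
    if tier == "validate":
        return tier, relying.validate(cert, today) == "valid"
    return tier, relying.warranty(cert, amount, term_days, today)["granted"]


# Constructed sample data
TODAY = date(2001, 9, 1)
STEEL_BANK = IssuingParticipant("Steel Bank")
STEEL_CERT = Certificate("0001", "Steel Manufacturer", "Steel Bank", date(2001, 1, 1), date(2002, 1, 1))
STEEL_BANK.issue(STEEL_CERT)
CAR_BANK = RelyingParticipant("Car Bank", {"Steel Bank": STEEL_BANK})

if __name__ == "__main__":
    print(decide(CAR_BANK, STEEL_CERT, 50_000, True, 10, TODAY))     # ('accept', True)
    print(decide(CAR_BANK, STEEL_CERT, 50_000, True, 200, TODAY))    # ('validate', True)
    print(decide(CAR_BANK, STEEL_CERT, 1_000_000, True, 10, TODAY))  # ('warranty', True)
    STEEL_BANK.revoke("0001")
    print(decide(CAR_BANK, STEEL_CERT, 1_000_000, True, 10, TODAY))  # ('warranty', False)
```

The point the model makes is that the relying customer never queries the counterparty's bank directly: the check crosses the two participant banks, and only the issuing participant can say whether a certificate it issued has since been revoked. A certificate whose contents differ from what the issuer recorded is treated as unknown rather than merely expired, which is the case a forged or mis-issued credential would fall into.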
There are over 40 member banks in the Identrus system so far, including some of the largest banks in the world. Eight of these banks are deployed with live infrastructure and Identrus expects live transaction flow to build on the system this year.
There are 20 more financial institutions in the queue to deploy this year, representing a large percentage of current members moving to live production. In the corporate marketplace, Identrus will be available to two thirds of the commercial accounts in the world by the end of 2001, representing 85% of world trade activities in industrialised countries.
Speed to market, the ability to generate applications and the supporting framework to quantify and effectively manage operational risk are seen as critical success factors. For example, the initiative with SWIFT, the bank-owned worldwide messaging system, will speed take-up. It recognises the need for convergence of infrastructures, and it gives both banks and their customers the option of using this well trusted, long-established infrastructure.
The future is here - and it shows every sign of being enormously exciting and ultimately beneficial to all parties concerned.
John Bullard is managing director, sales and participant relations, Identrus LLC, Telephone: 020 7618 8000, E-mail: email@example.com
The deadline for EU member states to implement the provisions of the Electronic Signatures Directives into their national legislation was 19 July 2001. Addressing the Signature Standardisation Initiative conference in Brussels a month earlier, Erkki Liikanen, member of the European Commission responsible for Enterprise and the Information Society, said that the objective is to allow for a better legal recognition of electronic signatures in the EU, so that they can be used legally not only in one member state but also for cross-border transactions. The directive also aims at facilitating the take up of e-commerce in Europe.
Liikanen stressed that the new information society services require a high level of trust and security in a business environment where technologies are rapidly changing. As proposed in the recently adopted Communication on network security, member states are invited to review all relevant security standards and - if necessary - to organise competitions for European encryption and security solutions.
Plug and play
Microsoft Corp is supporting the Identrus system in an agreement that encompasses a wide range of Microsoft products, including the Windows 2000 platform and .NET Enterprise Servers as well as e-mail application Microsoft Outlook.
The collaboration will empower financial institutions and their corporate trading partners to combine the Identrus framework with popular Microsoft platforms to conclusively identify one another during e-commerce transactions and create non-disputable records of these transactions. This first-of-its-kind agreement will make bank-backed internet security "plug and play" on Microsoft enterprise computing products.
In March, Financial Sector Technology (FST), an online resource for financial services and technology professionals, presented Identrus with its top annual award for driving B2B e-commerce. The FST award recognised Identrus' ability to deliver definable and significant business for its customers, innovation in its products and services, and successful project management as evidenced by delivering on time and within customers' budgets.
The complete list of FST Award winners can be found at http://www.fstech.co.uk.