The San Jose Mercury News


DIGITAL IMPRINT
NEW DIGITAL IDS GUARANTEE INDIVIDUAL FINGERPRINTS FOR INFO THAT FLOWS THROUGH THE NET


Published: Monday, July 15, 1996

Section: Business Monday

Page: 1E


By SIMSON L. GARFINKEL, Special to the Mercury News

FLY IN to San Francisco International Airport, flash a driver's license and a major credit card, and you can drive away with a brand-new car worth more than $15,000. You can do this because the rental-car company knows that if you steal the car, you almost certainly can be tracked down and thrown in jail.

The driver's license makes the accountability possible. And that accountability helps make car rentals - and many other transactions - possible.

Digital identifications will be the driver's licenses of cyberspace, supporters say. And a number of companies now are working hard on digital IDs. Their goals (beyond making money) are to make the Internet safe for commerce, improve consumer confidence in the programs they get or ''download'' from the Net - and even make it possible to create private spaces on the Internet, allowing private groups and clubs to stop strangers at the doors.

Digital IDs might even play a role in the 1996 elections to help voters distinguish official campaign materials from parodies or outright fraud. And digital IDs could lay the framework for sending truly ''secure'' electronic mail - a mail system unable to be tapped even by the world's most powerful governments and corporations.

Digital IDs are based on digital signatures, a technique for mathematically ''signing'' electronic messages and computer programs. Digital signatures are based on public key cryptography, a 19-year-old mathematical technique for scrambling information so that it cannot be viewed by anyone other than the intended recipient.

To create a digital signature, you first need to create two digital ''keys,'' one public and one private. To sign a document, you feed both the document and your private key into a special computer program. The program creates an electronic signature, which is attached to the document at the bottom. Anybody else can feed the document and signature into another program, along with a copy of your public key, and determine whether the signature is authentic.

Any change invalidates the signature

Digital signatures actually are superior to conventional pen-and-ink signatures in one important way. With a paper contract, there always is a chance that an unscrupulous person might make a change to the document after you sign it. (That's why both parties should keep a copy.) With digital signatures, any change to the document invalidates the signature.

''As long as your private key remains private, you can show mathematically that there is no way either to forge a signature on a new document or to modify a document that already has been signed,'' says Bruce Schneier, author of the book ''Applied Cryptography.''

Digital signatures are built into the popular cryptography program ''Pretty Good Privacy,'' written by Philip K. Zimmermann, a Colorado-based computer programmer who has used PGP as a way to thumb his nose at the government that wants a way to monitor electronic transmissions. But programs like PGP always have had a stumbling block that has prevented their widespread use: a reliable system for distributing people's public keys and for proving that a person's public key actually belongs to that person, not an impostor.

Consider the PGP public-key server, a computer at the Massachusetts Institute of Technology where public keys are stored and available to anyone. As of June 21, there were 13,924 public keys on the server. But some of the keys obviously were fakes - such as the key for William J. Clinton at the e-mail address president@whitehouse.gov and the one for Albert Gore at vice-president@whitehouse.gov; programs such as PGP violate the administration's encryption policies.

Then, there is the key for Hillary Rodham Clinton with this malicious e-mail address: bimbo@whitehouse.gov. All these names reside on the publicly available PGP ''key server,'' says Jeffrey I. Schiller, manager of the MIT Campus Network, because anybody on the Internet can submit a ''key'' with any name they wish and have it registered. The service is free. There are no controls - which means no accountability.

VeriSign of the times

VeriSign, a year-old company based in Mountain View, has developed a way to stamp out this anarchy. But the plan requires everyone who wants to do business on the Internet to trust VeriSign as the Net's gatekeeper.

VeriSign's digital IDs use digital signatures to prove that ID holders are who they claim to be. VeriSign's basic ID card contains a copy of your public key, your ''distinguished name'' - usually your legal name - and, optionally, your e-mail address. The ID then is signed by one of VeriSign's private keys. To verify somebody's digital ID, a program running on your computer checks the signature to make sure that it's correct.

In order for this system to work, the program on your computer must have a copy of VeriSign's public key. Fortunately, the company already has anticipated this need. Copies of the VeriSign public key are included inside every copy of Netscape Navigator and Microsoft's Internet Explorer, the main Web browsers in use today.
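
The signing and ID-checking steps described above (sign with a private key, verify with the public key, and an ID whose name, e-mail address and public key are signed by the issuer), shown as an added example that is not part of the original article. It uses textbook RSA with constructed toy keys; the names, addresses, field layout and key sizes are assumptions made for illustration, and real systems use far larger keys plus padding.

```python
import hashlib

# Constructed toy key material (assumption): Mersenne primes give small moduli.
# Textbook RSA without padding, for illustration only; never use at this size.
E = 65537

def make_keypair(p, q):
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))      # private exponent
    return (n, E), (n, d)                  # (public key, private key)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private_key):
    n, d = private_key
    return pow(digest(data, n), d, n)

def verify(data, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == digest(data, n)

def id_bytes(name, email, pub):
    # Hypothetical canonical encoding of the fields the issuer vouches for.
    return f"{name}|{email}|{pub[0]}|{pub[1]}".encode()

def issue_id(name, email, pub, ca_private):
    return {"name": name, "email": email, "public_key": pub,
            "ca_signature": sign(id_bytes(name, email, pub), ca_private)}

def check_id(cert, ca_public):
    body = id_bytes(cert["name"], cert["email"], cert["public_key"])
    return verify(body, cert["ca_signature"], ca_public)

def demo():
    ca_pub, ca_priv = make_keypair(2**107 - 1, 2**127 - 1)  # issuer's keys
    user_pub, user_priv = make_keypair(2**61 - 1, 2**89 - 1)  # ID holder's keys
    cert = issue_id("Alice Example", "alice@example.com", user_pub, ca_priv)
    forged = dict(cert, name="Mallory Example")   # field edited after issuance
    doc = b"I agree to pay $100."
    sig = sign(doc, user_priv)   # valid for whoever holds user_priv
    return {"id_valid": check_id(cert, ca_pub),
            "forged_id_valid": check_id(forged, ca_pub),
            "doc_valid": verify(doc, sig, cert["public_key"]),
            "altered_doc_valid": verify(b"I agree to pay $900.", sig, user_pub)}

if __name__ == "__main__":
    print(demo())
```

The checker needs only the issuer's public key, which is why a copy must already be present in the verifying program.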

In fact, if you ever have used Netscape Navigator to connect to a ''secure'' Web server - a computer that offers Net users a connection where information exchanges are scrambled so outsiders can't read them - you've used a VeriSign digital ID.

VeriSign charges merchants $290 for server-authenticity certificates. They must be renewed each year for $95. Besides enabling the encryption that's built into the Netscape Navigator, they have another important role: Because VeriSign conducts a background investigation of each business before the digital ID is issued, the digital ID greatly reduces the chances that one organization could masquerade as another.

'Ripe Man for the Job'

With the coming elections, the possibility of a spoof or parody Web site increasingly is a problem for the legitimate campaigns. This past November, for instance, pranksters set up a spoof ''Dole for President'' Web site. The site (http://www.dole96.org/) declared the 73-year-old to be ''the Ripe Man for the Job'' - not what the actual Dole site (http://www.dole96.com) would want you to think.

VeriSign's background checks could prevent people from obtaining digital credentials in another organization's name, though the Dole-site prankster, Brooks Talley, disagrees. ''We could always set up a fictitious business name,'' says Talley, who writes for a computer magazine. ''There will always be ways to scam things on the Net.''

A different class of ID

This summer, VeriSign plans to go beyond certifying businesses and certify individual Web surfers as well. What makes this possible is a new feature inside Netscape Navigator 3.0 that can store digital credentials for users in addition to companies.

VeriSign plans to offer four kinds of digital IDs. A Class 1 ID simply would assure that the user had a valid e-mail address. VeriSign plans to give away Class 1 IDs free for personal use.

VeriSign's Class 2 ID would provide greater assurance that a person is who he or she claims to be. To obtain a Class 2, Net users would have to provide their legal names and a valid mailing address. VeriSign would then verify this information with Equifax, one of the nation's largest credit-reporting agencies. A Class 2 ID would cost $12 per year.

Even more secure is the Class 3 ID, which would require the presentation of notarized documents. It will cost $24 per year. VeriSign also has planned a super-secure Class 4, though the price for this digital ID doesn't appear on the company's price list.

Head-to-head competition

VeriSign isn't the only digital ID player. Later this year, GTE plans to launch CyberTrust, a family of services that will compete directly with VeriSign. GTE also plans to sell software that will let companies set up their own certification authorities, bypassing VeriSign entirely.

One of the big differences between the GTE product and VeriSign's, says CyberTrust director Tom Carty, is that GTE won't have VeriSign's complicated four-class hierarchy. ''We will hopefully simplify that process for the subscribers,'' he says.

GTE's CyberTrust also will allow electronic identification to be given to roles within an organization rather than the actual individuals who hold those roles. This might allow a corporate purchasing officer to sign a digital purchase with just a job title rather than an actual name.

Because GTE's public-key technology also is embedded inside Netscape Navigator, GTE could give VeriSign real competition.

Keeping secrets

To use your digital ID, you'll need the matching private key. Version 3 of the Netscape Navigator automatically creates the public key and the private key when you visit VeriSign's digital ID Web site (http://digitalid.verisign.com). The public key is sent to the VeriSign site to get the company's signature, but the private key never leaves your computer. If you need more security, Netscape Navigator can encrypt your private key, too. Netscape recommends that you encrypt your key if other people have access to your computer.

One of the problems with all of VeriSign's IDs, though, is that they don't really prove that the person who flashes the ID really is who he or she claims to be. Instead, all a VeriSign ID proves is that the person flashing the ID has access to your secret key. It might mean that you did not encrypt your secret key, and a thief stole your computer.

''I will admit that it is not the ultimate proof of identity, even at class 4,'' says Stratton Sclavos, VeriSign's CEO.

Copyright 1995, The San Jose Mercury News. Unauthorized reproduction prohibited.

