Friday, May 26, 2006

Security in e-Commerce

One of the most hindering factors for e-Commerce has been the fact that most of the services related to e-Commerce have not been implemented with security in mind. If security is applied as an add-on or a patch to existing e-Commerce solutions, it provides a degraded service because existing e-Commerce functional requirements cannot easily be altered a posteriori. Even if this is not the case, e-Commerce users do not usually trust such an e-Commerce service and frequently opt out of it, being afraid of the risks they might have to take while using the service. Security for e-Commerce must be thought of as a primary functional requirement and must be designed and implemented a priori. Thus, security will not constitute a hindering factor, but an enabler. This paper first considers security requirements for e-Commerce applications, then discusses the workings of the Public Key Infrastructure, PKI, and, finally, highlights its role in developing secure, hence trustworthy, e-Commerce applications.


The Internet is changing every aspect of our lives, but no area is undergoing as rapid and significant a change as the way businesses operate. Today, companies large, medium and small are using the Internet to communicate with their customers, suppliers and partners, to facilitate the communication among their employees and among their branches, to connect with their back-end database systems, and to transact commerce, i.e. they do e-business. In this environment, where almost every organization is increasing its reliance on information and computer-processing facilities, e-Commerce is bringing with it new dependencies and new risks. An industry survey discovered that “organizations engaged in Web commerce, electronic supply chains, and enterprise resource planning experience three times the incidents of information loss and theft of trade secrets than everybody else” [1].

The Information Security Breaches Survey of the British Department of Trade and Industry [2] indicates that 60% of the organizations surveyed (a total of 1000) have suffered a security breach in the last 2 years.


Public Key Infrastructure

A PKI consists of five types of components [10]:
1. Certification Authorities, CAs, that issue and revoke PKCs;
2. Organizational Registration Authorities, ORAs, that vouch for the binding between public keys and certificate holder identities and other attributes;
3. Certificate holders that are issued certificates and can sign digital documents and encrypt documents;
4. Clients that validate digital signatures and their certification paths from a known public key of a trusted CA;
5. Repositories that store and make available certificates and Certificate Revocation Lists, CRLs.

Additionally, a Time Stamping Authority, TSA, may be considered as part of the PKI. Entities that collectively operate as CAs, RAs, Repositories and TSAs have been commonly referred to as Trusted Third Parties, TTPs, or, more recently, as Certification Service Providers, CSPs.
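The CA, repository and client roles listed above, played end to end in Go's standard crypto/x509 package, as an added example that is not part of the paper: the CA issues a root and a server certificate, the repository publishes a CA-signed CRL, and the client validates the certification path from the trusted root and then consults the CRL only after verifying that the same CA signed it. The function names, serial numbers and the "shop.example" host are constructed for the example; it needs Go 1.21 or later for x509.RevocationListEntry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // issuing-side failures abort the demo

// Issue plays the CA: a one-day certificate for cn plus the holder's new key; parent == nil yields a self-signed root.
func Issue(cn string, serial int64, parent *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil { // a root is its own issuer and may sign certificates and CRLs
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
		parent, caKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der)), key
}

// PublishCRL plays the repository: the CA's signed list of revoked certificates, in DER.
func PublishCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...x509.RevocationListEntry) []byte {
	list := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(time.Hour), RevokedCertificateEntries: revoked}
	return must(x509.CreateRevocationList(rand.Reader, list, ca, caKey))
}

// Validate plays the client: path to the trusted root first, then a CRL that the same CA signed.
func Validate(leaf, root *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil { return fmt.Errorf("path validation: %w", err) }
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil { err = crl.CheckSignatureFrom(root) } // an unsigned or foreign CRL proves nothing about the leaf
	if err != nil { return fmt.Errorf("CRL rejected: %w", err) }
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate revoked at %v", e.RevocationTime.UTC())
		}
	}
	return nil
}
```

A TSA is not modelled; revocation time here is whatever the CA wrote into the CRL entry.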


Conclusion
The vast majority of businesses are competing with each other nowadays in the e-Commerce arena. Incentives most commonly used to attract customers in e-Commerce include the fact that the customer transacts directly with the service or product provider, reduced prices (stemming mostly from the lack of business intermediaries) and ease of locating a service or a product.

What the business world seems to be neglecting is the use of a model for e-Commerce transactions, a model that would clarify the functional requirements that have to be met in order to jump on the e-Commerce bandwagon. In this paper we provide such a model. Our business conclusion, based on that model, is that the best customer incentive for e-Commerce is probably integrated security services. These can lead a customer into trusting e-Commerce and engaging in electronic transactions. We show which PKI services businesses need to use in order to enable e-Commerce. Information security technology is there; all businesses have to do is use it in a proper way. What is needed is a careful examination of the risks involved in the process, a comprehensive plan for managing them, and the acceptance or mitigation of the remaining ones.

Information security, if used in a correct manner, is once more shown to be an enabler rather than a hindering factor for business.