Picked up from the N.Y. Times. It is not a biometric article, but it shows how biometrics would make things a lot easier.

Bank Allowed to Issue Internet Identity Certificates
By PETER WAYNER
Federal banking authorities have approved a move by a Utah bank into the business of identifying people and companies on the Internet.
The Office of the Comptroller of Currency, which is the part of the Department of Treasury responsible for regulating the powers of national banks, on Tuesday approved a decision by the Salt Lake City-based Zion's First National Bank to be the first financial institution to act as a certificate authority and issue certificates of identity for the Internet.
A certificate authority is a relatively new business that is emerging to help people analyze and authenticate numeric IDs, or "digital signatures," on the Internet. A person might use a certificate authority to check whether a digital signature on a purchase order or a check is valid. Many people feel that these companies are crucial to making Internet commerce more secure and reliable.
There are already several companies in the business of supplying certificates, but this is the first move by a bank. Some of the other certificate companies like VeriSign and GTE began by supplying certificates for Web servers. Lately, they have begun to experiment with supplying the certificates for the credit card industry.
The greatest significance of this decision may be cultural because it opens the doors for banks to extend their control of commerce in the Internet.
The application from Zion's First National Bank outlines a small, experimental program that will only serve commercial customers at the beginning. The first application will help the Utah state court system process electronic documents and verify that they are authentic.
Digital signatures are excellent tools for these applications because they can provide more security than a basic signature. Many of the new Internet transaction protocols, like the SET credit card process, rely heavily on digital signatures to prevent fraud. A document sealed with a digital signature can't be changed or tampered with in any way without making the signature invalid, while photocopies and other reproductive tools have made it easy to forge handwritten signatures and move them to documents that never carried them originally.
In practice, digital signatures are just numbers that are attached to a document, but the numbers are calculated with a complicated formula that virtually guarantees that it is impossible for anyone but the person holding the secret key to come up with the same number.
Certificates act like driver's licenses or passports on the Internet. They provide the means for someone to check someone's digital signature and guarantee this by also carrying the digital signature of the person or agency that issued the certificate.
PGP Inc., the encryption software company, includes the process in its software that allows anyone to produce certificates by applying their digital signature to the key of another. The company refers to this process as "building a web of trust" and this is essentially what a certificate does. It lets someone say, "I don't recognize your signature, but I do recognize the signature of First National bank. They've given you a certificate endorsing a copy of your signature with theirs. Therefore, I'll trust you because I trust them."
The decision by the Comptroller of the Currency validates a line of thinking that has been percolating throughout the banking industry for the past several years. According to some, the business of banking is not just about counting dollars and cents, it's about managing risk. Banks are looking for ways to leverage their ability to manage risk to make more money in cyberspace.
In the letter to the Zion Bank authorizing the new business, the Office of the Comptroller of Currency said that it was recognizing, "that banking also involves understanding, processing, and using massive amounts of information regarding the credit risks, market risks, and other risks inherent in a vast array of products and services, many of which do not involve traditional lending, deposit taking, or payments services. Today, banks can be said to be part of a technological revolution in risk information processing."
In time, the bank's role may change to make this job more transparent and accessible to the public. Right now, a bank may merely give away certificates to the people and companies maintaining accounts at the bank, but in the future it might charge for certificates when they come with additional features like guaranteeing transactions.
The new move is an extension of a bank's traditional role as a notary public and a provider of letters of credit. Jay Simmons, a Senior Vice President at CertCo, explains, "Strangers who are buyers and sellers have a problem entering into a contractual relationship. The notion of trust that is injected into those relationships by letters of credit from their bank."
CertCo is the company that provides the software being used by Zions First National Bank. It was originally part of Banker's Trust until it was spun off into a separate venture in November, 1996.
Simmons suggests that in the future, certificates issued by a bank's certificate authority might act just like a letter of credit. For instance, a bank might issue certificates to officers of a company that guarantee their signatures up to, say $100,000.
If a business received an electronic purchase order for $50,000 worth of goods with the digital signature from that company, the business could turn to the bank's certificate authority for help verifying that the signature is valid.
These possibilities are all in the future and the Comptroller of Currency did not authorize this business yet. Julie Williams, the chief counsel at the Comptroller of Currency, said that this feature might be considered in the future. "There will be evolution and growth from this decision. We're not there yet. I don't think I would feel safe in predicting what would come next. The important thing is that this is the beginning."
In the letter, the Comptroller of the Currency also recognized that Zion's First National Bank was not initially going to offer the technology to the consumer market. Nevertheless, the letter anticipated the move and insisted upon several safeguards for the public. The bank must inform consumers how the technology works and provide an adequate mechanism for dealing with errors. It must guard the personal data acquired in the process and it cannot sell the information or use it for marketing purposes.
The bank also does not intend to act as a "key recovery" agent for any of its clients. That is, it won't maintain copies of their private keys that scrambled proprietary data. Williams said: "That area is one that they would clearly have to come back and ask for regulatory guidance."
She said that the liability involved with such a job is an important problem to consider.
Related Sites
Office of the Comptroller of the Currency
Zion's First National Bank, and Digital Signature Trust Company, the bank's new subsidiary
Peter Wayner at pwayner@nytimes.com welcomes your comments and suggestions.
Sunday, January 17, 1998 Copyright 1998 The New York Times
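
The article describes a bank-issued certificate that vouches for an officer's signature up to $100,000 and a merchant checking a $50,000 purchase order against it. The sketch below is an added example, not part of the article and not CertCo's or the bank's software. It assumes Ed25519 signatures from Node's built-in crypto module, a JSON certificate format, and constructed names and keys; expiry and revocation checks are left out.

```javascript
// Added illustration; all names, keys and documents below are constructed.
const crypto = require('node:crypto');

// Ed25519 stands in for whatever signature scheme a real CA would use.
const newKey = () => crypto.generateKeyPairSync('ed25519');
const sign = (priv, text) => crypto.sign(null, Buffer.from(text), priv).toString('base64');
const verify = (pub, text, sig) =>
  crypto.verify(null, Buffer.from(text), pub, Buffer.from(sig, 'base64'));

// The bank binds a subject name, public key and dollar limit under its own signature.
function issueCertificate(bankPrivateKey, subject, subjectPublicKey, limitUsd) {
  const body = JSON.stringify({
    subject,
    publicKey: subjectPublicKey.export({ type: 'spki', format: 'pem' }),
    limitUsd,
  });
  return { body, bankSignature: sign(bankPrivateKey, body) };
}

// Merchant side: trust only the bank's public key, then work down the chain.
function checkOrder(bankPublicKey, cert, order, orderSignature) {
  if (!verify(bankPublicKey, cert.body, cert.bankSignature)) return 'bad certificate';
  const { subject, publicKey, limitUsd } = JSON.parse(cert.body);
  const signerKey = crypto.createPublicKey(publicKey);
  if (!verify(signerKey, order, orderSignature)) return 'bad order signature';
  const { buyer, amountUsd } = JSON.parse(order);
  if (buyer !== subject) return 'signer is not the named buyer';
  if (amountUsd > limitUsd) return 'over guaranteed limit';
  return 'ok';
}

// Constructed scenario using the article's figures.
const bank = newKey();
const officer = newKey();
const cert = issueCertificate(bank.privateKey, 'Officer, Example Co.', officer.publicKey, 100000);
const order = JSON.stringify({ buyer: 'Officer, Example Co.', amountUsd: 50000, item: 'goods' });
const orderSig = sign(officer.privateKey, order);

function demo() {
  const tampered = order.replace('50000', '5000');
  const forgedCert = { body: cert.body.replace('100000', '900000'), bankSignature: cert.bankSignature };
  return {
    valid: checkOrder(bank.publicKey, cert, order, orderSig),
    tampered: checkOrder(bank.publicKey, cert, tampered, orderSig),
    forgedCert: checkOrder(bank.publicKey, forgedCert, order, orderSig),
  };
}
console.log(demo());
```

The merchant never needs the officer's key in advance: the only key it trusts beforehand is the bank's, which is the "I'll trust you because I trust them" step the article quotes.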