Seminar on Electronic Certification (Séminaire sur la Certification Electronique), Algiers, Algeria, 8-9 December 2009. International Telecommunication Arab Regional Office. Assisting Governments in Developing e-commerce Ecosystems: A Synthesis of Global Experience. David Satola, Senior Legal Counsel, World Bank (Banque Mondiale), dsatola@worldbank.org
Outline The Process of Reform Methods of Authentication Legal and Regulatory Enabling Environment UNCITRAL
e-commerce Ecosystem: designing a legal and regulatory enabling framework that responds to local needs and is informed by international experience, of which PKI is one part, together with institutional design to enhance trust. Goals: certainty, predictability, increased confidence and use.
Types of E-commerce Activities (rows: initiating party; columns: counterparty)

                 Government (G)                Business (B)                          Consumer (C)
Government (G)   G2G: coordination             G2B: information                      G2C: information
Business (B)     B2G: government procurement   B2B: e-commerce between businesses    B2C: e-commerce in consumer markets
Consumer (C)     C2G: e.g., tax compliance     C2B: price and other comparisons      C2C: auction markets

Source: Jonathan Coppel, E-Commerce: Impacts and Policy Challenges 4 (OECD Economics Department Working Paper No. 252, 23 June 2000)
Legal Framework Design draws on: International Models and Conventions; Regional Norms and Initiatives; Other Nations' Experience (but, as above, the framework must still respond to local needs).
Reform Process (diagram): Stage 1, Current Structure / Status Quo: issue identification and resolution; Stage 2: issues, strategies, policies and objectives; Stage 3, New Structure: implementation. LEGAL REFORM runs through all three stages, supported by broad public consultation and stakeholder buy-in.
Outline The Process of Reform Methods of Authentication Legal and Regulatory Enabling Environment UNCITRAL
Methods for authenticating users of electronic signatures (1): PKI, based on asymmetric (public-key) cryptography. The signer holds a private key known only to that party; the matching public key is distributed in a digital certificate issued by a trusted third party, the certification authority (CA), which binds the key to the signer's identity. A signature created with the private key and verified with the public key establishes that the data message came from the holder of the private key and was not altered after signing. PKI is the preferred authentication method when high levels of certainty regarding the identity of the user are required.
Methods for authenticating users of electronic signatures (2): "PKI [is] the authentication method of choice when strong evidence of identity and high legal certainty of the electronic signature is required. The use of PKI-enabled smart cards and the integration of digital certificate functions into application software have made the use of this method less complicated for users. However, it is generally acknowledged that PKI is not required for all applications and that the choice of authentication method should be made on the basis of its suitability for the purposes for which it would be used." (UNCITRAL WG IV, Future Work, A/CN.9/630/Add.3). The implementation of PKI is situation-specific. Even in EU Member States operating under a common set of Directives, each Member State has a different approach to the use of e-signatures, including PKI.
[Other] Methods for authenticating users of electronic signatures (3): symmetric encryption (a shared-key scheme in which the same key is used to encrypt the data message at the point of origin and decrypt it at the receiving end); passwords (one factor; a symmetric process, e.g. ATM PINs); tokens or two-factor authentication (a secret comparable to a password is embedded in the token; tokens can be physical or electronic); biometrics (such as retinal or other scanning); secure closed systems (dedicated computer-to-computer links or private networks); and blended systems (one of the above digital technologies combined with an orthogonal confirmation, such as a telephone confirmation). Because both ends of a symmetric scheme hold the same secret, it authenticates the message between the two parties but cannot by itself prove to a third party which of them produced it, which is why it supports authentication but not non-repudiation.
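To make the symmetric-versus-asymmetric distinction concrete, here is an added example (not code from the seminar or the World Bank) using a keyed hash (HMAC-SHA256), the standard way a shared key authenticates a message. The key and messages are constructed values. The tag verifies correctly and detects tampering, but the receiver, holding the same key, can mint an equally valid tag for any message, so the tag proves nothing to a third party about which key holder signed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Both ends of a symmetric scheme hold the same secret. This key is a
// constructed example value, not a real credential.
var sharedKey = []byte("constructed-shared-secret-for-demo")

// Tag computes an HMAC-SHA256 authentication tag over msg with key.
func Tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// Verify recomputes the tag and compares in constant time, so a tampered
// message or a wrong key is rejected without leaking timing information.
func Verify(key, msg, tag []byte) bool {
	return hmac.Equal(tag, Tag(key, msg))
}

// ReceiverCanForge shows the limit of a shared-key scheme: whoever holds
// the key can produce a valid tag for any message, so a valid tag cannot
// establish toward a third party which of the two key holders created it.
func ReceiverCanForge(key []byte) bool {
	forged := []byte("I agree to pay 10,000 DZD") // constructed message
	return Verify(key, forged, Tag(key, forged))
}

func main() {
	msg := []byte("transfer 100 DZD to account 42") // constructed message
	tag := Tag(sharedKey, msg)
	fmt.Println("tag:              ", hex.EncodeToString(tag))
	fmt.Println("valid:            ", Verify(sharedKey, msg, tag))
	tampered := []byte("transfer 900 DZD to account 42") // one digit changed
	fmt.Println("tampered valid:   ", Verify(sharedKey, tampered, tag))
	fmt.Println("wrong key valid:  ", Verify([]byte("other key"), msg, tag))
	fmt.Println("receiver can forge:", ReceiverCanForge(sharedKey))
}
```

Contrast this with a digital signature: only the private-key holder can produce it, and anyone with the public key can verify it, which is what lets a PKI signature carry non-repudiation.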
PKI: countries use different approaches. How certificates are issued (Root CA vs. Accreditors, Bridge CA); scope of use of PKI; how certificates are delivered (e.g., smart cards, file transfer, etc.).
PKI (cont.): limited use of PKI, usually linked to a weak/strong signature environment. Strong signatures are appropriate for online transaction activities requiring a high degree of verification; weak signatures may be appropriate for others (more later).
Root CA Issues: cost; publication of certificate policies and certification practice statements (CP/CPS); limitation of liability of the Government as Root CA; determining the scope of application of digital certificates (DCs); dispute resolution; highly specialized training required.
PKI Cost: the cost of PKI should take account of the benefits (certainty of authentication) derived from the use of PKI systems. The single biggest cost is establishment of the certification process. For Root CAs there is an additional incremental cost for each certificate issued.
PKI Total Cost of Ownership. Cost categories: A. Fixed Establishment Costs; B. Variable Establishment Costs; C. Fixed Annual Costs; D. Variable Annual Costs. Cost components:
- Application related: all costs associated with PKI-enablement of the application.
- End-user related: all costs associated with supporting end users, including help desk, education and marketing efforts.
- Certificates: the cost or fee per certificate.
- RA: costs associated with front-end registration.
- CA: costs associated with the back-end Certification Authority operation: investment in security, cryptographic systems, infrastructure, personnel, facilities and compliance-related activities.
- Key media: costs of the media in which end-user private keys are conveyed; can be close to zero for simple soft certificates, or can entail licence fees for roaming soft-certificate solutions.
Source: OASIS PKI White Paper
Outline The Process of Reform Methods of Authentication Legal and Regulatory Enabling Environment UNCITRAL
Legal/Regulatory e-commerce Enabling Environment: Basics. Functional equivalence of electronic signatures and documents; non-repudiation; authentication (for PKI: certification; for other forms: technology neutral); interoperability (cross-border recognition of authentication models); levels of security (weak vs. strong signatures); institutional arrangements for the CA: Root CA (certificate issuer) vs. Accreditor; limitation of liability for a Government Root CA; party autonomy (enables parties to establish their own authentication framework); scope (types of transactions to which the Law applies, and exclusions).
Weak vs. Strong: the EU approach (Directive 1999/93/EC). Electronic signature: data in electronic form attached to or logically associated with other data and serving as a method of authentication; applicable to any authentication of information. Advanced electronic signature: one uniquely linked to and capable of identifying the signatory, created using means under the signatory's sole control, and linked to the data so that any subsequent change is detectable; in practice a digital signature, but the certificate may come from an unsupervised or unknown CA. Qualified electronic signature: an advanced electronic signature based on a qualified certificate issued by a supervised (trusted) certification service provider and created by a secure signature-creation device; only this tier is given the same legal effect as a handwritten signature.
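The technical difference between the tiers, and the point of the Root CA / Accreditor discussion above, is whether the relying party can chain the signer's certificate to a root it trusts. The following is an added example, not code from the seminar or the World Bank, using Go's standard X.509 and ECDSA packages. It builds two self-signed CAs with constructed names, places only one in the relying party's trust store, issues a signer certificate from each, and classifies three cases: a signature under the trusted issuer (signature and chain verify), a signature under the unknown issuer (signature verifies, chain does not), and a tampered message (signature fails). The message text and the mapping of outcomes to the constants below are the example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Level is what a verifier can technically establish; which legal tier a
// signature earns depends on what the applicable law requires.
type Level int

const (
	Invalid       Level = iota // signature does not verify under the certificate's public key
	SignatureOnly              // verifies, but the certificate chains to no root the verifier trusts
	TrustedChain               // verifies and the certificate chains to a trusted root CA
)

// template builds a certificate template for subject; ca marks it as a CA.
func template(subject string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo only; real CAs use unique random serials
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// certify generates a fresh P-256 key for tmpl and has issuer sign the
// certificate; with a nil issuer the certificate is self-signed (a root).
func certify(tmpl, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if issuer == nil {
		issuer, issuerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Sign produces an ASN.1 DER ECDSA signature over SHA-256(msg).
func Sign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Classify does what a relying party does: check the signature under the
// public key in the presented certificate, then check whether that
// certificate chains to a root in the relying party's trust store.
func Classify(roots *x509.CertPool, cert *x509.Certificate, msg, sig []byte) Level {
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig); err != nil {
		return Invalid
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return SignatureOnly
	}
	return TrustedChain
}

// Scenario runs the three cases described in the lead-in.
func Scenario() (fromTrusted, fromUnknown, tampered Level, err error) {
	trustedRoot, trustedKey, err := certify(template("Constructed National Root CA", true), nil, nil)
	if err != nil {
		return
	}
	unknownRoot, unknownKey, err := certify(template("Constructed Unknown CA", true), nil, nil)
	if err != nil {
		return
	}
	aliceCert, aliceKey, err := certify(template("Alice", false), trustedRoot, trustedKey)
	if err != nil {
		return
	}
	bobCert, bobKey, err := certify(template("Bob", false), unknownRoot, unknownKey)
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot) // the relying party trusts only the national root
	msg := []byte("Contract 17: deliver 500 units by 2010-01-31")     // constructed
	altered := []byte("Contract 17: deliver 900 units by 2010-01-31") // constructed, one digit changed
	sigA, err := Sign(aliceKey, msg)
	if err != nil {
		return
	}
	sigB, err := Sign(bobKey, msg)
	if err != nil {
		return
	}
	return Classify(roots, aliceCert, msg, sigA), Classify(roots, bobCert, msg, sigB), Classify(roots, aliceCert, altered, sigA), nil
}

func main() {
	a, b, c, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("trusted issuer:", a, " unknown issuer:", b, " tampered:", c)
}
```

Note that Bob's signature is cryptographically sound; what the verifier cannot establish is who Bob is, because nothing vouches for the certificate that names him. That is exactly the gap that accreditation, a government Root CA or a bridge CA is meant to close, and why the trust store (which roots the relying party accepts) is a policy decision, not a cryptographic one.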
Legal/Regulatory Enabling Environment Ecosystem: in addition to e-commerce issues, a functioning enabling environment will also feature, e.g.: digital data privacy protection; breach notification; cybercrime; consumer protection; critical infrastructure protection; intellectual property rights (IPRs); electronic transfers (banking).
Outline The Process of Reform Methods of Authentication Legal and Regulatory Enabling Environment UNCITRAL
UNCITRAL: two model laws (each with a guide to enactment), the Model Law on Electronic Commerce (1996) and the Model Law on Electronic Signatures (2001), available at http://www.uncitral.org/uncitral/en/uncitral_texts/electronic_commerce/ ; these contemplate PKI, but not exclusively.
UNCITRAL Convention on the Use of Electronic Communications in International Contracts (2005). Key features: applies only to cross-border transactions; permits legal recognition without changing domestic law; harmonizes e-contracting rules across other treaties; permits States Parties to exclude certain matters through declarations. Available at http://www.uncitral.org/uncitral/en/uncitral_texts/electronic_commerce/2005Convention.html