GlobalSign Certificate Authority
by Paul Grosse - June 1999
Introduction
As companies start to realise the importance of e-business and e-commerce - the fact that if they fail to take advantage of the situation now, their market position may suffer irreparable damage - the need for a neutral, trustworthy, third party manifests itself. The saying goes 'on the Internet, nobody knows you are a dog' and without such a trusted third party, an organisation that can vouch for the validity of the identity of both parties to a contractual agreement, e-commerce and e-business could not happen on a truly global scale.
Certification Authorities (CAs) provide a means by which two parties can trust each other because the CA has either confirmed the identity of both parties itself or trusts another CA that has done so - this confirmation being in the form of a digital certificate. With a hierarchical network of CAs, each trusting each other or a common third party (CA), both parties to an agreement know that the credentials of the other have been checked. In addition to being able to confirm the identity of parties to an agreement, the encryption technology used in the production and verification of the certificates can also be used to verify the contents of an agreement - something that a written signature on a piece of paper cannot do. With such a network of trust and a technology that provides the verification of the contents of documents in addition to the ability to conceal them completely if required, the five basic requirements authentication, authorisation, confidentiality, integrity and non-repudiation are met.
A company's requirements regarding the production and use of digital certificates will vary according to each company's situation - ranging from the production of certificates though partially outsourced certification authorities to a completely in-house CA. GlobalSign is able to provide all of these levels of service along with consultancy services and seminars.
Products
Digital certificates are meant to be a form of proof that a certain authentication process has occurred that identifies the company or person to whom is was issued. Basic information regarding the identity and status is condensed and encrypted using a key that is kept secret by the certification authority. Using a key, this certificate can be read by others and its contents verified. The only way that this can work is through a method of encryption called asymmetric encryption.
Symmetric encryption is the method that we are all familiar with - it uses the same key to decrypt a message as was used to encrypt it analogous to your front door key. In this case, the keys cannot be distributed but must be kept secret - passed only to the authorised recipient of the message via a trusted and secure route - usually by meeting face to face. If this was the primary method used by CAs in digital certificates, everything would be open to fraud as people without the key would not be able to verify the credentials of the other party and people with it could claim that the CA had done things that it had not.
Asymmetric encryption is a method that requires two keys - one to encrypt a message and the other to decrypt it - it does not matter which key is used for which process but a message can only be decrypted with the other key. Under these circumstances, the CA keeps one key of the pair private and is able to distribute the other key to all. To sign a certificate, the CA's private key is used and anyone can verify the signature by using the CA's public key.
In addition to this, there is a function called a message digest or hash function. It is able to take a message and reduce it to a 128 bit string of characters (in the case of MD5) or similar and has the property that it is virtually impossible to predict the output string from the data without using the function itself. Simply changing one character in the input data can change the whole output string so adding an extra zero to a fee will produce a completely different result. In this way, it is possible to sign an MD5 hash of a document or file without the signer seeing the contents of the file.
Electronic documents that need to be tamper evident but not secret can have a signed message digest attached to the document thus confirming that a particular document - such as deeds or a will - has not been altered in any way. If privacy is required, the message is encrypted with the sender's private key and the recipient's public key therefore recipient knows that there is only person who could have sent it and the sender knows that there is only one person who can read it. Thus, using asymmetric encryption and message digests, communications between two parties involved in e-commerce or e-business can be just as secure as if they were to sign the agreement face to face and, if the country's legislation is in place, they can be as legally binding.
Digital Certificates
GlobalSign offers five types of digital certificates according to use: Class 1, 2 and 3 personal certificates; Secure server certificates; and, Object publishing certificates.
Class 1 Personal certificates for demonstration purposes are issued for 1 month and costs only the time to download it. Allowing the user to familiarise himself with at least part of the process of obtaining a certificate is of particular importance to companies using the Internet for e-commerce where the user population has to be confident with the technology. By providing demonstration certificates, GlobalSign is getting end users started and gaining confidence - something that is important if e-commerce is to grow to its full potential.
To obtain a Class 1 certificate, using the browser, the user simply fills in a form online, telling GlobalSign his email address and giving GlobalSign a password and a prompt should that be required. An email with a URL and a PIN is sent to that address and the user then accesses the new URL and gives tells GlobalSign the password - the certificate is then downloaded to the user's browser.
This demonstration certificate contains only the email address as it only confirms that there is a connection of some sort between the computer on which the initial form is filled and the computer that receives the email - the email address need not exist as many email programs will pick up all incoming mail on a particular POP3 account regardless of whether or not that particular user exists thus james@doe.com will be picked up along with john@doe.com and all other @doe.com mail even if james@doe.com does not exist as such.
Class 2 certificates require that the user sends a copy of their passport or driver's license and a signed copy of the user agreement to be verified. Provided that there has not been any enrolment fraud at the passport or driver's license issuing offices, this is verification that a person does exist - full name, country and email address appearing in the certificate. In recognition of this, GlobalSign puts a liability cap of $2,620 or 2480 EUROs on communications and transactions involving Class 2 certificates. GlobalSign anticipates that a Class 2 certificate will cover most electronic communications of this sort.
Class 3 Pro certificates requires further stringent identification including an obligatory physical appearance of the applicant at the Local Registration Authority (LRA) and the professional context of the user's appearance. Full name, organisation (optional), country and email address appear in the certificate and in recognition of this, GlobalSign puts a liability cap of $39,320 or 37185 EUROs on communications and transactions involving Class 3 certificates. Class 3 certificates are only available in countries where GlobalSign has a local RA and LRA partner - currently: Austria; Belgium; Greece; Italy; Lebanon; Luxembourg; and, the UK.
Secure Server Certificates are required by the web server in order to enable SSL thus giving users confidence in the identity of the server and confidentiality of exchanged data such as addresses, transaction values, credit card details and so on. To obtain a Secure Server Certificate, your email address, passport, professional context and proof of ownership of the domain name are required. The certificate contains the full domain name, the organisation, country and email address with a liability cap of $39,300 or 37,185 EUROs
Object Publishing Digital Certificates are used for signing applets distributed over the Internet, making the end user absolutely certain that the object received is the same as the one that was certified. Companies sign their applets with either Microsoft Authenticode or Netscape ObjectSigning - both methods being supported by GlobalSign certificates.
Enterprise Suite
For a company to set up its own CA, serious consideration has to be given to factors such as the time to market, the cost of such an exercise, in terms of cost of new computer hardware, software, upgrading buildings, additional employment costs relating to the increased security required to protect the root key and the fact that employees involved with the security of the CA may find themselves under attack. Such a financial investment and the additional cost of training staff and protecting them may be unacceptable to many companies - preferring instead to outsource the CA but retain the management of digital certificates.
Enterprise Suite allows companies to issue their own certificates, effectively becoming a Registration Authority and letting GlobalSign have the responsibilities of running the CA. The company's customers seeing the company as their trusted third party. Via a web based administrations interface, the administrator acts as a remote user of GlobalSign's CA infrastructure, issuing, deferring or revoking his own corporate certificates using the GlobalSign CA Backbone.
The Enterprise suite operates in three areas. At GlobalSign, there is a separate application running on their secure back-end for managing the company's certificates and there is access to GlobalSign certificate signing services and GlobalSign's directory services (CRL/LDAP/Web). On the company's site there is a 128-bit version of a browser, a smartcard reader and 1 smartcard per administrator - these cards being used for storage of the administrator certificate, and a set of web enabled administration pages for performing virtual CA functions - issuing, deferring and deleting certificate requests and revocation list management. The end user has a web-based registration procedure for each type of digital certificate to be issued by the RA - these pages may be branded to conform with the RA's corporate identity.
A typical interaction between the CA, the RA and the end user to create a certificate starts with the end user creating the key pairs. A certificate request is then sent to the CA and a set of credentials is sent to the RA (or the end user turns up in person - dependent upon the requirements of the certificate type to be issued). The RA then verifies the credentials and notifies the CA via a 128 bit encrypted secure channel that the certificate issuance is approved. Upon receipt of this the CA creates the certificate and signs it using its private key. Then the end user is sent a URL from which he then downloads and installs the digital certificate.
CAVIAR
CAVIAR is the full-blown CA for companies that have decided to do everything in-house. Unlike a number of CAs, CAVIAR was designed to manage a number of types of certificate with a number of applications - it has not started from a single type, single application system that has then had to cope with growth. CAVIAR also supports signed logging and auditing, load balancing and component redundancy along with key splitting to ensure extra security around the CA's private key.
CAVIAR is based upon open systems such as ITU X.509 v3 certificates, RSA and PKCS standards and so on. By adopting these open standards, the system is able to work with other PKI systems and the customers are not tied down to one particular system. CAVIAR supports indirectly any hardware tokens that comply with any of the secure web browsers available on the market (such as Netscape Communicator and Microsoft Internet Explorer) thus giving support to GemPlus, DataKey, Schlumberger, Uti-maco and Bull devices. By storing the certificate on a smartcard, a user carries around with him authentication information thus allowing CA administrators workstation independence.
The attributes of certificates produced by CAVIAR may be customised according to the CA's needs with completely automatic or completely manual RA procedures (or a mixture) implemented according to a number of conditions defined by the CA's policies with the number of types of certificates extended to any number of classes of certificates.
Platforms
Browsers:
Tokens/Smartcards:
Pricing
Certificates | ||
Class 1 Demo | Free | |
Class 2 | $20 or 19 EUROs per year | |
Class 3 Pro | $65 or 60 EUROs per year | |
Secure server certificates | 210 EUROs per year | |
Object publishing certificates | 305 EUROs per year | |
EnterpriseSuite | ||
Start-up costs | from 5,000 EUROs | |
Yearly operation cost | from 1,000 EUROs | |
Certificate prices | (dependent upon volume) | |
Class 2 | less than 15 EUROs | |
Class 3 Pro | less than 50 EUROs |
Opinion
Companies are beginning to get the idea that they need to get involved with e-commerce and e-business in order to survive in the long term. However, getting end-users to become confident in the procedures that are required in order to obtain a certificate can be quite a hurdle. GlobalSign has overcome this by providing a Class 1 certificate that installs on the end user's browser in the same way that the other certificates do but costs the end user nothing more than the time for the Internet connection. Getting the user to make this first step is of particular importance if high volume e-commerce it to manifest itself in any significant way.
The use, by GlobalSign, of open standards ensures that users are not tied down to any specific vendor and that any faults detected in the standards used will be corrected as soon as possible. The standards used are: CCITT X.500 and X.509 (v2 and v3) certificate content; PKIX (IETF); RSA (512/1024 bit) public key encryption; DES and 3DES 56/128 bit symmetric encryption; MD5 and SHA-1 hashing algorithms; LDAP v2, v3 directory services for databases; PKCS #7, #10, #11, #12 - certificate request, delivery, signature, storage format specifications; Crypto-API - Microsoft certificate management application programming interface; S/MIME secure email standard; SSL v2 and v3 along with the newer TLS v1+ secure web server standards; and IPSec for Virtual Private Networks (VPNs). Information pertaining to all of these standards is available for inspection on the Internet.
A certificate is only as strong as its weakest link and Object Publishing Digital Certificates (used for signing applets or other programs distributed over the Internet) could give the impression that they are safe to use just because they have been signed. Although a signature will show if a program has been altered or substituted since it was signed, a correct signature cannot be a guarantee that a program will work properly and will not erase or otherwise damage your files, it can only make the end user certain that the object received is the same as the one that was certified. Unless some extensive testing procedure is undertaken as part of a program certification process, there can be no guarantee of safety. Any company signing programs must make sure that the program that is being signed has been tested, and compiled and linked using clean routine libraries otherwise an apparently secure system may be compromised by something as simple as a linker library routine that has a backdoor built into it.
Strengths
Weaknesses
Conclusions
GlobalSign provides Digital Certificate services at all levels from simple digital certificates for vendors and customers in e-commerce to a fully blown certification authority. The inexorable growth of electronic business of one kind or another is forcing companies into a position of needing a working, fully functional solution as soon as possible or see their market share fall.
GlobalSign's open standards based PKI means that its products and services are able to work with other products in a way that is seamless to the end user. In addition, the company has increasing representation in Europe and the Middle East with further expansion planned. Using the ubiquitous browser and taking advantage of an increasingly global presence, GlobalSign appears to be in a good position to take advantage of the growth in Internet based trade that is forecast over the next few years.
Company Profile
Originally founded in 1996 by Netvision and the Federation of Chambers of Commerce and Industry of Belgium, Belsign, developed the GlobalSign network as part of its international strategy of expansion in August 1998 as a result of the vast majority of its certificates being issued outside Belgium. With three regional investment companies: GIMV; SRIW; and, SRIB adding capital in October 1997 followed by KBC in October 1998 and more recently, ING-Barings, the company has a sound basis from which it has been able to spread across Europe - it now having representation in: Austria; Greece; the Lebanon; Luxembourg; the Netherlands; Italy; Turkey; and, the UK amongst others and is continually looking at expansion into other countries both inside and outside the EU.
The company recently announced an increase in annual turnover from 2.5 million BEF to 34 million BEF (from $65,000 to nearly $900,000) with a fivefold increase in its number of employees over the same period. The breakdown of the use of digital certificates or digital signatures issued by GlobalSign is approximately: 20 percent for certificates intended for communications between companies and services in the public sector; 70 percent for certificates concerning the exchange of information between companies; and 10 percent are issued to private individuals.
GlobalSign's products and services include: Personal Certificates - ranging from confirmation of an email address through to proof of identity required by a Local Registration Authority; Secure Server Certificates - allowing Secure Socket Layer (SSL) capable web servers to communicate with customers and business partners; Object Publishing Certificates - allowing the distribution of software via the Internet; Partially outsourced Certification Authorities - Enterprise Suite, allowing companies to use the facilities of a CA without the security requirements of actually running one; and, a Full CA - CAVIAR. In addition to these, GlobalSign offers consultancy services and training seminars covering the basics of CAs through to the management of a CA.
The company has strategic partnerships with Al Erishadia Est. of the United Arab Emirates and Kuwait; the British Chamber of Commerce; the Chamber of Commerce, Industry and Agriculture of Beirut; CIMAD; GemPlus; IBM Global Network; Price Waterhouse Coopers; Oracle; Sun Microsystems; SSE (Irish Siemens Nixdorf subsidiary); and Uti-maco. The company is also a 'Recognised CA' by Netscape with root certificates included by default with the browsers. Microsoft does not include any CA root certificates in this way but Microsoft does refer the user to a link on the GlobalSign site for downloading this certificate.
GlobalSign is also involved in a number of European projects which includes TIE (the Trusted Information Exchange) which makes recommendations to the European Commission relating to the regulation of Certification Authorities dealing with business, technical and legal issues. This consortium consists of: Baltimore; BelSign; ICL; Shell; Uti-maco; ICRI; Trusted Information Systems; and, the UK Postal Service.
In Europe:
GlobalSign NV/SA
Arts-Madou Building
Kunstlaan 1-2
1210 Brussels
Belgium
Tel: +32 2 209 06 00
Fax: +32 2 209 06 09
Email: sales@globalsign.net
WWW: http://www.globalsign.net/
Copyright (c) 1999 P. A. Grosse. All Rights Reserved.