Overview
AUTHOR
Gérard RIBIÈRE: Computer scientist
INTRODUCTION
Fears inspired by the dematerialization of documents
Any exchange or type of commerce on a computer network, and particularly on the Internet, requires a function that enables the parties involved to identify each other. Once identified, the parties will then want to participate in transactions, consisting of exchanges of orders, invoices, payments and documents in general.
Consider, for example, the case of buying shares over the Internet from a broker. The problem is for the broker and the buyer to identify each other, i.e. to be sure of the partner's identity. But this is not enough: the broker must be able to prove that the buyer has indeed ordered a given type and number of shares; and the buyer must be sure that his order has been taken into account by the broker.
In order to achieve the same level of trust in exchanges over a computer network as in real life, where physical documents are exchanged with a handwritten signature, it is necessary to reproduce electronically the mutual identification of the parties involved in a transaction, and the signature of the documents linked to it.
Electronic identification of transaction participants
As we will see later in this article, password identification, and even the encryption of exchanged information, are not sufficient to meet the need described above. The answer is provided by a certification process for transaction actors, based on a set of components and functions constituting a Key Management Infrastructure (KMI) and enabling the digital signature of exchanged documents.
This type of process is already being used operationally today for transactional exchanges, notably by healthcare professionals to transmit electronic medical forms over the Internet. The functions and products we will describe in this article will make it possible to carry out any other type of network-based commerce, in the broadest sense of the term, going well beyond the framework of relations with the public administration.
In this article, we will begin by mentioning the security requirements imposed by the dematerialization of exchanges (via the Internet, for example), and then briefly describe the techniques used to meet authentication requirements, and consequently the need for certification.
This is followed by an introduction to the concept of electronic certificates and the functions of certificate-issuing authorities. To illustrate our point, we'll present some standard communication protocols and practical applications using certificates.
We're focusing on the Internet because it's the mode of network use that presents the greatest security risks. However,...
Article included in this offer: "Security of information systems" (86 articles)