Soon, criminals will be as keen to steal their victims' identities to penetrate bank accounts, bypass corporate security systems or obtain loans as they are to nick physical possessions, according to the Department of Trade and Industry.
In the US, it is already so pervasive that this year an estimated 700,000 Americans will fall victim.

If identity management is such a hot issue, why have solutions been so slow to get into the mass market? We know the technology to establish a digital identity exists: digital signatures, deployed in the context of a Public Key Infrastructure (PKI). Yet PKI remains virtually unused in today's business environment. Why? PKI is too complicated for end-users, administrators and managers. A technical person can download and install a certificate (a kind of digital identity) in their browser, but a lay person will never make it through the process, especially since they don't understand what a certificate is anyway. It is also too expensive: not just the cost of buying and installing the software from Baltimore or whoever, but the cost of support as well.
As an infrastructural investment, PKI needs a strategic approach. Using it to solve a username/password problem is like using a sledgehammer to crack a nut. Yet another reason could be that many people still do not understand what digital signatures can and can't do. PKI isn't a single technology: it is more like a complex grouping of technologies.
In essence, public-key cryptography lets me do two things. I can encrypt a message to my bank's public key, confident that only the bank, which holds the matching private key, will be able to read it. That's called encryption. And I can sign a message with my own private key, so that the bank, checking it with my public key, can be confident that the message came from me and was not altered in transit. That's called authentication (strictly, authentication of origin plus integrity), and it is the digital signature proper. It is this second function that digital signature legislation in various jurisdictions is concerned with.
PKI has become the de facto standard, particularly in Europe, and most legislation is based on PKI, even though there are other ways to implement digital signatures. A certain amount of digital signature legislation has been passed in Europe and the US, meaning that digital signatures have legal status. But a digital signature isn't really the same thing as a written signature on a piece of paper. In fact, even calling it a "signature" can be misleading for a number of reasons. First, there are verification problems. When I use a pen to sign a physical piece of paper, I can see the paper I'm signing. But when I'm presented with a document on a computer screen and sign it by, for example, inserting my smart card encoded with my private key into a reader attached to the computer, the card signs whatever bytes the software hands it, which need not be what the screen shows. I could be signing absolutely anything.
Second, there are identity problems. A valid signature proves only that my private key was used, not who used it. Unless the use of my private key is unmistakably linked to me - say, through a biometric identifier such as my fingerprint - then even if a document does carry my digital signature there is no proof I actually signed it. Third, I could always claim that someone else used a copy of my key. If, for example, a bank generates a private key for me and gives me a copy, I might claim I did not actually sign a document, and that someone in the bank must have given my key to a third party; the signature itself cannot tell the two cases apart. So is it possible to imagine a time when the problems of identity, trust and reputation will be solved? Yes, absolutely. But not yet.
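The two operations described above (encrypting to the bank, signing for the bank) and the three objections that follow, as an added example that is not part of the original article. It uses only the Go standard library; the choice of Ed25519 for signing and RSA-OAEP for encryption is mine, and the customer, the bank and the payment messages are constructed for illustration.

```go
package main

// Added example, not from the original article. Demonstrates, with the Go
// standard library only, what a signature does and does not prove: it covers
// exactly the bytes handed to the key (not what was on screen), any change
// breaks it, and a copy of the key produces an identical signature. The bank,
// the customer and the messages below are constructed for illustration.

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// NewSigningKey returns the customer's Ed25519 key pair. The customer keeps
// priv; the bank learns pub (in a real deployment, via a certificate).
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces the customer's signature over exactly the bytes in doc.
func Sign(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc)
}

// Verify is what the bank runs: true only if sig was made with the private key
// matching pub over these exact bytes.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// NewEncryptionKey returns the bank's RSA key pair; only the bank holds priv.
func NewEncryptionKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptForBank: anyone can encrypt to the bank's public key, only the bank
// can read the result. RSA-OAEP with SHA-256; msg is limited to 190 bytes
// with a 2048-bit key.
func EncryptForBank(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// DecryptAtBank reverses EncryptForBank with the bank's private key.
func DecryptAtBank(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// IndistinguishableCopies models the repudiation problem: a copy of the
// private key (say, one the bank kept after generating it) yields a
// byte-for-byte identical signature, so the signature alone cannot show
// which holder of the key used it.
func IndistinguishableCopies(priv ed25519.PrivateKey, doc []byte) bool {
	copyOfKey := make(ed25519.PrivateKey, len(priv))
	copy(copyOfKey, priv)
	return bytes.Equal(Sign(priv, doc), Sign(copyOfKey, doc))
}

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		log.Fatal(err)
	}

	// The card signs the bytes it is handed, not the text rendered on screen.
	shown := []byte("Pay GBP 10 to ACME")     // constructed: what the user saw
	handed := []byte("Pay GBP 10000 to ACME") // constructed: what was signed
	sig := Sign(priv, handed)
	fmt.Println("verifies against what was shown: ", Verify(pub, shown, sig))  // false
	fmt.Println("verifies against what was handed:", Verify(pub, handed, sig)) // true

	// Integrity: one altered byte in transit and the bank rejects it.
	altered := append([]byte{}, handed...)
	altered[4] ^= 0x01
	fmt.Println("verifies after tampering:        ", Verify(pub, altered, sig)) // false

	// Confidentiality: only the bank's private key opens the message.
	bankKey, err := NewEncryptionKey()
	if err != nil {
		log.Fatal(err)
	}
	ct, err := EncryptForBank(&bankKey.PublicKey, handed)
	if err != nil {
		log.Fatal(err)
	}
	pt, err := DecryptAtBank(bankKey, ct)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("decrypted matches original:      ", bytes.Equal(pt, handed)) // true

	fmt.Println("copy of key signs identically:   ", IndistinguishableCopies(priv, handed)) // true
}
```

Note what the last line shows: Ed25519 signatures are deterministic, so the signature made with the bank's retained copy of the key is not merely also valid but identical. Nothing in the signed document records who held the key, which is why the text's second and third objections cannot be answered by the cryptography alone.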
One day, digital identities and digital signatures will be central to life online. But to imagine that PKI will instantly solve all the problems of e-commerce and e-crime is not just premature, but plain wrong.