Skip to main content Skip to navigation

Electronic Law Journals Journal of Information Law & Technology

JILT 1998 (3) - Matthew Ford

Identity Authentication and 'E-Commerce'
Matthew D. Ford

Table 1: U.S. PKI Technical Working Group Certificate Assurance Levels

Type

Identification Requirements

Validity Period

Minimum Key Length

Key Protection

Low Assurance

Driver's License, passport, etc

Two Years

768 bits

Floppy Disk

Medium Assurance

Driver's License, Passport, etc. With signed authorisation from superior

Four Years

896 bits

Floppy Disk or FIPS 140-1 Level 2 cryptographic token card

High Assurance

Government Identification card. With signed authorisation from superior

Four Years

1024 bits

FIPS 140-1 Level 3 cryptographic token card
Source: Ford & Leech (1996)

Table 2: Required Certificate Application Information

Class of Certificate

Required Certificate Application Information

Class 1

Individuals:

Required Information
(a) Common name (or alias)
(b) Subject public key
(c) E-mail address
(d) Executed subscriber agreement
(e) Credit card information (if applicable)
(f) Challenge phrase (to later authenticate subscriber to the IA)
(g) Other information as prescribed by the IA

Optional
(h) Demographic data (Registration Field Information)

Method of Communicating Application: The IA communicates a certificate prototype (unsigned) and a subscriber agreement to the certificate applicant. By completing this on-line dialog via a secure Web channel, the certificate applicant then affirms that (i) the certificate applicant information is accurate and (ii) he or she has read, understands, and agrees to the term of the subscriber agreement. Upon completion of specified validation procedures, the IA sends E-mail to the E-mail address that was provided by the certificate applicant in the certificate application. This E-mail message contains a PIN (and optionally, a draft of information content to be included in the certificate) that authorises the certificate applicant to obtain a certificate from the IA.

Business Entities: Class 1 certificates are issued to individuals only.

Class 2

Individuals:

Required Information
(a) Legal name (in the form of a common name)
(b) Proposed distinguished name
(c) Street, city, state, postal/zip code, country (of residence)
(d) Voice telephone numbers (of residence)
(e) E-mail address
(f) Subject public key
(g) Credit card information
(h) Spouse's first name (if applicable)
(i) Social security number
(j) Date of birth
(k) Employer (if applicable)
(l) Challenge phrase (to later authenticate subscriber to the IA)
(m) Executed subscriber agreement
(n) Previous address (if changed within last two years)
(o) Driver's license information (if applicable)
(p) The 'software publisher's pledge' (for individual software publisher certificate applicants only)
(q) Other information as prescribed by the IA

Optional
(r) Demographic data (Registration Field Information)

Method of Communicating Application: Same as Class 1.

Business Entities: Class 2 certificates are issued to individuals only.

Class 3

Individuals:

Required InformationSame as Class 2, plus:
(a) Subscriber agreement acknowledged by a notary or LRA (to fulfil the "personal presence" requirement) upon presentation of three (3) forms of identification by the certificate applicant.

Optional
(b) Previous employer

Agents/Authorised Representative: Class 3 permits businesses (but not individuals) to have an agent apply for a certificate, naming the principal (business) as a subscriber.

Method of Communicating Application: TBD

Business Entities:

Required Information
(a) Domain name
(b) Organisation
(c) Organisational unit (if applicable)
(d) Technical and billing contact persons
(e) City, state, country, postal/zip code
(f) Proof of right to use name (via third-party database checks and out-of-band verification)
(g) Proof of organisational status (such as proof of articles of incorporation, where applicable, or comparable proof)
(h) Proof of agent's authority
(i) The "software publisher's pledge" (for commercial software publisher certificate applicants only)
(j) Server serial number (for non-U.S. based Export Control Certificate applicants only)

Agents/Authorised Representative: See above

Method of Communicating Application: The completed application (and subscriber agreement) shall be submitted in electronic form.
Source: VeriSign (1997) pp.36-37

Table 3: A taxonomy of commercially-available digital certificates with regard to their identity authentication procedures

Company

Cert. Name

Ind./ Org.

Stated Purpose

Identity Authentication Procedures

BelSign

Class 1

Ind.

Personal e-mail

Simple check of the non-ambiguity of the subject name within the BelSign repository, plus a limited verification of the e-mail address

BelSign

Class 2

Ind.

E-Commerce

Identity information confirmed with 3rd party databases

BelSign

Class 3

Org.

High Security

ID data is supplied on-line. 3 ID documents including the statutes of the organisation must be presented at a Chamber of Commerce for verification

Thawte Consulting

FreeMail Cert.

Ind.

Personal e-mail

?

Thawte Consulting

Basic Cert.

Ind.

E-Commerce

?

Thawte Consulting

Premium Cert.

Ind.

Indisputable on-line identity equivalent to a passport

?

SigNet

Personal Cert.

Ind.

Individual Authentication

Name, e-mail address

SigNet

Server Cert.

Ind./ Org.

Server Authentication

Letter, server name, e-mail address

SigNet

Developer Cert.

Ind./ Org.

Software Developer Authentication

Not yet available

KeyWitness Canada

Class 1

Ind.

Personal e-mail

Low-level identity verification

KeyWitness Canada

Class 2

Ind.

E-commerce

Moderate-level identity verification

KeyWitness Canada

Class 3

Ind.

Application specific

Face-to-face or notarised verification

KeyWitness Canada

Class 4

Org.

Application specific

High-level verification primarily for corporate servers

Certificates Australia

Entry Level Cert.

Ind.

Personal e-mail

Applicant must provide name, address and telephone number. Details are not verified.

Binary Surgeons

Personal Cert.

Ind.

Personal e-mail

?

Binary Surgeons

Server Cert.

Org.

On-line server identification

Typed letter on company letterhead from company director verifying existence of company and applicant's authority to act on behalf of the company. Letter detailing bank account details signed by whoever has authority to authorise direct debits

IKS Germany

?

?

?

Require personal contact and presentation of passport

ICE-TEL

?

Ind./ Org.

?

Evaluation of an authorised ID card

Computer Security Technologies

Low-level assurance

Ind.

Personal e-mail

Specific procedures depend on org. acting as CA. Unverified check of standard documents (letterhead, business cards, etc.)

Computer Security Technologies

Medium-level assurance

Ind.

Professional business documents generally not of a financial nature

Official registration documents: ID card; driving license; passport; etc.

Computer Security Technologies

High-level assurance

Org.

Electronic commerce and financial transactions

Authorisation documents from a higher organisational authority. CAs verified using the official registration documents of the company.

UNINETT

?

Ind.

?

Identity authentication is performed by Registration Authority based on one or more of the following paper credentials: driver's license; passport; Norwegian bank card

United States Postal Service

Self-authenticated Personal Cert.

Ind.

?

Check of uniqueness of name. No verification of applicant's right to use name

United States Postal Service

Basic Cert.

Ind.

?

Review of suitable paper credentials

United States Postal Service

Biometrically authenticated personal Cert.

Ind.

?

Review of suitable paper credentials. Biometric measurements of applicant are used in the initialisation of trusted signing device

United States Postal Service

Organisational Cert.

Org.

?

Fixed policy associated with creation and handling of all organisational certificates

VeriSign, Inc.

Class 1 Digital ID

Ind.

Web browsing and personal e-mail; continuity of communications

Simple check of the non-ambiguity of the subject name within the VeriSign repository, plus a limited verification of the e-mail address

VeriSign, Inc.

Class 2 Digital ID

Ind.

Intra/inter-organisational E-mail; small, "low-risk" transactions; personal/individual E-mail; password replacement; software validation; on-line subscription services

As Class 1 plus third party consumer database cross-reference; postal address confirmation

VeriSign, Inc.

Class 3 Digital ID

Ind.

Provide important assurances of the identity of individual subscribers; LRA administrator authentication

As Class 2 plus personal presence before LRA or delegate (e.g. notary) with documentary identification

VeriSign, Inc.

Class 4 Digital ID

Org.

Electronic commerce applications such as electronic banking, electronic data interchange (EDI), and membership-based on-line services; support software validation

As Class 2 plus review of authorisation records provided by the applicant or third-party business databases, and independent call-backs to the organisation

KeyPOST

Personal Cert.

Ind.

On-line identification of individuals

Personal presence at KeyPOST nominated Australia Post outlet with photographic ID documents, application form, and fee

KeyPOST

Organisational Cert.

Org.

On-line identification of organisations

Personal presence at KeyPOST nominated Australia Post outlet with photographic ID documents, organisation ID documents, letter of authorisation, application form, and fee

UPTIME Commerce

Server Cert.

Org.

On-line server identification

Organisation details verified with 3rd party database (Dun & Bradstreet)

South African CA

See VeriSign

  

See VeriSign

See VeriSign

(Source material for this table was obtained from the web-sites of the certification authorities. Internet addresses used are detailed in the end-matter.)
JILT logo and link to JILT home page