
Time to get Secure

With certifying authorities coming in, CIOs need to sort out some key issues—the right apps, management perception change and user confidence—before deploying digital certificates

Amit Sarkar

Tuesday, May 21, 2002

Are we moving toward paperless legal transactions? If recent events are any indication, this sure seems to be the case. SafeScrypt, a company promoted by Satyam Infoway and an affiliate of VeriSign, was awarded India’s first digital signature certificate in February 2002. This marked India’s entry into the age of secure electronic transactions. Digital signatures are the backbone on which digital contracts rest.

Enterprises were watching these events closely. While many had been educated about the benefits of adopting digital certificates and public key infrastructure (PKI), most were unsure about the procedural aspects of actually deploying them.

Confidence needs to be built
Although electronic mail has replaced paper-based communications in most cases, sensitive documents are still sent the old-fashioned way for greater security. Digital signature-based messaging allows sensitive documents to be sent by e-mail, eliminating the processing costs, mailing costs, and the time delays which are inevitable with traditional snail mail.

A must for organizations
Ten procedural aspects that CIOs need to consider before opting for digital certificate deployment
While the procedural steps would vary to some extent depending upon the organization type, there are a few concepts that are common.
1. Inventory the transactions that can benefit from the use of digital certificates. This could include employee sign-on, workflow, procurement etc.
2. Identify the applications and technology that currently facilitate these transactions.
3. Identify which of those applications and technologies can readily be integrated with digital certificates.
4. Quantify the risk associated with each transaction category.
5. Based on the above information, determine whether to rely on an external third-party CA or to create one's own certification authority.
6. If an external CA is being considered, review its PKI framework. The private key must stay strictly private and the public key must be genuinely public; that is the basis on which PKI rests. Compliance with standards is a must.
7. There needs to be the necessary framework to create the certificate policies and the certificate practice statements. Different tiers/types of certificates need to be associated with each transaction type.
8. Adopt a scalable PKI, since future requirements also need to be met.
9. The decision to go for a digital signature should be based on an ROI model and not on security concerns alone. To customize the ROI analysis for an enterprise, it is necessary to determine the number of users expected for the PKI applications and also the time frame in which the investment pays off. If the ROI model for an organization suggests substantial cost savings, then the next step of selecting the right technology and the right vendor should be taken.
10. Client software: When evaluating digital signature technology it is important to understand to what extent client software is involved in the solution. Is the PKI solution flexible enough to operate with a thin client, or with no client at all, if desired?

Digital certificates can enable one to build the same level of confidence in digital transactions that one would usually associate with physical transactions. This would include the issues of privacy, integrity, non-repudiation, and authenticity.

The key benefit for a CIO in adopting a digital certificate would be to ensure the security of the enterprise’s data and communications. According to Surendra Singh, country manager, RSA Security, digital certificates would be central to two major transitions every enterprise either has begun to make or will make in the next few years. These include the transition from paper-based to completely electronic business processes such as electronic mail, electronic file storage, and electronic contracting with digital signatures. The second would be bridging the gap due to geographical distance via Internet integration and allowing remote employees, customers, and vendors to exchange data with the internal corporate network.

Procedural issues
While there has been one certifying authority (CA) so far, a number of others are coming up, including the National Informatics Centre (NIC) and the Institute for Development and Research in Banking Technology (IDRBT, a subsidiary of RBI). Other aspirants include MTNL, which is being advised by PricewaterhouseCoopers (PwC). With multiple CAs, the questions are which CA an organization should choose and whether certificates issued by one CA would be accepted by parties relying on another. Neel Ratan, Partner, Global Risk Management Solutions, PwC, feels that ultimately it would be business needs that drive the different CAs into cross-certification agreements. The process of cross-certification, however, is not automatic as of now. International CAs can also cross-certify to ensure international coverage; for example, a multinational bank with operations in different countries would need cross-certification so that its certificates are recognized in each of them.

Digital Certificates
A digital certificate is an assurance provided by a third party (called a Certification Authority) that a public key does indeed belong to the purported owner. Thus it binds an identity to the public key. The identity, or subject name, may be that of a person, corporation, or some other entity such as a web server. The certificate contains, among other fields, a serial number, the subject name, the subject’s public key, and the issuer’s name. The issuer, or Certificate Authority, digitally signs the certificate to provide integrity protection and assurance that the certificate is authentic.
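The following is an added example, not code from the original article, illustrating the two sidebars above: a certificate binds a serial number, subject name and subject public key under the issuer's signature, and a relying party that trusts only CA B accepts a user certificate issued by CA A once B has cross-certified A. It uses Go's standard crypto/x509 package; the CA names, the user's name and the serial numbers are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a certificate with the fields the article lists (serial number, subject name,
// subject public key, issuer name) and has the issuer sign it; parent == nil means self-signed.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, pub crypto.PublicKey, signer crypto.Signer) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if isCA { ku |= x509.KeyUsageCertSign } // only a CA may certify other keys
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, BasicConstraintsValid: true, IsCA: isCA}
	if parent == nil { parent = tmpl } // a root CA is its own issuer
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der) // DER we just produced; parsing cannot fail
	return c
}

// verifies reports whether leaf chains to root, optionally through the given intermediates.
func verifies(leaf, root *x509.Certificate, inters ...*x509.Certificate) bool {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	rp.AddCert(root)
	for _, c := range inters { ip.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// CrossCertDemo: CA A issues a user certificate; a party trusting only CA B rejects it until B cross-certifies A.
func CrossCertDemo() (viaA, viaBAlone, viaBCross bool) {
	pubA, keyA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, keyB, _ := ed25519.GenerateKey(rand.Reader)
	pubU, _, _ := ed25519.GenerateKey(rand.Reader) // the user's private key is not needed here
	rootA := issue("CA A", 1, true, nil, pubA, keyA)
	rootB := issue("CA B", 2, true, nil, pubB, keyB)
	user := issue("user@example.test", 3, false, rootA, pubU, keyA)
	cross := issue("CA A", 4, true, rootB, pubA, keyB) // B certifies A's public key under A's name
	return verifies(user, rootA), verifies(user, rootB), verifies(user, rootB, cross)
}

func main() { fmt.Println(CrossCertDemo()) } // prints: true false true
```

The cross-certificate carries CA A's name and public key but CA B's signature, so a chain from the user certificate through it ends at a root the relying party already trusts.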

For an enterprise that has decided to go in for deploying digital certificates, the key issue would be to identify applications that can be PKI enabled. The broad framework would involve need-based assessment, vendor identification, and implementation. This would involve the integration of the system with existing applications. The time taken to implement this is generally from two to eight weeks and would depend on the nature of the application.

"Defining the level of control to be exercised is very important," according to Rajeev Wadhwa, COO, Global Esecure. If a high degree of control is required, the organization would go in for an internal or insourced CA model. If an external CA is chosen, it would be important to review its PKI framework and make sure that it has performed the task with due diligence.

ROI analysis is also an important element while considering deployment. For this, one has to determine the number of users of the PKI applications and the time frame in which the technology investment would pay off. Issues such as scalability and ease of use would also need to be considered.

The challenges ahead
The CIO would face some challenges during deployment. Finding the right applications, changing certain aspects of management and finding skilled personnel would be the major ones. According to Rohit Ghai, CTO, Computer Associates, "One of the biggest challenges is the fact that many of the applications are not PKI and digital certificate enabled. This itself has a great dampening effect." However, there are SSO (single sign-on) type technologies that can create a wrapper authentication layer around such applications to mitigate this problem. The other hurdle is the lack of expertise in both the technical and the techno-legal areas. If the implementation is for a transaction-intensive environment, scalability issues can often haunt the adopter of PKI. This means both being able to store a large number of certificates and being able to process transactions in a reasonable time frame.

The Indian market is nascent as of now. Most experts feel that it would take at least 18 to 24 months for the market to mature in terms of acceptance. Adoption would occur through careful deliberation and smaller pilot projects instead of a big-bang approach. Ghai points out, "Though the technology holds a lot of promise, it also carries a lot of baggage in terms of the due diligence required for a successful implementation." Banking, financial services, insurance, and the government are expected to be among the early adopters of digital certificates and PKI.

With the first CA now operational and the first digital signature certificate issued, India has taken a definite step forward. Quicker adoption would give the much-needed boost to e-commerce and help it realize its true potential.

Amit Sarkar in New Delhi
