We provided an overview of security management solutions in our book on digital certificates [FEGH98] and covered a number of PKI vendors that offer certificate toolkits, certificate servers, certificate management workstations, and outsourced certification services. Many of these vendors have now enhanced their products to enable secure communications and transactions in B2B marketplaces. These enhancements range from point solutions, such as supplying real-time revocation information or supporting time stamps, to a portfolio of comprehensive B2B trust services. Because most of these PKI vendors are still defining their B2B solutions and are in early phases of integration testing, we will not attempt to analyze the B2B trust services deployed in the marketplace. Instead, we identify authentication, payment, and validation as three broad categories of B2B trust services and provide a brief description of each category, using VeriSign as an example of a third-party trust provider.
VeriSign Authentication services [VERIA] provide identity establishment, credential management, identity validation, and directory services for B2B Net marketplaces. These services address the authentication issues of B2B environments, such as establishing policies for unknown organizations and individuals, implementing delegated authentication, minimizing risk and liability, devising security and auditing processes, and providing around-the-clock availability.
The OnSite service provides managed PKI and delegated control over trust policies, enabling organizations to issue digital certificates to partners, customers, employees, servers, routers, and firewalls. The Roaming service provides a network-based credential distribution system by securely storing private keys on the network and delivering them to users who roam and need to access their profiles from any computer terminal attached to the network. The Online Certificate Status Protocol (OCSP) [MYER99] service supplies real-time revocation information for high-value B2B transactions, so that a relying party need not wait for the next periodically published certificate revocation list before learning that a certificate has been revoked.
VeriSign Payment services [VERIB] address the fragmented Internet payment systems that connect on-line merchants to banks via privately operated, point-to-point networks. The Payment services provide an Internet payment gateway that supports multiple payment instruments, connects to all relevant back-office payment processors, offers uniform interface access to payment functions, and allows merchants to switch between alternative financial instruments and payment processors.
The Payflow Internet payment service supports all major consumer credit card, debit card, electronic check, purchase card, and automated clearinghouse (ACH) transactions. Additional Payment services include functionality for fraud detection and risk management, and application integration with back-office and B2B payment systems through an Extensible Markup Language (XML) application integration layer.
VeriSign Validation services [VERIC] support digital notarization, digital receipts, digital records, and dispute resolution for Net marketplaces. In digital notarization, VeriSign acts as a third-party witness to an e-commerce transaction and archives electronic bookkeeping records needed to later prove that a transaction has taken place. The Digital Notarization service creates an electronic time stamp of a transaction,2 notarizes the transaction by adding a digital signature to the time-stamped transaction to create a digital receipt, and delivers the receipt to the transacting parties.
Digital receipts provide nonrepudiable proof of transactions by linking authentication, validation, and Internet payment processing. The digital receipt repository securely archives the digital receipts, provides an authenticated access mechanism to retrieve the receipts, and supports a mechanism to determine their validity.
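The notarization flow described above (time-stamp the transaction, sign the time-stamped record to form a receipt, archive the receipt, and later check its validity) can be made concrete in a few dozen lines. The following Go program is an added illustration written for this chapter; it is not VeriSign's code and makes no claim about the format of VeriSign's receipts. It assumes Ed25519 as the notary's signature algorithm, SHA-256 as the digest of the transaction record, a receipt layout of (digest, Unix time, signature) chosen for the example, and that the notary's clock is trusted. The sample purchase order is constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Receipt is what the notary hands back: the digest of the transaction
// record, the instant the notary witnessed it, and the notary's signature
// over digest and time together. The layout is an assumption for this example.
type Receipt struct {
	TxHash    [sha256.Size]byte
	Timestamp int64 // Unix seconds from the notary's own clock
	Signature []byte
}

// signingInput binds digest and time into one byte string so that neither
// can be altered without invalidating the signature.
func signingInput(txHash [sha256.Size]byte, ts int64) []byte {
	buf := make([]byte, sha256.Size+8)
	copy(buf, txHash[:])
	binary.BigEndian.PutUint64(buf[sha256.Size:], uint64(ts))
	return buf
}

// Notary is the third-party witness. Its clock is injectable so the flow
// can be reproduced; in practice the clock must be a trusted time source.
type Notary struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
	now  func() time.Time
}

func NewNotary(now func() time.Time) (*Notary, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Notary{priv: priv, pub: pub, now: now}, nil
}

// PublicKey is what relying parties and the repository use to check receipts.
func (n *Notary) PublicKey() ed25519.PublicKey { return n.pub }

// Notarize time-stamps the transaction digest and signs the pair.
func (n *Notary) Notarize(tx []byte) Receipt {
	h := sha256.Sum256(tx)
	ts := n.now().Unix()
	return Receipt{TxHash: h, Timestamp: ts, Signature: ed25519.Sign(n.priv, signingInput(h, ts))}
}

// VerifyReceipt checks only the notary's signature over (digest, time).
func VerifyReceipt(pub ed25519.PublicKey, rc Receipt) error {
	if !ed25519.Verify(pub, signingInput(rc.TxHash, rc.Timestamp), rc.Signature) {
		return errors.New("receipt signature does not verify under the notary key")
	}
	return nil
}

// Validate is what a party does in a dispute: re-hash the record it claims
// was transacted and check that a genuine receipt covers exactly that record.
func Validate(pub ed25519.PublicKey, tx []byte, rc Receipt) error {
	if err := VerifyReceipt(pub, rc); err != nil {
		return err
	}
	if sha256.Sum256(tx) != rc.TxHash {
		return errors.New("receipt does not cover this transaction record")
	}
	return nil
}

// Repository archives receipts keyed by transaction digest and refuses any
// receipt that does not verify, so everything it holds is genuine.
type Repository struct {
	pub      ed25519.PublicKey
	receipts map[string]Receipt
}

func NewRepository(pub ed25519.PublicKey) *Repository {
	return &Repository{pub: pub, receipts: make(map[string]Receipt)}
}

func (r *Repository) Store(rc Receipt) error {
	if err := VerifyReceipt(r.pub, rc); err != nil {
		return err
	}
	r.receipts[hex.EncodeToString(rc.TxHash[:])] = rc
	return nil
}

func (r *Repository) Lookup(txHash [sha256.Size]byte) (Receipt, bool) {
	rc, ok := r.receipts[hex.EncodeToString(txHash[:])]
	return rc, ok
}

func main() {
	notary, err := NewNotary(time.Now)
	if err != nil {
		panic(err)
	}
	// Constructed sample purchase order; not a real transaction.
	tx := []byte(`{"po":"PO-1001","buyer":"acme","seller":"widgets-inc","amount":"12500.00"}`)
	rc := notary.Notarize(tx)
	repo := NewRepository(notary.PublicKey())
	fmt.Println("stored:", repo.Store(rc) == nil)
	fmt.Println("genuine record:", Validate(notary.PublicKey(), tx, rc))
	altered := []byte(`{"po":"PO-1001","buyer":"acme","seller":"widgets-inc","amount":"1250.00"}`)
	fmt.Println("altered record:", Validate(notary.PublicKey(), altered, rc))
}
```

Two design points matter for the dispute-resolution use the text describes. The signature covers the digest and the time stamp as one byte string, so a party cannot keep a valid signature while moving the transaction to a different time or substituting a different record with the same time. And the repository verifies before storing, so retrieval and validity checking are separated: a party that retrieves a receipt still re-hashes its own copy of the transaction and checks the receipt against it, rather than trusting the repository's word.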
1. Note that the trust infrastructure must ensure that private keys are operationally valid when they are used to generate signatures.
2. The Public Key Infrastructure Working Group of IETF (PKIX) [http://www.ietf.org/html.charters/pkix-charter.html] is developing standards for a time-stamp protocol for the Internet X.509 public key infrastructure.