The probative value of digital certificates: Information Assurance is critical to e-Identity Assurance

Abstract

It is widely acknowledged among all echelons of global organizations and governments alike, that the Internet is a critical global infrastructure to the information society. This critical global infrastructure offers much to the twenty-first century; however, it has already become synonymous with misuse, abuse and the emergence of a new vocabulary that includes cyber terrorism, cyber trust, cyber fraud and identity theft, to mention a few. Furthermore, these vulnerabilities of the information society (information infrastructure) have become more prevalent in recent times. Whilst this is not a desirable state for the information society, it has focused attention on internet identities. In particular, there is a growing body of opinion that shares the view that it is the cloak of anonymity that fuels such undesirable and sometimes illegal use of our information infrastructure (internet). In short, this all adds up to a general mistrust of the internet, especially where it concerns the exchange of sensitive or confidential information. If the internet is to mature into a trustworthy utility-like infrastructure and a medium in which both consumers and producers of information can have implicit faith, then we must look to other trusted utility infrastructures and services and the way they operate. In general, these same producers and consumers use electricity, water and gas, for example, and rarely question the integrity of those infrastructures that provide the lifesupport to economic and social activity. These critical services are regulated because of the potential risk to public safety, and the consumers and producers of such services are not anonymous. In contrast, cyber trust is now considered by many observers to be a risk to public safety because of our increasing dependence on the internet. Yet we really cannot be sure about the genuineness of the identities that participate in information exchanges on the internet. In addition, we cannot be confident that a person claiming to be a doctor, lawyer or police officer, for example, is their genuine role at any given time. There is also general agreement emerging that some form of regulation is now required in order to restore confidence and trust in the internet as a safe environment in which we can exchange information. This leads us to many challenges, not least of which is, how can we regulate anonymity? This article will offer a view that it is the registration business processes, employed to bind real-world personal and professional data to a digital certificate that is crucial. These registration business processes are critical because they have a direct bearing on the probative value of a digital certificate. These registration business processes will need to enable each information society individual to declare his or her (or the organizations’) genuine digital identities (digital certificates) and contribute to a safer information infrastructure by removing the opportunity for identity theft and identity plagiarism that exists on the internet today. Such registration business processes will need to consider carefully regulation and legislation, digital identity (certificate) lifecycle management and information assurance. The registration business processes will need to scale and be available to all real-world custodians of trust: those organizations and employees engaged in the exchange of sensitive medical, legal, scientific and commercial information over the internet. Control of registration would be done as part of a Certification Authorities policy or certification practice. In the United Kingdom, tScheme is the industryled, self-regulatory, not-for-profit organisation that was set up to create strict service criteria and to approve electronic trust services, including qualified certificate services. tScheme plays an important A r t i c l e