Your Papers, Please
Hey. Go get your wallet. Extract all the cards and papers that identify you: driver's license, ATM card, credit cards, pass to the gym. If you're a real wallet completist, you may have your Social Security card with you, or even your passport. In the world, you need all these variations of ID for different purposes. In the real world, the sum of your ID defines you.
Then there's the Internet, where (to repeat the cliché) No One Knows You're A Dog. The net's privacy can let you can hide your personal information from merchants, marketers, or other organizations. No driver's license is required for the Superhighway.
But sometimes anonymity is not a good thing. Before you give a company your credit card number, you might like to know that the company is what it says it is, and that it provides you with a secure connection. Before downloading some ActiveX control, you'd do well to know who's vouched for it.
And suppose you needed a way to prove that you, and only you, had sent email to someone? Suppose you required a digital code to log you into a Web site, so you wouldn't have to keep track of dozens of user names and passwords? The ability to require or furnish serious ID could provide a significant advantage over the anonymous and untrustworthy Internet-at-large.
Digital identification comes into play for all these purposes. Digital IDs, formally called digital certificates, are commonly used in secure SSL connections and for digital signatures such as those used by ActiveX controls (soon to be used for Java applets as well). There's no reason an individual couldn't use digital ID to prove that data is yours, or for convenience in gaining access to sites or to data.
A digital certificate (DC) that conforms to the X.509 standard is a complex assemblage of data. Unlike plastic ID cards, DCs are difficult to fake or to misuse. Understanding how DCs work isn't that difficult, but it does involve complex, interrelated topics, including public-key cryptography and the concept of a certificate authority.
Cryptography is the science of encoding stuff so that outsiders can't read it. You've dabbled in cryptography if you ever exchanged coded notes with your grade-school friends. As long as your gang knew the code (more precisely called the key) which symbols translate to which letters, etc. the only problems were making sure the teacher didn't catch you and that your enemies couldn't break your code. Symmetric cryptography, as this is called where a single key is used to both encode and decode the message is still used to encrypt data today.
Public-key cryptography is used to exchange private messages when an initial key isn't known ahead of time or, as in the case of the Internet, a single, global key wouldn't be practical (or secure). Public-key cryptogaphy requires two keys: your private key is kept secret, and your public key is distributed as widely as possible.
To send someone a secret message, you'd first acquire their public key. Then you'd encode your message using that key and send the message to them. Once encoded, it can only be decoded with the recipient's private key. So it wouldn't matter if someone else knew the public key and intercepted the message. (This encoding and decoding is done with special-purpose software that uses cryptographic algorithms way too complex to go into here.)
Conversely and more importantly if you encode a message with your private key, it can only be decoded with your public key. This doesn't work as well for hiding secrets, since anyone can get your public key and decode the message. But it does provide a way of verifying that the message was really sent by you.
Your DC, then the one that identifies you as you is simply your name, or other identifying information, and your public key, bundled up in a special binary format that the right software can read. You "sign" some data with your private key, then you send the data and your certificate to your recipient. The recipient uses your public key to decode the message and to verify that you are its source.
But what about forgery? What's to stop you from, say, assembling a certificate with your public key, but with Microsoft's (or anyone else's) identifying information? Theoretically, you could then pretend to be Microsoft, sign unscrupulous code, wreak havoc all over the Internet. (Wouldn't that be fun?)
This is where the certificate authority (CA) comes in. Essentially, a CA verifies that you are who you say you are.
CAs certify your digital certificate using their own certificate in other words, they encode your DC using their private key. Someone can then verify your identity by decoding your certificate with the CA's public key and checking it against the certificate you've given them. Once the certificate is verified, the recipient can use your public key to decode your message.
Next question: who watches the watchmen? What's to prove that a CA is trustworthy? Fortunately, there aren't many CAs that actually sign digital certificates (Verisign is by far the most popular). These top-level CAs are generally considered to be trustworthy, so there's a point where you can stop checking and rechecking.
You can be your own CA and sign your own certificate if you want. But Internet software (such as web browsers) tends to be suspicious of handmade digital certificates. The software will usually inform the folks you're communicating with that your certificate isn't quite kosher. It's up to the recipient to decide whether or not to trust you. (And if you come across a suspicious certificate, the safe bet is not to trust it.)
The last point about digital ID, for those of you who have not become overwhelmed and gone to vist The Commons, is how to get it. If you're setting up a secure server with SSL, or if you're an ActiveX developer, software included with those environments will help you apply for a certificate and get it signed.
Verisign is offering personal digital IDs. Although these are currently mostly just fun to show off at parties, they have potential for signing email or news postings, for gaining instant access to websites, or for more complex transactions where your identity must be verified.
And, more importantly, you don't have to keep it in your wallet.
Digital ID wll most likely become more and more important, particularly as elecontric cash and payment systems become more widely used.
Do YOU have your own personal digital ID? a PGP key? Something else?
Most Active Topics:
Topic 41 Pointcast
Topic 70 FYI: Fallback Plans
Also in Web Tech:
Speeding Up with HTTP 1.1
WebTV: Better Than You Think
Animated GIFs: Friends or Foes?
electric minds |
virtual community center |
world wide jam |
edge tech |
Any questions? We have answers.