Identrus: Trusted e-Business for Traditional Commerce
By Stephan Paxmann • September 2000

Originally published in Treasury Management International

E-business is a  driver of change. The new virtual world provides a lot of business opportunities to traditional corporations as well as to companies. There is a particular need for established businesses with existing processes  to actively face the challenge of the new digital and global market.

But this opportunity can also be a threat - transparency of business partners and transaction security are major barriers to e-business, if not  addressed properly. Applying trust and security as a fundamental component of e-business is the answer to this threat and Identrus is Deutsche Bank's strategic solution to the problem.

 What Did The Internet Really Change?
The easiest way to become a millionaire these days is to go to a venture capitalist firm, selling the idea of a company, working in the field of e-commerce - it is a  sure bet to raise as much money as required for retirement. That's the theory and, astonishingly, it has been the reality very often, too. But Klondike times are nearly over. Investors and businesses now ask for  revenue, return on investment, solid financing and a real business case with comprehensive numbers. Suddenly, the New Economy centred around e-commerce looks more traditional again.

Selling goods over the Internet -  this is new. Who is taking the liability for this order? - that is an old question.

Paying online Euro 50,000 for a delivery from Asia to Europe - this is new. But who authorised the payment? - this is certainly the  traditional business, too.

In the traditional world, the pre-identification of business partners is standard practice. Who would accept a letter of credit without proof that the person who signed it really exists and  is authorised to do so? The same requirements for conducting business in the traditional world are valid in the online world as well, certainly in a different dimension, but using the same principles.

 These principles are based on security and trust between business partners:

  • The security that the retrieved message is the same one which was sent, without modifications.
  • The security that pricing information via the Internet has not been visible to competitors.
  • The trust that the counterparty of a business transaction is the person he or she claims to be - preferably before the transaction is processed.

Trust Me - I'm a Bank!
Banks are in a traditional trusted relationship with their customers. Clients do disclose their 'private' and 'corporate' financial situation to banks. Hence, banks have access to  corporate accounts and financial information; they are partners for many financial requests. Building up a trusted relationship takes time and costs a lot of effort.

Trust Services need an entity, which can act as a  trusted party and - at least as important - which is accepted as trustworthy by a large group, too. Especially in the New Economy of the Internet a national border is non-existent, the reach is truly global.

Therefore  global financial institutions are perfectly positioned to provide this trusted role and extend it from the traditional world into the virtual world. This acceptance has to be taken into account when looking at trusted  solutions. Who in the US would rely on a German virtual seal "Trusted Application", if issued by a German private authority?

Identrus as Global 'trusted' Trust Provider
Over the past two years,  several financial institutions have worked to form a corporation which provides global Trust Services for corporate clients on the Internet.

The corporation, known as Identrus, LLC, was set up in April 1999 with eight  founding members, including Deutsche Bank, Bankers Trust, Bank of America, Citibank, Chase, ABN AMRO, Barclays and HypoVereinsbank. Since that time, around 30 new member banks have joined Identrus, with a further 50  financial institutions soon to join. They have created a global customer reach across nearly 100 countries with currently more than 13 million corporate customers.

These financial institutions have developed operating  practices, a global legal framework and the technology to carry out verification of identity for corporations doing business over the Internet. Identrus offers these Trust Services based on Public Key Infrastructure  technology. PKI technology provides unique key pairs. One of the keys (the private key) is used to digitally sign a message, and the other (the public key) to decrypt the digital signature in order to validate the  original message.

Basically, the digital signature is the electronic counterpart of a handwritten signature. It can be created only by the owner of the private key.

But the signature alone is just one component of  the infrastructure. The public key proves that one particular person has signed a message. But is this public key really trustworthy?

Certificates Enable the 'e' of E-commerce
For this trustworthiness, each  bank's Certification Authority serves as Trusted Third Party, which issues a Digital Certificate for each customer. Digital Certificates attached to a message can provide verifiable identification of the sender of the  information. Checking that certificate can ensure that the party on the Internet is who he says he is. Technically speaking, the certificate can prove that the public key was issued to exactly that person who signed the  message initially (using the private key).

Certificates can also provide assurance of integrity of message content and non-repudiation so that parties cannot deny that they sent or received messages.

The Identrus  Trust Service is organised in a hierarchy of trust. The Identrus root certifies the identity of banks (Level 1 banks, like Deutsche Bank, Bank of America or Royal Bank of Scotland), which, in turn, issue Digital  Certificates to employees of corporate clients so that they can do business over the Internet. When requested, the contacted bank will check the status of certificates to ensure that messages have been sent by parties  who hold valid certificates from their employers.

The 'touch' of Trust
The trust infrastructure presents excellent security features, which will be a mandatory requirement in any future e-commerce  engagements. But the virtual world of digital signatures and digital certificates applies a physical medium for an even higher level of security: the smart card.

The smart card is a physical entity which holds an  embedded microchip. This microchip contains the private and public key, which is used for the generation and the validation of the digital signature. Therefore a small processor is also part of the chip. Hence, the  creation of the signature is performed on the chip and only the final signature 'leaves' it. All other information is kept secure on the smart card.

In order to actually sign a message or transaction, the owner has to  enter a specific PIN-code (6 or 8 digit number) which is the starting point for the signature generation. Without entering this PIN number, the user will not be able to apply the digital signature.

Furthermore, the  chip also stores the Digital Certificate, which can be read from and forwarded to an Internet business partner when required. This additional hardware-based security medium, together with the Identrus framework,  provides the highest trust and security standard currently available.

The Next Generation
The next generation of personal identification will most probably be based on biometrics. A fingerprint, for example,  has a unique pattern, which can be used for an individual identification. The iris of the human eye has an even more complex pattern.

Some of these 'next generation identifiers' will probably substitute the physical  smart card at some time in the future, because of one very simple reason: everywhere a person goes, these identifiers are with him or her and cannot be copied.

Currently, a lot of investigations and experiments are  being undertaken to look for these alternatives. Some solutions are already on the market, but for the foreseeable future, a robust, customer friendly and affordable alternative is not expected to be available for a  broader market.

To Trust or Not to Trust - This is the Question!
Trust is the enabler, but not a stand-alone feature which solves all problems. To understand the role of trust it is also important to know  what trust alone is not able to deliver. Trust provides identification of business partners, provides non-repudiation services and data integrity. Trust does not encompass the authorisation of capabilities for the  identified partners.

Certainly, trust can and will be the entry point for this authorisation (entitlement systems), but the interaction between those two components has to be done first. A trusted entitlement system  opens the Internet for a highly secure and trusted infrastructure.