Software Eases Use of Digital Signatures

New technology could make it easier to do business on the Web.
Jennifer Caplan, December 12, 2000

Could you boost your business if Internet transactions with customers or suppliers were easier and safer to make? Odds are that the answer is yes.

Online security, or the lack thereof, has thwarted the widespread use of the Internet as a tool for doing business. Consumers are still reluctant to punch their credit-card digits into vanishing Web pages that carry valuable information into a cyberspace twilight zone. And although companies recognize the benefits of doing business online, they are wary of going into Web-based contractual agreements, which remain difficult to enforce with customers and suppliers.

There are signs, however, that this may all be changing. On November 29, software giants Microsoft Corp., VeriSign, and webMethods announced that they have developed technology to make it easier to use digital signatures and other online security tools, like online authentication and data encryption, with E-commerce applications. The new technology, called XKMS (XML key management specification), is based on XML, short for extensible markup language, a standard that many believe has the potential to extend the Internet beyond simple information delivery by making it more responsive.

Microsoft, VeriSign, and webMethods have teamed up to make XKMS an open Internet standard, and have submitted the technology to Web standards bodies for consideration. Although XKMS became available on November 29, analysts contend that it will probably not receive much attention from standards bodies until the fourth quarter of next year.

Microsoft has announced it will build XKMS into its Microsoft.NET architecture to ensure broad and rapid adoption of this framework in both business-to-business and business-to-consumer environments.

How Does It Work?

XKMS enables a broad range of software developers to integrate digital signatures and data encryption into E-commerce applications. It simplifies the integration of PKI (public key infrastructure) and digital certificates with XML applications.

PKI enables users to decode encrypted data transferred over the Web. Because most E-business applications currently don’t have PKI built in, developers who make security software must first buy and integrate specialized toolkits from a PKI software vendor. The toolkits tend to work only with that vendor’s PKI system. According to Ronen Olshansky, a manager with Arthur Andersen’s Internet Services Group, that is a significant limitation.

“If you are a company and you want to communicate securely with customers or other partners in your supply chain,” says Olshansky, “you need to make sure that they are using the same PKI as you are. If not, this creates a problem of compatibility.” This incompatibility is, to a large degree, what has jeopardized the reliability and impeded the widespread use of digital signatures. “XML, however, is an open standard that can communicate across different platforms and systems,” Olshansky adds.

XML is a structured data framework, or language, that allows applications to communicate on the Internet, and it’s quickly becoming the preferred infrastructure for E-commerce applications. XKMS relies on an XML framework in order to function.

“XML is a middle layer of data abstraction,” says Olshansky. “It’s a way of translating data so that you can communicate it to systems that speak different languages.”

Corporate executives know what language their back-end systems use, continues Olshansky, but they don’t know the language that some of their partners, customers, and vendors use. To solve this asymmetry, companies can set up an XML layer that sits in the middle of internal and external systems, and translates between the two. This advantage has propelled “a significant percentage of companies to jump on the XML bandwagon,” he adds.

Janet Daly of the World Wide Web Consortium (W3C), an organization that promotes the Web’s evolution, says, “We’re now seeing more and more companies building products based on W3C standards for XML, and getting customers to buy in.”

Much touted as the language of the second-generation Web, XML underlies the way XKMS works. Part of the impetus behind the development of XML, says Daly, was the drive from business interests to go beyond merely having a presence on the Web to being able to use the Web as a transaction tool.

W3C has called XML “a universal syntax for expressing structure in data.” Structure in data is that which is tagged for its content, meaning, or use. Currently, the Web’s main language is HTML, which describes how a Web browser should arrange text and images on a page.

“HTML is extremely limited in what it can do,” says Daly. “If you wanted to introduce a tag that signifies ‘phone number,’ for example, you would be unable to do so because there is a limited amount of tags you can use.” HTML, she adds, expresses only the way text appears on a page; XML, on the other hand, expresses the text’s meaning. This difference, many claim, holds the key to unleashing the full capacity of the Web as a business tool.

Take an order form for a T-shirt on an E-commerce Web site, for instance. HTML reads the information the user inputs as boldface, paragraph, row, and column. XML, on the other hand, has the capacity to read price, size, quantity, and color. This capability enables a software program to recognize this particular document as a customer order form. Thus, it can do with this information what it is programmed to do: send the order to the manufacturer or, for example, ensure that the T-shirt goes out to the customer on a specified date.

Frank Prince of Forrester Research says: “The idea of XML is for pre-agreed-upon transaction types to have a common form so you don’t have to have exactly the same systems at both ends.”

What Are the Implications for Companies?

Digital signatures do not look like the handwritten autographs used to sign credit card bills. Instead, they are encrypted algorithms that must be used with a password. A key is a necessary piece of software that takes an algorithm—a mathematical set of rules—and decrypts that information. The fact that a specific key is needed to access information increases security in an insecure environment such as the Web. Using an XML-based framework that can operate across operating systems and applications allows suppliers and consumers to exchange encrypted information in a safe manner.

Forrester’s Prince remarks: “Once you have a common language for transactions such as XML, you still have security concerns associated with making transactions over the Web. In that case you would need an extension of XML that [allows] you to have an agreed upon way [among] all players to move security information. And that is what XKMS does.”

In terms of boosting the bottom line, analysts claim that XKMS will make it possible for companies to verify and accept signatures electronically, reducing the costs currently associated with less secure business transactions.

Prince claims that companies are saying, “Digital signatures are a type of security transaction we need—[but,] can we agree upon what the common vocabulary will be for this type of transaction?” XKMS is merely one proposed standard vocabulary for security transactions on the Web.

But what does this mean in terms of cost?

John Pescatore, research director for Internet security at Forrester Research, says that XKMS will enable companies to use digital signatures to replace physical signatures on paper. “The Holy Grail for companies is getting rid of paper,” says Pescatore.

“Moving to digital signatures can certainly provide a major cost saver,” Pescatore says. “There have been a number of major studies on how much savings a company can gain simply by eliminating paper and the people who do nothing but move the paper.”

Another key advantage for companies is the capacity to use XML applications seamlessly across platforms or technologies. This means that a personal computer, hand-held computer, or mobile phone can all read an XML-based file.

“An HTML table cannot be easily read on a cell phone that has a tiny screen,” says Daly. By using a platform-independent language such as XML, companies are able to do transactions with consumers across a broader spectrum of devices.

In addition, because XML-based programs rely on a new standard called Unicode, which allows for the interpretation of text in all the world’s major languages, they can allow companies to extend their global reach. In HTML, if a company’s software cannot read other languages, it cannot use documents written in those languages. Software that reads XML, however, can interpret any combination of characters, enabling companies to exchange information not only between different computer systems, but also across national borders. The implications for the bottom line are potentially huge.

According to Olshansky, it is the extensible nature of XKMS that will really help companies cut costs.

“The costs in the future that companies will need to incur whenever they add on new lines of secure communications will be reduced by adopting an XKMS framework,” he contends. This technology will help companies reduce the costs associated with buying new vendors’ toolkits and training IT staff on a continual basis. “With XKMS, companies can minimize the risk of having to invest in future technologies and other forms of public key encryption,” Olshansky adds.

Because XKMS is not yet a mature standard, the degree to which it will be adopted by businesses will depend on the response from what Pescatore calls the “ABM” or “anything but Microsoft” crowd, the Suns and Oracles of the tech world.

“Right now it’s a narrow camp of big guys backing this standard,” adds Pescatore. For this technology to be meaningful, companies like Oracle, iPlanet, Entrust, and other PKI vendors need to leap on the standard, and it must be endorsed by standard-setting bodies like the W3C and Oasis, Pescatore adds. “This is a good first step, but the real indicator of success is how many of the traditional Microsoft haters sign on to this effort.”

Pescatore predicts that over the next 18 months we will see trial reference applications but no meaningful production use before late 2001 or the first quarter of 2002.