 
 
Page 5 of 11

 


The Future of WAP: v1.2 and Beyond

WAP v1.2 Application-level Security

With the WIM, private encryption keys can be stored at the device, while the corresponding public keys are made available to recipients. With this arrangement, it's possible to add a digital signature to messages, which provides additional end-to-end encryption (and hence integrity), and also provides for non-repudiation.

 

Applications such as e‑commerce require the ability to provide persistent proof that someone has authorized a transaction. Although WTLS provides transient client authentication for the duration of a WTLS connection, it does not provide persistent authentication for transactions that may occur during that connection.


To support this requirement, the browser provides a WMLScript function, Crypto.signText(), that asks the user to sign a string of text. A call to the method displays the exact text to be signed and asks the user to confirm it. After the data has been signed and both the signature and the data have been sent across the network, the server can then extract the digital signature and validate it, and possibly store it for accountability purposes.

 

For verification of the digital signature, the server must have access to a user's certificate that's signed by a Certification Authority (CA) recognized by the server. There are several ways for the server to get access to the user's certificate:

 

1. The certificate is appended to the signature.

2. The public key hash is appended to the signature. The server is able to fetch the corresponding certificate from a certificate service.

3. A URL for the certificate is appended to the signature. The server is able to fetch the certificate using Internet methods.

4. The server knows the user certificate based on previous data exchange with the user (from a previous digital signature, for example).
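The four routes above can be folded into one server-side lookup that fails closed. The following Python sketch is an added example, not code from the original page or from any WAP toolkit: the dictionary fields (`certificate`, `key_hash`, `cert_url`), the SHA-1 key hash, and the issuer-name check standing in for full certificate path validation are all assumptions made for illustration.

```python
import hashlib

class CertificateError(Exception):
    """No acceptable signer certificate could be established."""

def key_hash(public_key: bytes) -> str:
    # Assumption: SHA-1 over the encoded public key identifies the key.
    return hashlib.sha1(public_key).hexdigest()

def resolve_signer_cert(signed, user_id, directory, fetch_url, known, trusted_issuers):
    """Locate the signer's certificate by one of the four routes; fail closed."""
    if "certificate" in signed:            # 1. certificate appended to the signature
        route, cert = "appended", signed["certificate"]
    elif "key_hash" in signed:             # 2. public key hash -> certificate service
        route, cert = "key-hash", directory.get(signed["key_hash"])
        if cert and key_hash(cert["public_key"]) != signed["key_hash"]:
            raise CertificateError("certificate service returned a different key")
    elif "cert_url" in signed:             # 3. URL appended -> fetch it
        route, cert = "url", fetch_url(signed["cert_url"])
    else:                                  # 4. certificate from an earlier exchange
        route, cert = "known", known.get(user_id)
    if cert is None:
        raise CertificateError(f"no certificate available via route '{route}'")
    # Every route yields untrusted input until the issuer is a recognized CA.
    # Stand-in for real path validation (signature chain, validity, revocation).
    if cert["issuer"] not in trusted_issuers:
        raise CertificateError(f"issuer {cert['issuer']!r} is not a recognized CA")
    return route, cert

# Constructed sample data (not real certificates or keys).
ALICE = {"subject": "alice", "issuer": "Example CA", "public_key": b"alice-public-key"}
ROGUE = {"subject": "alice", "issuer": "Unknown CA", "public_key": b"rogue-public-key"}
TRUSTED = {"Example CA"}
DIRECTORY = {key_hash(ALICE["public_key"]): ALICE}
KNOWN = {"alice": ALICE}

def fetch_stub(url):
    # Offline replacement for an HTTP fetch; the URLs are constructed examples.
    return {"https://certs.example/alice": ALICE, "https://certs.example/rogue": ROGUE}.get(url)

def resolve(signed, user_id="alice"):
    return resolve_signer_cert(signed, user_id, DIRECTORY, fetch_stub, KNOWN, TRUSTED)

if __name__ == "__main__":
    for s in ({"certificate": ALICE}, {"key_hash": key_hash(b"alice-public-key")},
              {"cert_url": "https://certs.example/rogue"}, {}):
        try:
            print(resolve(s)[0], "-> accepted")
        except CertificateError as err:
            print("rejected:", err)
```

Only after a certificate has been accepted this way should its public key be used to check the signature over the signed text.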

Enhanced Security for Consumers

A number of trade organizations are working together to promote PKI:

 

- The PKI Forum operates as an autonomous, unincorporated entity within the Open Group. Founded by Baltimore Technologies, IBM, Microsoft, Entrust Technologies, and RSA Security, it is a non-profit organization committed to promoting PKI and increasing confidence in the technology.

- Radicchio, founded by Sonera SmartTrust with GemPlus and EDS, promotes PKI in secure, wireless e‑commerce - becoming the industry voice and authority in this space. One of its stated goals is "to enable a dynamic global market for secure wireless e‑commerce through high-level regulatory processes and technical collaboration and consensus between members."

- The Mobile Electronic Signature Consortium, formed in January 2000, is an association of companies and organizations from the mobile phone and Internet sectors. The basic pretext for forming the group is that the founder members assume the current separation of mobile telecommunications and the Internet as implemented in WAP will not last. Members are all working on the integration of mobile telecommunications and fixed-connection Internet technologies to generate services that will require a mobile digital signature as a way to establish legal security for transactions performed.

 

One proposal is to add a special "signature" button to mobile device keypads. This will help to create in the mind of the end user the notion that only mobile devices with such a button provide access to secure electronic/mobile commerce.

 
