banks. (In fact, European proposals for trusted third parties have tended to assume
that those parties would be the traditional banks.) The original Clipper proposals
expected that keys would be escrowed with two government departments; one
objection to these centralized stores was how much of a target they would be for
criminals and spies. It would be more in keeping with the decentralized nature of
the Net to opt for diversity and user choice. Some people ask a friend to hold
copies of their house keys or store their money in the freezer; why shouldn't I
choose to store a copy of my cryptographic key in my lawyer's safe or in a friend's
kitchen drawer? With or without mandatory key escrow, building an infrastructure
for escrowing and managing keys is an area demanding a carefully thought-out
legal framework. No company--and there will be businesses built on key escrow
services even if they don't become mandatory--is going to go into this sort of
business without a clear understanding of what its liability will be in case a key is
lost, damaged, or stolen.

John Brimacombe, managing director of Cambridge-based Jobstream PLC, a
company specializing in financial services with a particular interest in cryptography,
is one of those energetic individuals who sees commercial opportunities for even
small companies everywhere he looks. Of trusted third parties, he says, "One of the
essences of trust is that it's a personal relationship. The bigger the organization the
more impersonal it is. The desire to understand the organization you've trusted with
your secrets is a reason for having smaller escrow providers" (telephone interview,
1996). Governments may be thinking in terms of banks, but if you have something
as private and sensitive as the key to your most intimate communications, who
would you rather kept it for you? Your bank, where probably no one knows you?
Microsoft? Brimacombe, who is interested in becoming a trusted third party,
believes that along with that goes a panoply of ancillary services, such as
authenticating transactions along the lines of notaries public, providing data backup
and storage, and mediating contract negotiations online.

Companies are already beginning to operate in the related area of certification. Here
the idea is that an individual Net surfer could be issued a certificate that guarantees
some particular fact or group of facts about that surfer's identity. In the case of Adult Check, the service that sprang up in the wake of the passage of the
Communications Decency Act, you pay $9.95 (by credit card) for a one-year ID
certifying that you're over twenty-one. Then, when you want to visit any of the
roughly 200 (rather sleazy) Web sites that accept Adult Check, you just type in the
ID number and the site checks that it's valid without having to know anything more
about you. Adult Check promises to keep all data confidential, and the Web sites
can show prosecutors they are making the effort to keep out minors.

A more interesting example of third-party digital identification is the RSA Data
Security spin-off VeriSign, the first commercial certificate authority.[7] As of early 1997, they offered three classes of certificates, the simplest of which
just attests that a user's email ID is unique. The next level verifies your street
address and a few other personal details. The third requires personal presence or
registered credentials.

When someone applies for an ID, VeriSign uses a public-key cryptographic system
to generate the usual pair of public and private keys (see chapter 4). The company
then sends the registrant a personal identification number via email, which, when
entered at the Web site, unlocks access to the user's new digital ID. This ID
contains the user's public key--the one the user can give out--along with whatever
public information about the user is appropriate for the class of certificate the user
has chosen. The ID is signed with VeriSign's private key, which is kept on a secure
server. Any time someone wants to check the ID's authenticity, they can do so,
through facilities at the Web site.
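
The issue-and-check flow described above, as an added example (not VeriSign's code and not from the book): a stand-in certificate authority signs an ID that binds a public key to the fields for the chosen class, and anyone holding the authority's public key can detect an altered ID. The demo key, the field names and the use of unpadded textbook RSA are assumptions made only so the flow runs with the Python standard library.

```python
import copy
import hashlib
import json

# Constructed demo CA key: textbook RSA over two known Mersenne primes.
# Far too small, and unpadded, for real use; it only makes the flow runnable.
P, Q = 2**127 - 1, 2**89 - 1
CA_N, CA_E = P * Q, 65537                  # CA public key, known to everyone
CA_D = pow(CA_E, -1, (P - 1) * (Q - 1))    # CA private exponent, kept by the CA

# Fields carried by each certificate class (hypothetical names that follow
# the three classes described in the text).
CLASS_FIELDS = {
    1: ["email"],
    2: ["email", "street_address"],
    3: ["email", "street_address", "verified_in_person"],
}

def _digest(body):
    """Hash a canonical encoding of the ID body, reduced into the CA modulus."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % CA_N

def issue_id(subject_public_key, cert_class, info):
    """CA side: bind the public key to the class-appropriate fields and sign."""
    missing = [f for f in CLASS_FIELDS[cert_class] if f not in info]
    if missing:
        raise ValueError(f"class {cert_class} ID is missing {missing}")
    body = {"class": cert_class, "public_key": subject_public_key,
            "info": {f: info[f] for f in CLASS_FIELDS[cert_class]}}
    return {"body": body, "signature": pow(_digest(body), CA_D, CA_N)}

def verify_id(digital_id):
    """Relying-party side: needs only the CA's public key (CA_N, CA_E)."""
    try:
        sig = digital_id["signature"]
        if not isinstance(sig, int) or not 0 <= sig < CA_N:
            return False
        return pow(sig, CA_E, CA_N) == _digest(digital_id["body"])
    except (KeyError, TypeError):
        return False

def demo():
    """Issue a class 2 ID for a constructed user, then swap in another key."""
    user_key = {"n": (2**61 - 1) * (2**31 - 1), "e": 65537}   # constructed
    cert = issue_id(user_key, 2, {"email": "alice@example.com",
                                  "street_address": "1 Example St"})
    forged = copy.deepcopy(cert)
    forged["body"]["public_key"]["n"] += 2    # attacker substitutes a key
    return verify_id(cert), verify_id(forged)  # (True, False)
```

The check succeeds only while the signed body is byte-for-byte what the authority signed, which is why a relying party can trust the public key inside the ID without contacting the user.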

VeriSign's IDs are intended to be used for all sorts of authentication, such as
verifying the source of email, identifying paid-up customers to Web sites, gaining
access to virtual private networks (secure business-to-business networks operated
over the insecure public Internet), and guaranteeing the origins of downloaded
software. In early 1997 VeriSign claimed to have issued 500,000 such IDs to
individuals and another 14,000 to Web sites.
     
Copyright © 1997-99 NYU Press. All rights reserved.
Reproduction in whole or in part in any form or medium without written permission of New York University Press is prohibited.