Implementing PKI
Passport to a Safer E-business Environment
Wednesday, December 27, 2000

As both B2B and B2C e-commerce are fast becoming a reality in India, a number of companies, like Satyam and HFCL, are planning to develop Public Key Infrastructure (PKI) to carry out Internet-based commercial transactions. PKI is a vital element of e-commerce because, through digital certificates, it ensures the security of electronic transactions and the exchange of sensitive information between parties that do not have a previously established business relationship. As the stage is set for large-scale PKI implementation in India, it is important to analyse what opportunities and challenges lie ahead for PKI solution providers, especially in the context of distribution of digital certificates.

Anyone who uses e-mail regularly knows how easy it is to hide a true e-mail account behind an alias or an assumed identity. Anonymity and role-play can be tolerated for simple e-mail messages. However, when it comes to serious business, a strong verifiable identity is required. Digital certificates grew out of PKI and use asymmetric cryptography to authenticate users. In face-to-face transactions, there is a high level of trust between the participants, as it is easy to verify their identity. As more and more organisations use the Internet to conduct business, it becomes necessary to build trust among people who have never met and who cannot meet each other.

A Certification Authority (CA) is a trusted third party entity whose central responsibility is certifying the authenticity of users. In essence, the function of a CA is analogous to that of the passport-issuing office in a government. A passport is a citizen's secure document, issued by an appropriate authority that certifies that the citizen is who he/she claims to be. It is effectively that person's "paper identity". Similar to a passport, a network user's "electronic identity", issued by a CA, is proof that the user is known by the CA. Therefore, through third-party trust, anyone trusting the CA can have confidence in the user's identity.

How can we trust a CA? In countries like the US and Canada, CAs like Verisign and Entrust have established their credibility using the first-mover advantage in an unregulated environment. In India, the Controller of Central Certifying Authority (CCCA), which has already been set up by the Government of India, invites applications from third-party PKI solution providers and grants CA licenses based on certain eligibility criteria.

There are two distinct segments which require digital certificates. First, there are corporations that need digital certificates for carrying out secure intra-company transactions through Virtual Private Networks. Certificates are also needed to authenticate a company's commercial transactions, done through extranets, with their clients and other business partners. Since electronic business and B2B e-commerce necessarily require authentication and security, there is an immediate need for companies to get digital certificates. It is relatively easier for the CA to issue certificates to corporations as verification of the identity of companies is easier.

The second segment is of individuals, who can also get digital certificates from the CAs. As more and more activities such as electronic trading, Internet banking and B2C electronic commerce are deployed, digital certificates might become the default authentication mechanism of the future. However, registering and issuing digital certificates to individuals is a daunting task, especially in India. Before issuing the certificates, the identity of the individuals who have applied for certificates needs to be verified by examining traditional forms of identification, such as a passport or company records. The verification step is crucial, as the trust framework will break down if certificates are wrongly issued. In countries like the US, which have a structured computerised Social Security System, it is easier to distribute certificates to the masses as their identity can be easily verified. The identification proofs in India, viz. passport, Permanent Account Number (tax ID) and driving license, are not widely available or accessible. Hence, CAs will have to identify their target market as those individuals whose identity can be easily verified for issuing certificates.

A viable option for certifying individuals is to first target corporations and through them give certificates to their employees. Each company will be responsible for maintaining the validity of the certificates issued to its employees. Distribution of digital certificates within the company will also help the organisation to keep track of access control to various information resources and create audit trails of resource access. The company will also manage the revocation and renewal of digital certificates through its own PKI. As more and more corporations come into the PKI, the chain grows. Another option is to use financial institutions like banks to provide certificates to their account holders. Nevertheless, as there is no thorough verification of traditional documents like the passport at all banks, the CA might have to cross check the identity of the users to determine their true identity.

Distribution of digital signatures to end-users is a challenging task. In the U.S., Canada, and Europe, CAs have initiated the distribution of digital signatures through Smart Card technology. Smart Cards form an easy-to-use, secure platform for carrying the complex digital signature data. With the success of Smart Petro-Cards as a preferred payment instrument at gas stations in India, Smart Card technology might prove to be crucial in the distribution of digital signatures. Banks and financial institutions that are allowed to issue Smart Cards in India are in the strongest position to form partnerships with retailers, transport and petrol companies, and utilities to effectively distribute digital signatures through Smart Cards. With the emergence of a common standard, Smart Cards will become inter-operable and hence a convenient instrument to conduct authenticated electronic transactions across business entities. This inter-operability will also lead to a faster increase in the user base. Once issued, the digital certificates will gather mass acceptance, becoming the sole structured identification method. As the number of digital certificate owners reaches a threshold level, the acceptability and use of certificates in business and non-business transactions will grow faster due to the multiplier effect of using a standard product. India has about 1.5 million Internet subscribers and is one of the fastest growing subscriber bases in the world. However, providing certificates to individuals will mean higher volumes but lower profits per certificate due to increased verification costs.

In conclusion, there are two ways by which digital certificates could be deployed and adopted in India. First, CAs should issue digital certificates to business entities, which will give a thrust to B2B e-commerce activity in India. Second, CAs should target individuals through business entities so that digital certification will migrate from a simple online authentication mechanism to a structured proxy Social Security System. Technology permits bundling PKI in small convenient systems which will aid in its proliferation and usage.

V Sridhar is an associate professor at IIM Lucknow; Arjun Ramdas and Shashank Rathi are both MBA students at the same institute.
