PKI Benefits & PKI Benefits & ApplicationsApplications

Lisa Pretty

Executive Director

PKI Forum

“The PKI Forum is an international, not-for-profit, multi-vendor and end-user alliance whose purpose is to accelerate the adoption and use of Public-Key Infrastructure (PKI). The PKI Forum advocates industry cooperation and market awareness to enable organizations to understand and exploit the value of PKI in their e-business applications.”

Agenda

PKI Benefits & Applications PKI Technology & Interoperability PKI Vendor Panel Q&A

Source: Aberdeen Group, PKI Multi-Client Study, December 1999

PKI Applications

68%

62%58%

43%

21%

Web

VPN

E-Mail

Custom

ERP

Source: Datamonitor, “Public-Key Infrastructure 1999-2003”, December 1999

PKI Market Forecast, 1997-2003by Revenue Category

$0

$500

$1,000

$1,500

$2,000

$2,500

$3,000

$3,500

1997 1998 1999 2000 2001 2002 2003

Re

venu

e (

$M

)

Maintenance

Professional Services

System IntegrationPKI Services

PKI Products

The Speakers

Financial: Sven Hammar – Celo Healthcare: Justin Kromelow – Phyve Government: Bill Wehrmacher – DataKey Europe: Steve Matthews - Netlexis

PKI in the Financial PKI in the Financial MarketMarket

Sven Hammar, CEO

Celo Communications

Why PKI in Finance?

PKI + Finance = Logical relationship Banks = TRUST…

– Take advantage of trust – biggest strength!– PKI proving to become security standard– Online transactions require security– Manage risk– Vital to embrace new technology– Can afford to be one step ahead – Customer loyalty

PKI for Customer Loyalty

Use PKI as customer tool Build loyalty relationship with customers PKI enables added service offerings:

– Online banking – Stock brokerage– Loans– Online payment of bills

Threats…

PKI a new technology– Understand value in order to reap benefits

Leverage existing brand – Image, relationship & Infrastructure – PKI enable legacy applications

Customer understanding value of PKI– Always keep it simple for the customer!

Banks moving fast enough?

Banks challenged by “non-banks”– Retail industry already “e-savvy”– Infrastructure in place – Customers in place, worldwide access

Online Competition– Web Portals, ISPs offer Internet Banking– Yahoo, AOL issue certificates…– Telco’s – Superior Infrastructure

PKI Strategy in Finance

Use the advantage of TRUST!– Work out brand management system

Create PKI business alliances– Identrus the right path – Global presence

Think long term– Market landscape is changing fast

Work with open standards– PKI Forum a step in the right direction

New revenue opportunities

Certificates; A new revenue opportunity Banks can market active certificate list These customers are already:

– Online– Trusted– Banking/Payment/Credit-Worthy– Early Adaptor Mentality

PKI Applications in Finance

Digital Signatures – a vital PKI feature– Legally, binding mechanism to digitally sign

documents and transactions remotely U.S Senate approved the E-signing Law

– Removes legal barriers for e-business– Bill Clinton signed E-Signing bill June 30– E-Signing law effective October 1st

Digital Signatures in Finance

Enables non-repudiation– Verify identity of customer– Revocation– Storage of signatures

Customer user-friendly– Sign online transactions with a single click– Sign HTML web forms & contracts– Stronger sense of security for customer when

performing online transactions

Digitally Signed Bank Transaction

Overview

Smart Cards / USB Tokens

Smart Cards as relationship device– Tool to leverage relations to customer– Creates stronger tie to customer– Bank’s brand always present (on card)– Customer offer for higher level of security

USB Tokens – Competitive option to smart cards– PC hardware not yet supporting card readers

PKI is the Future!

Predictions for the overall market are huge. Potential in Financial Sector is unlimited! – Both IDC and Frost & Sullivan put PKI as one

of the fastest growing markets in the Internet security space in coming years.

– According to Aberdeen Group, 98% of the Global 2000 enterprises will be using PKI before 2003.

Summary

PKI and Finance is a marriage made in heaven – Logical and obvious relationship

The Trust issue puts Financial institutions in pole position

Digital signatures enable a stronger position on the market as well as with customers

Keep it simple for the customer! Start now – PKI means money!

PKI Benefits in Healthcare

Justin Kromelow

Phyve.

Why PKI in Healthcare

HIPAA TCO maximization objectives Adoption and implementation of technical

standards Large diverse, distributed organizations and

groups of users

Benefits

The Internet Administrative savings

– Paper vs EDI, Electronic report delivery Enhance information systems delivery plan Data mining/disease management Cornerstone for data driven efficiency

Contact Information

Phyve2200 Bridge Parkway

Redwood City, CA 94065650-620-5100

http://www.phyve.com

justin.kromelow@phyve.com

PKI: Your government PKI: Your government working for youworking for you

W.H.(Bill) Wehrmacher

Datakey, Inc.

Not the first, but certainly a very public step

In 1997, Vice President Al Gore published Access America, a report which outlined actions the Federal government is taking to promote the electronic delivery of services, and electronic

transactions between agencies and trading partners, over open networks such as the Internet. The report made it clear that providing a proper

security infrastructure was essential for electronic transactions to flourish.

The Evolving Federal Public Key Infrastructure, CIO (Department of the Treasury)Richard A. GuidaFinal Draft 4.0, 5-21-2000

What Government Agencies

State U.S. Government

– Federal– Department of Defense

International

State Governments

Electronic / Digital Signature Law– All 50 states have law allowing for the use of digital

signatures, most of which allow or require PKI.• Mandate use of Digital Signatures in inter-government

communication and commerce

• Permits use of Digital Signatures elsewhere

– 43 states have adopted the Uniform Computer Information Transactions Act (UCITA) which references PKI based digital signatures

U.S. Government Federal

Access Certificates for Electronic Commerce (ACES)– General Services Administration contract schedule for issuing

Certificates

– Potential ACES users’: SSA, EPA, and Dept of Education

– Three Schedule awardees: ORC (Operational Research Consultants), Digital Signature Trust, AT&T

Smart Access Common Identification– GSA contract schedule for issuing PKI smart cards

Federal PKI– hosted by NIST

– At core of interoperability and cross certification

– Federal Bridge CA

U.S. Department of Defense

DoD Medium-Pilot Assurance PKI– Sensitive, but unclassified material– 50,000 certificates in use today

Interim External Certificate Authorities (IECA)– IECA program can be trusted by DoD applications– Four IECA vendors: ORC (Operational Research Consultants), Digital

Signature Trust, VeriSign, General Dynamics DoD Class 3 PKI

– CA keys in FIPS 140-1 Level 2 hardware tokens– LRA and RA keys in FIPS 140-1 Level 2 smart cards

Target DoD Class 4 PKI– will require smart cards or other tokens for all certificate holders

DoD Common Access Card– Upgrade ID cards to PKI smart cards

International Law

43 countries have law in place, in draft or are actively investigating PKI based law for digital signatures or e-commerce

German Digital Signature Law– PKI based digital signatures– Oldest and most well known

United Nations Commission on International Trade Law (UNCIRTL)

Why? Because we must!

“Business-to-business and business-to-consumer electronic commerce reached $43 billion and $8 billion respectively in 1998. Estimates predict that by 2003, those totals will exceed $108 billion and $1.3 trillion respectively (Forrester Research). This experience suggests that electronic forms of authentication which are accepted over the Internet – and which include the use of public key technology – be generally accepted as having sufficient legal foundation by the transacting parties to allow e-commerce to proceed and grow”

“In October 1998, Congress enacted the Government Paperwork Elimination Act (GPEA, Public Law 105-277) requiring that when practicable, Federal agencies by October 2003 accept forms electronically with electronic signatures.”

“Federal agency efforts have focused on using public key technology for intra-agency, interagency, and agency to trading partner transactions. The largest potential volume of traffic, and the greatest prospects for service delivery, involves transactions with the general public. Recognizing this, and appreciating that the best approach to use public key technology with the public is to devise a PKI that all agencies can collectively use for that purpose to share the costs of a common infrastructure, the General Services Administration began working in 1996 on an effort called Access Certificates for Electronic Services (ACES).”

Conclusions

The use of Public Key technology within Government and business will continue to grow at an astounding rate.

Public Key Infrastructures to provide and maintain trust must expand to support the the growth of this technology

Government is leading, and will continue to lead, the expansion of PKI technology and service

Please feel free to contact me

W.H.(Bill) Wehrmacher

Director of Technical Services

Datakey, Inc.

bill.wehrmacher@datakey.com

+1 952 808-2337

407 West travelers Trail

Burnsville Minnesota 55337

PKI: A European PKI: A European PerspectivePerspective

Steve Mathews

Netlexis

Where is Europe on the PKI map?

Baltimore Technologies UtiMaco iD2 Axenet Siemens Belsign Bull and others ……………………………….

How about European experiences?

European Commission R&D funding for major security projects since 1991

European Commission R&D and demonstrator funding for PKI projects since 1995

A sample of projects

DIABCARD-3 Smartcard held medical records for diabetes and cardiovascular diseases – Siemens – Austria, France, Germany, Greece

ISHTAR – secure healthcare telematics – R3 (now Entrust), Belgium, France, Germany, Greece, Netherlands, UK

More projects

TRUSTHEALTH I + II implementing PKI and TTPs in international healthcare– I – France, Netherlands, Norway, UK, Sweden– II – Belgium, Denmark, France, UK, Sweden

ICX – international commercial exchange for developing PKI supported trade – ICL, Shell International, Sweden Post, The Post Office

Commercial actions

Axenet announces a CA service for the French electronic marketplace in April 98

Brokat and iD2 integrate PKI and smartcards to provide encrypted payments systems complying with German digital signature law – November 1998

National examples

Finnish citizen card and electronic identification launched using the Finnish Population Register Centre as the CA and Helsinki Telephone Corporation as the directory. Valid for electronic exchange of information for official purposes.

National examples

Netherlands Data Protection office working with ICL/Fujitsu and others to deliver a PKI and smartcard based solution for the protection of healthcare information for access from and transport over the Internet

Commercial examples

Merita Nordbanken – Internet bank using PKI and smartcards

Bankgirot – Giro bank using PKI to support Corporate payments system

www.PKIForum.org