Is it any good? No. For some places it is good enough, and by the way in the US our
biggest competition is from electronic signature products rather than digital signature
products. People prefer to use lower quality solutions that are easy rather than to go for
known secure solutions. So there are electronic signatures and there are advanced
electronic signatures, sometimes called digital signatures. Electronic signatures are
anything that you make a decision with, and digital signatures have to be PKI-based in a
proper digital signature. Our Co-sign is a proper advanced electronic signature device.
Are we compliant with Turkey? I do not know, but we are selling our Co-sign in Turkey.
Stanley: In a recent announcement by the European Commission to adopt two or
three protector profiles, there is a secured signature creation device for the hand user and
the equivalent one for the hardware secured model. There are two faults in the
generation of the protector private key and my first point is that unless in the future you
have a device which is compliant to this, then you do not comply with EU directives.
The second point is that you say the enterprise probably is the problem you are trying to
solve. I say that PKI has already solved the problem. The problem with PKI is
enterprise to enterprise. I walk into a NATO PKI working group and if all we had to do
was to solve the problem of PKI as a sort of NATO HQ type concept, it would be easy.
The problem is we have nineteen nations at the moment so we have to define specific
policy that nineteen countries can agree to. The policy of how you define how you sign a
document and how you generate the private key used in the PKI concept has to be
consistent. What interests us is Roman type. The Microsoft PKI is also about to go to
Roman with software, private keys or a base private key. The big issue is the fact that if
we have an organisation, I can sign this document and then I want to do business with
another organisation, so do they accept that private key? You would like to set any
authentication mechanism which totally fits the object, but I have to know when
company B sends me an order and that the person who sends it uses a similar system to
sign that order as I would expect in my company. If we have an organisation, I sign this
document and then I want to do business with another organisation, do they accept that
private key?
Aharoni: It is an organisation policy. You decide what your policy is and whatever
you decide, it is fine with me. I am just a vendor here. It is not to say that I think the
users of the password are good enough; this is your decision. The EU directives say that
the generation of keys has to be done under the complete control of the users and the
legal question is where the Co-sign produced is generated under the control of the user. I
claim that access into the key is exclusive to the user. There is always a discussion that
does not appear in legal language. So should the user have a hardware device that
generates the keys on the device held by the user? The digital signature laws do not
require it because they do not want to necessarily force smart card-based technologies.
They want to allow software and they want to leave it at a more general definition. The
definition is under the exclusive control of the user and I claim that we are complying
with the exclusive control of the user part. The Co-sign is basically like a smart card; it
is like a network-attached smart card. It is impossible to get the keys under the device
unless you are the user. Their authentication into that device does not allow you to get
the key out of the device but you are allowed to send material to the device.
For the second comment, I am sorry, but I beg to differ. I have been in this business
for a long time. I have seen in-trust solutions many times but I have yet to see an in-trust