Welcome to Information & Communication Technologies Authority of Mauritius
ELECTRONIC SIGNATURE AND CERTIFICATION SERVICES

As e-business evolves, new business models are bringing about a plethora of changes. One of the primary concerns in e-business is the potential loss of assets due to security breaches within this mode of transaction.

In the brick and mortar world, responsibility to mitigate these risks is well understood. To sustain an equivalent level of risk management under new business models that rely on the electronic flow of sensitive information, new infrastructure and trust models must be established.

The Mauritian Government has already set the necessary legal framework by enacting the Electronic Transaction Act 2000. The enforcement of the Electronic Transaction Act depends on the setting up of a Public Key Infrastructure (PKI) to enable a strong form of protection: providing the digital evidence required for a transaction, protecting the business process and making it legally binding. In fact, adopting a PKI makes available the comprehensive set of security services that secure electronic transactions require, namely authenticity, integrity, confidentiality and non-repudiation.

Recalling that the responsibility of the Infrastructure is to deliver the services in a trusted fashion, the following questions should now come to mind:

• Who binds the individual's secret to the individual's identity?
• How is the entity's identity established in the first place?
• How do I know if an individual's secret has been compromised?

Most of these questions go back to the basic business need for trust. To build trust, the public key model for an infrastructure centres on the Certification Authority, the Registration Authority and the Root Certification Authority, and on their relationship to the applications they serve, to the individuals they enrol as subscribers, and to the policies that they support.

Certification Authority (CA)

The Certification Authority (CA) is the heart of the PKI, responsible for creating the certificate that binds a subscriber's identity to their public key. The digital certificate is an electronic document issued by a trusted party that binds the physical identity of an entity (user, organization or computer) to that entity's public key. In security systems (especially in a public key cryptographic system), a digital certificate is used to authenticate the parties involved in a transaction and to electronically sign documents, which ensures the integrity of their contents and the non-deniability of transactions conducted electronically. ITU-T Recommendation X.509 defines the format of a certificate. The figure below shows a simple diagram of an X.509 certificate.

The evidence required to assure the accuracy of the binding depends on the applicable security policies. These policies are based on an enterprise's risk assessment of its business environment. The end-user registration process may require in-person interviews, or it may rely solely on information that is publicly available or self-provided, such as an email address. The value of the binding is determined by this procedure (as is true of any binding of an entity to a secret in any infrastructure). One of the strengths of a PKI is that it can support multiple registration models, including the most restrictive requirements.

The CA also bears responsibility for the revocation of certificates. Although most certificates are issued and remain valid for their lifetime, there are occasions when the privileges associated with a certificate become invalid. This can be the result of normal activities, such as the closing of an account or a change of job. It can also be necessitated by the potential compromise of the private key component.


Registration Authority (RA)

A Registration Authority (RA) can be used to offload many of the administrative functions from the CA, including end-user registration. This is especially useful in large, geographically dispersed organizations that require their end-users to register in person. Rather than forcing all end-users to travel to a centrally located registration site, RAs can be distributed so that personal travel and inconvenience are minimized.

Controller of Certification Authorities (CCA)

Under section 37 of the Electronic Transaction Act 2000 of Mauritius:

• the CCA shall operate a publicly accessible database containing a certification authority disclosure record for each licensed certification authority;

• the Controller shall be deemed to be a licensed certification authority.

Under section 18 (z) of the Information and Communication Technologies Act 2001 the ICT Authority is to act as the Controller of Certification Authorities. The Controller of Certifying Authorities as the “Root” Authority certifies the technologies, infrastructure and practices of all the Certifying Authorities licensed to issue Digital Signature Certificates.

To fulfil this role, the Mauritian PKI is deployed with the CCA acting as the linchpin of the PKI. It is the ICT Authority's responsibility to monitor that certification service providers comply with the obligations imposed on them by the law.
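The hierarchy described in the CA and CCA sections above (a root authority certifying licensed CAs, which in turn bind each subscriber's identity to a public key), as an added example written for this page rather than code from the ICTA or its PKI: every name is constructed, and the "unlicensed CA" is a hypothetical self-signed authority outside the root's hierarchy, included to show that a well-formed certificate it issues still fails verification against the root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue binds cn to a fresh key pair; parent == nil yields a self-signed root, otherwise the parent's private key signs.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA { // only authorities may sign certificates and revocation lists
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// VerifyChain validates subscriber -> CA -> root while trusting nothing but the root certificate.
func VerifyChain(leaf, ca, root *x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(root)
	opts.Intermediates.AddCert(ca)
	_, err := leaf.Verify(opts)
	return err
}

// Demo returns the verification result for a subscriber of a root-certified CA and for one of a self-declared CA.
func Demo() (licensedErr, unlicensedErr error) {
	root, rootKey := issue("Constructed Root (Controller role)", 1, true, nil, nil)
	ca, caKey := issue("Constructed Licensed CA", 2, true, root, rootKey)
	rogue, rogueKey := issue("Constructed Unlicensed CA", 3, true, nil, nil) // hypothetical, outside the hierarchy
	good, _ := issue("subscriber@example.test", 4, false, ca, caKey)
	bad, _ := issue("subscriber@example.test", 5, false, rogue, rogueKey)
	return VerifyChain(good, ca, root), VerifyChain(bad, rogue, root)
}
```

The first error is nil and the second is an x509.UnknownAuthorityError: a relying party that trusts only the root accepts subscribers of licensed CAs and rejects everyone else, which is the enforcement point the Controller's role depends on.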


© Information and Communication Technologies Authority of Mauritius
Last Updated: 1 March, 2010 | Webmaster