CIO
Reader Feedback
CIO Staff 24 January, 2001 11:25:28

Digitally Incorrect?

Regarding the December 2000 issue of CIO, page 84, "Sign on the Digital Line": I am unsure whether or not this sub-article within the larger article "Covering Your Digital Assets" was checked editorially or not, since it definitely contains some simple and obvious errors. These errors could easily lead CIOs to a wrong understanding of the technologies involved and thus to the provision of wrong advice to business managers.

Let's look further.

"These technologies are often considered the most secure and reliable form of electronic signature because they use public-key infrastructure technologies to ensure that the electronic message has not been altered during transmission."

A PKI scheme, as currently understood in industry, is not essential for e-commerce at all. Indeed, its predecessor, Electronic Data Interchange, or EDI, still in use (particularly in Europe), offers all this without a certificate-based PKI. Indeed, a simple "Trading Partner Agreement" for B2B e-commerce, with exchange of crypto keys at the time of agreement, is a simple, proven and effective technique with a long history. Alternative, simpler and more scalable schemes using trusted directories are also available.

"You also receive two digital keys - one private and one public."

Well, this is obviously pointless. If you receive a "private key" from another party then that party also has a copy. It ceases to be private and the whole point of public key technology is destroyed. The other party now has your identity. The keys must be created by you, the user, and a certificate authority simply attests to the "public key" part ONLY and an associated identity.

"To sign a document, you enter a password or PIN and affix your electronic signature - the private key - to the document."

No, the private key is used as separate data to a program that creates a digital signature using that key along with a processed ("hashed") version of the document to be "signed". You must trust all of the following: a. the correct operation of the signing program itself, and that means a "trusted" operating system in the computer used, particularly if it is an office PC, b. the safe and secure storage of the signing key, hopefully on a Smart Card which is then read by the signing program, and c. that what you think you are signing, as, say, displayed on a screen, is correct and complete and fully matches what is being stored and used in memory, again requiring a trusted operating system.

The important point about this sentence is that the whole security of the scheme is limited, not by the crypto and keys used, but simply by that password or PIN used to activate the scheme and the trustworthiness of the operating and computer system used. Very dangerous on a PC. This points to the need for a new generation of PC operating systems and hardware that have a high trust level, a parameter not considered in the first 20 years of the personal computer world.

"Digital certificates"

The article seems to advocate the use of certificates without considering the problems. A major one is simply that of "certificate revocation". If a user's private, signing key is compromised then all copies of all certificates with the associated public key need to be withdrawn from usage. In addition, all previously signed documents could now be called into suspicion if challenged in court, depending on how widespread the exposure of the signing key has been. This is a massive problem that is not yet fully resolved and could, indeed, be the "Achilles Heel" of the whole scheme.

In summary, electronic commerce security based around public-key infrastructure (PKI) needs to be carefully considered and its implications fully understood before managers rush headlong into deployment. For example:

a. what form of trust in generation, storage and usage of "private signing keys" will be used?

b. what "trust levels" are possible, if at all, in commodity PC-based operating systems?

c. are certificate structures really necessary or would alternative services suffice?

d. what about certificate revocation plans if certificates are to be used?

The list gets longer the more it is considered.

Professor William J (Bill) Caelli, FACS, FTICA, MIEEE

Head - School of Data Communications

Member - Information Security Research Centre

Queensland University of Technology

Brisbane QLD

w.caelli@qut.edu.au

Thanks for your feedback. We do check all our articles for accuracy, but, as with most things in life, nothing is perfect. The sidebar you refer to - "Sign on the Digital Line" - was not written by contributing editor Sue Bushell who wrote the feature story; it was adapted from CIO US. While I'd never take the stance that material from the US is 100 per cent correct, I do know that my US colleagues are meticulous fact checkers. Since receiving your letter, I have checked with them to see if they have had any response regarding the information in this piece, and to date they have not.
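The signing model Professor Caelli describes (the user generates the key pair, a certificate authority attests only the public half and an identity, the private key is an input to a signing program that signs a hash of the document, and a compromised key must be revoked) can be shown end to end in a few dozen lines. The following Go program is an added example; it is not code from the letter, from CIO, or from any product the article describes. The `Attestation` struct is a constructed stand-in for what a certificate attests (identity plus public key) rather than a real X.509 certificate, the `Revocations` map stands in for a revocation list, and the identity and purchase-order text are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// Signer holds a key pair generated on the user's own machine. The private
// half never leaves this struct; only the public key is shown to anyone else.
type Signer struct {
	priv *rsa.PrivateKey
}

// NewSigner generates the pair locally: nobody "sends" the user a private key.
func NewSigner() (*Signer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// Attestation is a constructed stand-in for a certificate: it binds an
// identity to a public key and carries nothing about the private key.
type Attestation struct {
	Identity string
	PubKeyID string // hex fingerprint of the DER-encoded public key (constructed convention)
	PubKey   *rsa.PublicKey
}

// Attest simulates the certificate-authority step; it only ever sees the public key.
func (s *Signer) Attest(identity string) Attestation {
	der, _ := x509.MarshalPKIXPublicKey(&s.priv.PublicKey)
	fp := sha256.Sum256(der)
	return Attestation{Identity: identity, PubKeyID: hex.EncodeToString(fp[:8]), PubKey: &s.priv.PublicKey}
}

// Sign hashes the document and signs the digest. The private key is separate
// input to the signing routine; it is never "affixed" to the document.
func (s *Signer) Sign(document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return rsa.SignPKCS1v15(rand.Reader, s.priv, crypto.SHA256, digest[:])
}

// Revocations lists public-key fingerprints whose private halves are known to
// be compromised; the relying party must consult it before trusting a signature.
type Revocations map[string]bool

// Verify refuses a revoked key, then recomputes the digest and checks the
// signature against the attested public key.
func Verify(att Attestation, revoked Revocations, document, sig []byte) error {
	if revoked[att.PubKeyID] {
		return fmt.Errorf("key %s for %q is revoked", att.PubKeyID, att.Identity)
	}
	digest := sha256.Sum256(document)
	return rsa.VerifyPKCS1v15(att.PubKey, crypto.SHA256, digest[:], sig)
}

func main() {
	signer, err := NewSigner()
	if err != nil {
		panic(err)
	}
	att := signer.Attest("Example Pty Ltd purchasing officer") // constructed identity
	doc := []byte("Purchase order 1234: 100 units at $12.50")  // constructed document
	sig, err := signer.Sign(doc)
	if err != nil {
		panic(err)
	}
	revoked := Revocations{}

	fmt.Println("genuine document:", Verify(att, revoked, doc, sig))
	fmt.Println("altered document:", Verify(att, revoked, []byte("Purchase order 1234: 100 units at $2.50"), sig))
	revoked[att.PubKeyID] = true
	fmt.Println("after revocation:", Verify(att, revoked, doc, sig))
}
```

Two of the letter's points fall out of the code directly: a signature over a changed document fails because the verifier recomputes the hash itself, and once a key is on the revocation list every signature made with it, including genuine earlier ones, is refused, which is exactly why the letter calls revocation the scheme's potential Achilles heel. What the code cannot show is the third point: nothing here protects against a signing program, operating system or display that lies about what is being signed.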

Alive!

Is e-tailing a non-event? Not at Myer Direct.

Australia's most trusted mail order shopping company, Myer Direct, extended into online shopping last March. This move was warmly embraced by our customers, particularly those who are unable to get to the shops this Christmas.

As a mail-order business, Myer Direct has been meeting the shopping needs of millions of Australians for more than 10 years and is established as Australia's most trusted home-shopping brand.

Myer Direct (www.myerdirect.com.au) particularly appeals to shoppers who are unable to go into a traditional store because they live in remote, rural or regional Australia, or are simply too busy.

Myer Direct currently ranges almost 1500 items online, more if the Gifts to Go (www.giftstogo.com.au) range of personal and corporate gifts is also included.

By putting the Myer Direct range online customers are able to browse the entire product range on offer regardless of whether they are in receipt of our catalogue or not. The Myer Direct range changes seasonally and customers can stay up-to-date with new offerings via e-mails that link to the Web site.

One of the benefits of an established brand is the ability to expand into a new channel efficiently and with the minimum of fuss, which is why I can report that e-tailing is very much alive and well at Myer Direct.

Tony Kynaston

Managing Director

Myer Direct

I agree with you regarding the importance of an established brand since that was one of the major points of my editorial. However, as an inveterate shopper, I still insist that if someone is "simply too busy" to shop, they simply are not cut from the same cloth as those of us who were "born to shop".

TO LANDS' END AND BACK

I read your December editorial regarding e-tailing. It's all too true what you espoused about shopping with the real items in front of you.

With regards to Lands' End I have always felt their Web site has been streets ahead of everyone else. I am an Australian married to an American, and lived in LA for six years. I fell in love with catalogue shopping and became a huge fan of Lands' End. I religiously devour each catalogue (to this day!) and regard it as a wonderful showcase of marketing. Of course, the clothes are great, too.

We returned to Australia 10 years ago, but I couldn't do without my Lands' End catalogue so we bought their clothes either on the Internet or by fax. I was very excited when they were "in" Australia. When they left, like you, I thought I was the only one devastated.

I was quite interested to read your comments about them. I have never had a bad experience buying off their site, and other sites would do well to learn by example. With the Australian dollar so low, it was a lean Lands' End Christmas for us, but I will persist with using their Web site only because I am sold on their premise, and I can't buy the same thing here in a store.

I saw an interview with Gerry Harvey a few months ago on Business Sunday talking about the Harvey Norman Web site. He said that he couldn't see how any unrecognised "store" could survive because after throwing buckets of money developing the Harvey Norman site, turnover still only equalled a "small" retail branch. He justified a continuing online presence because he was advertising the physical stores anyway, and was not relying solely on the Web.

It would be interesting to know how successful the Lands' End Web site is versus their mail-order catalogue. It could be a sign of how the future of e-tailing is heading.

Sarah Pruss

sarah.pruss@shadforths.com.au

Thanks for your letter. It's good to know I'm not alone anymore.

What do you think?

Send your thoughts and feedback to linda_kennedy@idg.com.au. Letters may be edited for length or clarity.
