If I were a revolting baron sending a message to King John in the late Middle Ages, I would be likely to use a wax seal. I would take my letter, fold it, and then use wax to join the folds in such a way that an attempt to open it would crack the wax.
I would then imprint the wax with my seal, which could be a ring or some other complex stamp. In this way the King could be reasonably sure that the message had not been tampered with and that I was the sender.
In a strange twist of “progress”, most electronic messages today have much less authentication than even a simple wax seal. The information in a plain e-mail, including details of the sender, can be modified without restriction.
E-mail spoofing of this sort is used to try to crash and compromise systems, obtain information by deception or simply to disguise unsolicited advertisements or spam. One variant of this that I find particularly annoying is the rejection messages that end up in my inbox because my e-mail address has been spoofed as the return address to a message whose delivery fails.
A method of message authentication that could greatly reduce such issues has existed for many years in the form of digital signatures. A mathematical computation provides the “wax” to prevent tampering with the message, and a cryptographic key provides the “seal” to verify the sender. The keys for signatures are usually obtained from trusted third-party companies such as Thawte or Verisign, who have their public keys preloaded into many applications to make the process easier.
While the average medieval gentleman would be expected to recognise the Great Seal of the Realm and other important seals, it is probably a bit much to expect anyone to recognise my digital signature. So how does a recipient know the signature is mine?
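The wax-and-seal split described above, as an added example that is not part of the original article: a hash over the message plays the wax and a private key plays the seal. It uses textbook RSA with a deliberately tiny key and no padding so that it runs on the Python standard library alone; the addresses, message text and function names are constructed for illustration.

```python
import hashlib
from email.message import EmailMessage

# Toy RSA key built from two known Mersenne primes (illustration only:
# far too small for real use, and real schemes add padding such as PSS).
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent: the "seal"


def build(sender: str, body: str = "We meet at Runnymede.") -> EmailMessage:
    """Construct a sample message (all values are made up)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "king@example.org"
    msg["Subject"] = "Terms"
    msg.set_content(body)
    return msg


def digest(msg: EmailMessage) -> int:
    """The 'wax': a hash covering sender, recipient, subject and body."""
    h = hashlib.sha256()
    for name in ("From", "To", "Subject"):
        h.update(f"{name}:{msg[name]}\n".encode())
    h.update(msg.get_content().encode())
    return int.from_bytes(h.digest(), "big") % N


def sign(msg: EmailMessage) -> int:
    """Only the holder of D can produce this value for a given digest."""
    return pow(digest(msg), D, N)


def verify(msg: EmailMessage, signature: int) -> bool:
    """Anyone holding the public (N, E) can check the seal."""
    return pow(signature, E, N) == digest(msg)


def demo():
    original = build("baron@example.org")
    sig = sign(original)
    altered = build("sheriff@example.org")   # same text, altered sender
    return verify(original, sig), verify(altered, sig)


if __name__ == "__main__":
    print(demo())
```

Because the digest covers the From header as well as the body, changing either after signing makes verification fail, which is the check a plain e-mail lacks.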
One solution (as used by CAcert and Thawte) is the “Web of Trust”, which uses a community-based scheme. To validate my digital ID I have to meet several “notaries” in person with suitable documents to build up “points”. Once sufficient points have been accrued, a validated digital signature is issued. In other methods the user has to be validated before the signature is issued, but unfortunately this adds an extra step, and usually expense, that puts the average user off.
Interestingly, one of the documents suggested for the web of trust is a passport. In the UK, new passports contain electronic biometric information intended to allow positive identification of the holder. This could allow very direct linking of real and digital identities, although whether this is a good idea is another issue entirely.
Unfortunately, probably because of lack of knowledge, incentive or a widely accepted distribution method, digital signatures are rarely used outside security circles. Microsoft is addressing the issue of digital identities with the CardSpace (formerly InfoCard) framework, intended to simplify identity management for users. However, Microsoft Passport, a previous initiative of this type, never really took off.
As with most such projects, there is an open source equivalent or complement in the shape of the Higgins Trust Framework, which has gained support from Sun, IBM, Novell and others. Whether this will bear fruit is open to doubt.
The scope of Higgins and CardSpace goes beyond simple digital signatures and includes single sign-on (password management), e-commerce (credit card information) and personal data.
If current initiatives bring digital signatures into widespread use, then maybe we can bring e-mail communication up to 14th century standards.
■ James Bowers works for Pentest, an IT security company providing consultancy services in the UK, Europe and North America. www.pentest.co.uk