Everything you need to know about digital IDs

A digital ID is used to prove who you are on the Internet--much as you use a driver's license in the physical world. A certificate authority (CA) issues digital certificates to individuals, companies, and other organizations to authenticate their identities. The CA does some checking, then issues and signs a digital certificate that vouches for who they are. Digital certs are designed to foster trust on the otherwise anonymous Internet.

What is a digital certificate?
Call it an identity card for cyberspace, your electronic credentials for the Internet. It says, "This person is who she or he claims to be." Same goes for Web sites. On the largely anonymous Net, people want proof of who they're dealing with--particularly if there's money or an exchange of information involved.

But what exactly does a digital certificate consist of?
It's an electronic document, technically called an X.509 certificate, saying who you are, who issued the certificate, and roughly how much checking was done. It contains a "public key" (a term from the crypto guys) that's issued to you alone. Your public key links to your unique "private key."

What are public and private keys?
These keys--basically scrambled numbers--are based on public-key cryptography, a complicated science. Basically, an individual or organization gets both a public key, which is embedded in the digital certificate, and a private key. Your public key is shared with the world. Your private key should be guarded carefully--just as you would your passport if you're traveling overseas. To verify your identity, you need both.

Who issues digital certificates?
Issuers are called certificate authorities or just CAs. They're the Internet equivalent of the department of motor vehicles, the immigration authority, your bank, or your employer.

Why would I need one?
On the Net, you never know for sure whether you dealing with a legitimate business or a crook, a charming prince or an impostor. A digital certificate vouches for the identity of a person or company, confirming that he is really who he claims to be.

So can I trust anyone who has a digital certificate?
Not necessarily. A digital certificate vouches for your identity, not your character. Remember, even a bad driver can have a driver's license.

But isn't a digital certificate supposed to establish trust?
A digital certificate can help create trust by letting you know whom you're dealing with, but not much else. You still need other measures. You have to make up your own mind about trusting them.

What about my privacy? I don't always want sites to know who I am.
Unlike "cookies" in browsers, you control who sees your digital certificate.

Will I need to have more than one digital certificate?
Definitely. You'll have one for general purposes (secure email, Web site log-in), one for your job or school, and one for every credit card in your wallet. You might have one for any special group you belong to--frequent flier program, secret society, whatever.

How do I keep track of all these IDs?
Mostly you won't have to. Today digital certificates are stored on the hard drive of your computer. Some day, your digital certificates may be stored on a smart card, a plastic card with a chip on it. Then you can carry it around and just insert it in a network computer, kiosk, PC at the library, or even a smart card reader at the store on the corner.

Why can't I just use my password and PIN?
You can, but digital certificates should be easier and more secure. With a digital certificate, you don't have to remember a different password and personal identification number for every Web site. Passwords and PINs can be stolen. Nevertheless, you'll still need a password even with a digital certificate so someone else can't impersonate you just by using your computer.

What's a SET certificate?
It's a special kind of digital certificate specifically for making credit card purchases over the Net. You'll get it from your bank or card issuer, one for each credit card you use on the Internet. It's how merchants and banks know you're really authorized to use your credit card. SET stands for Secure Electronic Transactions, a new protocol from Visa and MasterCard for paying over the Net.

What's the down side of these certificates? They sound almost too good to be true.
Remember, they are software, so expect some glitches. People will be confused about what digital certificates are and how to use them. Issuing millions of digital certs to people and merchants also will be a daunting task. And some fly-by-night operator may issue digital certificates to swindlers who take advantage of people, just like in the physical world.

go to Big names battle for digital IDs