The leading company in issuing digital IDs for the Net, VeriSign, has published a list of its procedures and practices on its Web site in an effort to overcome any doubt among users that digital certificates make their world a safer place.
Called a certification practice statement or CPS, the draft document is intended to explain in gory detail to Net users and businesses how VeriSign issues class 1, 2, and 3 certificates that authenticate the identity of parties in an electronic transaction.
What's more VeriSign seems to want to show how digital certificates should be done.
"One of the major barriers to secure electronic commerce is that there is no legal infrastructure, so end users and corporations are uneasy on the Internet," said Gina Jorasch, director of product marketing. "The Verisign CPS is a model that we hope will set the standard to allow for secure electronic commerce."
VeriSign, which consulted widely on the document with international and legal bodies, including the American Bar Association, expects that publishing its practices will help its digital IDs become accepted as digital signatures to bind contracts and other legal documents.
VeriSign, a spin-off of encryption firm RSA Data Security, is the first company to issue certificates commercially as what it calls Digital IDs. As a certification authority or CA, VeriSign is establishing itself as a trusted independent agency able to vouch for someone's identity in cyberspace.
"It's important that we explicate fully our procedures so that people can know how they can trust their signatures," said Greg Smirin, a VeriSign product line manager. "Technically, one could issue Digital IDs without any procedures. You need to have the document underpinning."
VeriSign is not the only certification authority, but it is the most experienced. GTE has announced its CyberTrust CA service, due later this year, and the U.S. Postal Service is running a beta test of its own certification authority. IBM also intends to enter the CA arena.
With the CPS, VeriSign appears to have established a precedent that its competitors will have to follow.
"The creation and publication of the VeriSign CPS is a huge step forward for Internet authentication," Jeff Treuhaft, director of security product marketing at Netscape Communications said in a statement. "We hope to see other CAs follow Verisign's lead."
VeriSign believes other certification authorities, when they begin operations, will need to publish their own certification practice statements, as VeriSign has done. The company says it will license part or all of its procedures to others.
The company also wants to submit its practices document to an appropriate standards body so a neutral party can set minimum standards.
The document, formally introduced today, is not the final draft; VeriSign has already posted a proposed 1.1 version that is to take effect August 22.