After four years in the planning, the post office has unveiled Trust Centre, a digital authentication service that provides reassurance of legitimacy in digital transactions and communications.
Trust Centre serves as a certificate authority (CA) that issues digital certificates and holds the public key infrastructure (PKI) that provides user authentication and ensures trust, and legal status, in electronic transactions and communications.
A digital certificate is a secure way for computers or users to prove to others that they are who they say they are. Certificates allow a CA, which acts as a neutral third party, to vouch for the identity of the computer by using their own digital certificate to sign the certificate of the computer making the request.
Entities like Trust Centre act as digital passport issuers. In the same way that a passport is recognised by foreign authorities — because it has various security measures that denote its authenticity and the issuer is trusted — digital certificates contain security features that allow them to be authenticated by trusted third-party CAs.
PKI, meanwhile, works by assigning a pair of keys — one public and one private — to a computer or user. The keys are a string of letters and numbers created by running an algorithm against a certificate.
These digital keys allow for confirmation that requests are legitimate. PKI creates, stores and distributes digital certificates. These certificates are used to verify that a particular public key belongs to a specific entity.
Post office CEO Christopher Hlekane says the Trust Centre is the “latest in a number of developments aimed at positioning the South African post office for the future — both from a technology perspective and in terms of delivering more relevant, customer-focused solutions”.
Hlekane says digital capabilities are now “a prerequisite rather than a luxury” for local businesses and it is important to “create a digital environment that has trust and a clear legal status and where customers have the comfort of knowing that their communications and transactions are secure”.
Hlekane says the Trust Centre also offers secure sockets layer, or SSL, certificates, which provide authentication of servers and websites.
The Trust Centre is housed in a “secure perimeter with eight levels of encryption security”, Hlekane adds. “The control of each [level] lies with a number of reputable and independent people and organisations, including government, audit houses and private companies.”
Using its PKI, the Trust Centre will authenticate users, ensuring they are who they claim to be; validate the transaction to ensure non-repudiation; protect messages from tampering; encrypt messages to protect the message from unauthorised access; and digitally sign transactions and communications to authenticate code, data messages and documents.
Charl van der Walt, MD of information security specialist SensePost, says it’s important for government to put a system and infrastructure in place through which people can be identified and their identity confirmed.
He says it also seems appropriate that the post office has been tasked with the job. “The post office has existing branch infrastructure, which is important because there you can present yourself, and your documents, and validate your identity.”
In terms of infrastructure, procedures and other requirements for creating a CA, Van der Walt says there are a “broad set of global technical standards that have to be complied with” in addition to the requirements set out in the Electronic Communications and Transactions Act.
“What I think is maybe a bit concerning is that while we’re finally getting on the wagon in establishing a centre like this, many of the applications of this kind of technology have fallen into disrepute,” Van der Walt says.
“What’s also interesting is, if government can issue certificates a Web browser inherently trusts, that requires a paradigm in which people inherently trust the government.”
Van der Walt gives the example of a Google service in somewhere like Syria. “You want to interact with Google and trust the identity of the site purporting to be Google, not necessarily a site that the government says is Google. Some governments have allegedly been issuing certificates to authenticate fake sites.”
He says a system like this works, and it’s appropriate government plays this role, “if the relationship between citizens and government is healthy”.
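An added example, not part of the original article: the Go sketch below issues certificates from two constructed CAs to show both points made above, that a certificate is accepted only when it chains to a CA in the relying party's trust store, and that every CA placed in that store can vouch for any site name. The CA names, `shop.example`, and the helpers `issue` and `trusted` are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a leaf certificate for name signed by parent, or a self-signed root CA if parent is nil.
func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: []string{name}, BasicConstraintsValid: true,
	}
	if parent == nil { // no issuer given: this certificate is a root CA that signs itself
		tmpl.IsCA, tmpl.KeyUsage, tmpl.DNSNames = true, x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trusted reports whether leaf chains to one of the given trust-store roots for host.
func trusted(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	// Constructed sample CAs and host name; none of these come from the article.
	caA, keyA := issue("Constructed CA A", nil, nil)
	caB, keyB := issue("Constructed CA B", nil, nil)
	leafA, _ := issue("shop.example", caA, keyA)
	leafB, _ := issue("shop.example", caB, keyB)
	fmt.Println(trusted(leafA, "shop.example", caA), trusted(leafB, "shop.example", caA),
		trusted(leafB, "shop.example", caA, caB))
}
```

The last check is the one that matters for a trust store: once CA B is added as a root, its certificate for `shop.example` validates exactly like the one issued by CA A.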
“Fundamentally, this is a good and appropriate move for government, but there are three issues peeking over the horizon.”
The first is questioning whether SSL is still a reputable and appropriate technology. The second is asking whether citizens trust government. As demonstrated in recent weeks with the revelations about mass electronic surveillance by the National Security Agency in the US, Van der Walt says this relationship “can be tenuous”.
Finally, there’s the question of appropriate skills. Van der Walt says it’s important to ask whether the government departments and subcontractors mandated to look after this infrastructure are suitably equipped to do so.
Some CAs have been hacked and, because of the power they afford the wielder, they remain attractive targets.
“The entity mustn’t just be trusted, but be capable of protecting that trust,” he says. “That’s not a simple thing to do. Reputable CAs have been compromised in places like Holland and the US. There’s a big burden on government to maintain that trust.” — (c) 2013 NewsCentral Media