Notary Public for the Internet
14/12/2011
Carlos Martinez, the engineer responsible for research and development at LACNIC, has been summoned by the Uruguayan Agency for Electronic Government and the Information Society to be part of the select group of experts who will act as notaries public for the electronic proceedings and Internet websites certified in that country.
Carlos has vast experience in electronic certification, as he is already part of a similar group created at the global level to try to guarantee the secure operation of the Internet and avoid various types of abuse and attacks against both users and network infrastructure.
What is your role in the Uruguayan certification authority? Who appointed you to fulfill that role?
The role of the certification authority (CA) is to serve as trust anchor for the entire electronic certification system. This means that the CA is the ultimate trusted party, the entity trusted by all others and against which trust chains are built.
The process of starting up a CA implies generating what is known as cryptographic material, which consists of a set of electronic data that must be created under strict security measures as the public’s trust in the CA depends on this process. In order for those who operate the CA to prove their impartiality, it is customary to invite various representatives to participate in this start-up process.
In the case of the Uruguayan CA, AGESIC chose this particular model and invited government representatives, members of academia, private sector and civil society representatives. In my case, I was invited as a representative of civil society, which somehow reflects LACNIC’s role in the region in general and in Uruguay in particular.
Although all invitations were personal, AGESIC evaluated each person’s professional ties to make sure that the desired diversity was achieved.
Could it be said that you are the notaries public of the Internet in Uruguay?
In some sense, the certification authority is the “notary public” in whom society places its trust. Other countries use the term “electronic notary”.
The role of the custodians of the key is not so much to act as notaries public but to guarantee trust in the entire system.
What is the goal behind the creation of a certification authority for the Uruguayan electronic government system?
An electronic signature is an enabling technology. This means that its value lies not so much in itself but in the business it enables.
An electronic signature mechanism can generate a favorable environment for the development of e-government services such as access to personal documentation, motor vehicle records, or real estate purchase and sale transactions without having to physically appear at an office, with all the advantages that this implies for those who, for example, are located far from Montevideo.
E-commerce could also benefit from this type of infrastructure, as, for example, lawyers could start filing their briefs in a fully electronic manner or accounting firms could file their clients' tax returns electronically.
How does electronic certification work in Uruguay? What electronic certification mechanisms are there in your country? Are they 100% reliable?
Historically, the Postal Service operated a certification authority, the use of which was generally limited to providing website security. There have been some other interesting experiences, such as that of the Supreme Court which started to issue certificates to lawyers so that they could send encrypted, digitally signed emails. However, although these experiences were extremely interesting, their very nature meant that they were not general in scope.
Now AGESIC’s certification authority is creating an environment where all CAs that wish to do so can have a single trust anchor.
As to their reliability, it can be said that they are 100% reliable.
Regarding your participation in the group of experts on domain name certification at global level, what is website certification used for?
Domain name certification, or DNSSEC as the technology is known, allows introducing electronic signatures within the domain names that we normally use, such as www.google.com or www.lacnic.net.
Users who query the domain name system can verify the validity of the answers they receive. This is critically important to guarantee the secure operation of the Internet, as it allows avoiding different types of abuse and attacks against both users and network infrastructure.
Which organizations can certify Internet sites?
Each domain must be signed by its operator. However, in order for that signature to be useful it must be possible to build trust chains all the way up to the system’s root.
To do so, intermediate domains (.com, .net, .org) and the root itself must be properly signed. The root was signed in July 2010; generic domains such as .com, .net and .org were signed during the second half of 2010 and early 2011. In the case of country code top level domains (for example, uy, ar, br, fr, de), DNSSEC deployment status is not as consistent, as deployment levels in Europe are significant but much lower in our region (for the time being, only br, cl and co have DNSSEC in production).
Is website certification an expensive service?
Signing DNS zones does not need to be expensive in terms of infrastructure, especially in the case of small zones or domains. It is important for parent zones to offer DNSSEC services, and what we are currently seeing is that those who are providing the service are not requiring additional fees.
Do users have greater trust in certified websites?
It is important to educate users so that they will use every security tool at their disposal, such as making sure that important communications are encrypted (for example, e-commerce transactions) as well as trying to make sure that each domain is properly signed with DNSSEC.
As DNSSEC deployment evolves, it is expected that users will begin to demand this technology on sensitive sites. However, it must be noted that each person who operates a website or Internet service must guarantee the security and integrity of the service.
What organizations or companies should be the most certified?
Those that transmit or process information that is sensitive in any way.