Mobile Signature Service

Background

People are increasingly making use of Web self-services in their daily lives. This involves interactions between parties who have never previously met (or don’t even reside in the same country), and for whom no pre-established relationship exists. Accordingly, new kinds of networks provide new ways to do business and to enable remote subscription and access to new services.

Today practically all people possess a device which contains a smartcard and which itself is effectively a personal smart card reader – their mobile phone. The mobile phone represents the natural choice for implementation of a socially-inclusive authentication or electronic signature solution for the majority of citizens.

Electronic signatures created in the mobile phone have become known as Mobile Signatures. So far only a small number of these have been implemented commercially, and none have yet been extended to mass-market scale. Interoperability issues have become a restrictive factor, requiring standardization and open standard interfaces in order to avoid walled gardens. Therefore, experienced persons [MCOMM] have defined the Mobile Signature Service as follows:

Mobile Signature is a universal method, which provides a consistent end user experience, the largest interactive community for mobile users and application providers, an architecture promoting interoperability, lowest deployment costs, and the lowest transaction costs.

Base Elements of a Mobile Signature

Mobile signature is applicable to all kinds of applications, not just those which can be accessed through mobile devices or the Internet. Its use is appropriate for applications that require a user’s consent to proceed with the completion of a transaction. The mobile device may be considered as a signing-tool – the electronic equivalent of a pen.

In a mobile phone, signature creation is achieved using a smartcard, such as the subscriber identity module (i.e. USIM/SIM) inside the mobile phone and the Universal Integrated Circuit Card (UICC) that has been adopted for 3rd generation mobile devices. The use of UICC smartcards in the mobile operator business model fits with the mobile operator’s role as a Smartcard Issuer.

PKI [PKIX] technology makes use of asymmetric cryptography to create a binding between two distinct elements: an asymmetric public key and a user’s Distinguished Name (or corresponding identity). The important elements of using PKI technology are that 1) the mobile user’s private key is never disclosed, and 2) the binding represented by a certificate can be openly shared with applications.

Applications should be able to trust the certificate. This trust feature is called Level of Assurance (LoA). LoA is achieved by creating a registration process which verifies the mobile user’s identity and keys before it requests a certificate. These elements are managed by entities known as Registration and Certification Authorities, respectively.

In order to use Mobile Signature, three elements are needed: Applications, a Mobile Phone with a Secure Element in a Mobile Network, and a trusted registration process for certificates.

PKI for Assurance, Scalability and Applications

You cannot do any business without some level of trust, i.e. you can always define what the required assurance level is for doing business. Various authentication methods provide you with various technologies that can give you an indication of the assurance. PKI is the only technology which has been doing it for decades – your Web browser does it every day.

When a user registers a certificate, the registration authority can only request certificates of a specific assurance level. Another key feature in PKI is that at any time a mobile user can disable his/her certificate, i.e. revoke the certificate. The user can request revocation from any trusted partner in various ways without direct access to some specific resource. This is one critical part of identity assurance.

PKI does not require centralized online services for authentication. Therefore it provides you with an unlimited number of clients and real scalability. Wireless PKI also has an extra benefit: the mobile operator can prevent access to the UICC card whenever the user requests. Few access tokens offer a 24/7 service for disabling them.

Today PKI is everywhere – banking cards, cars, Internet browsers, e-mail, and so on, in all kinds of machines. In the real world there are no applications which could not exploit PKI technology. Multiple applications mean cost-efficient infrastructure for all parties in the ecosystem. Mobile Signature Service brings the cost efficiency and assurance of PKI technology to all applications.

Authentication of new users poses a new challenge: businesses need to know the level of assurance. Certificates in PKI are the perfect tool for providing assurance for authentication.

Universal Method

The statement “Mobile Signature Service is a universal method” poses particular requirements. It means that a mobile user can use mobile authentication in the same way he/she accesses Internet services. A mobile user does not need to know in which country the service is, the service language may be different than the mobile user’s preferred language, and required/available assurance levels may vary.

Mobile Signature Service has capabilities to tackle all these problems. It provides additional service elements that can be used to make transactions between entities in different countries. Additionally, you need only service implementation guidelines on how these elements must be interpreted. The first country where domestic guidelines have been defined and implemented between mobile operators is Finland [FiCom].

Mobile Signature Service Model

The Mobile Signature Service Model defines roles and interconnections between parties.