Title:
Secure electronic commerce : building the infrastructure for digital signatures and encryption
Personal Author:
Edition:
2nd ed.
Publication Information:
Upper Saddle River, N.J. : Prentice Hall, 2001
ISBN:
9780130272768
Added Author:
Available:*
Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status |
|---|---|---|---|---|---|
Searching... | 30000004531764 | QA76.9.A25 F67 2001 | Open Access Book | Book | Searching... |
Searching... | 30000005167725 | QA76.9.A25 F67 2001 | Open Access Book | Book | Searching... |
On Order
Summary
Summary
Co-authored by the leading e-commerce security specialist and a leading legal specialist in e-commerce, this book offers a complete blueprint showing companies how to implement state-of-the-art e-commerce while minimizing all the security risks involved. This new edition has been completely updated to reflect today's latest developments in digital signatures, public-key infrastructure, EDI technical standards, certification, and authentication. The book begins by introducing the underlying technologies and inherent risks of electronic commerce. It considers the role of computer networks, the Internet, EDI and email, and the challenges of ensuring that electronic transactions are resistant to fraud, traceable, and legally binding in all jurisdictions. From network security to cryptography and today's latest secure Web and messaging protocols, all of today's latest security technologies are explained in detail, from a business perspective, in language non-specialists can easily understand.
Author Notes
Warwick Ford, M.E., Ph.D., is Vice President for Strategic Technologies and Chief Technology Officer at VeriSign, Silicon Valley's premiere provider of identity, security, and payment services for e-commerce.
Michael Baum, J.D., M.B.A., CISSP, is Vice President for Practices and External Affairs at VeriSign.
Excerpts
Excerpts
Preface Our entry into the twenty-first century has been accompanied by the emergence of electronic commerce (e-commerce) as both an enabler and a component of business reengineering. E-commerce offers great rewards for all who embrace it. However, it also brings considerable risks for the unwary. While new technologies, with their complexities and explosive adoption rates, can be largely blamed for creating these new risks, new technologies also represent a large part of the solution, in managing and mitigating these risks. The latter technologies include, in particular, digital signatures and public-key cryptography. However, achieving secure electronic commerce requires much more than the mere application of such core technologies. It also depends upon interdependent technological, business, and legal infrastructures that are needed to enable the use of these core technologies on a large scale. Our goal in this book is to describe the ingredients and recipe for making e-commerce secure, with emphasis on the role, practical deployment, and use of these infrastructures. Why have an engineer and a lawyer teamed up to write this book? The answer is that secure e-commerce can only be achieved through a delicate interweaving of technological safeguards and legal controls. The most critical issues cannot be understood by studying either the technological or legal aspects in isolation. Therefore, an effective treatise on this subject must draw on both technological and legal expertise. This book is targeted at a broad audience, including business professionals, information technologists, and lawyersÑanyone who is concerned about the security of e-commerce. Readers are not expected to have substantive technological or legal backgrounds. To make this book valuable to businesspersons, consumers, bankers, product developers, service providers, legal counsel, policymakers, and students alike, we include introductory material to virtually all topics, with a view to bringing all readers up to a base knowledge threshold before addressing the more complex issues. Since the first edition was published, there has been enormous progress in the field of secure e-commerce. While the core technologies have not changed materially, there have been significant advances in software tools and packaging, standards, legislation globally, and experience in applying the technologies described in the first edition to real-world e-commerce. In the standards arena, for example, we have seen the completion and widespread adoption of the S/MIME secure messaging specifications, IPsec virtual private network specifications, and IETF PKIX specifications for public-key infrastructure. Notable legislative activities have included diverse national and state digital signature laws, and the U.S. Federal E-Sign Act. There has also been solid progress on the assessment and accreditation of secure e-commerce infrastructure components, such as certification authorities. These advances have occurred in conjunction with a massive increase in e-commerce deployment generally, in particular, the rapid emergence of business-to-business Internet commerce. Consequently, in this edition we have focused more on those aspects of the field that are proving most important in todayÕs marketplace and that require rigorous analysis to ensure successful deployment. We have written this book with an international audience in mind. However, the reader will observe, especially in our coverage of practices and legal issues, a predominance of coverage from the U.S. perspective. In general, we believe the problems faced globally are much the same as those faced in the United States, so we anticipate that our coverage of problems and progress in the United States will map meaningfully to developments in other nations. If we sometimes fall short in this respect, we apologize to our international colleagues. Excerpted from Secure Electronic Commerce: Building the Infrastructure for Digital Signatures and Encryption by Warwick Ford, Michael S. Baum All rights reserved by the original copyright owners. Excerpts are provided for display purposes only and may not be reproduced, reprinted or distributed without the written permission of the publisher.Table of Contents
| Forewords | p. xv |
| Preface | p. xxiii |
| Chapter 1 Introduction | p. 1 |
| 1.1 The Upside | p. 2 |
| 1.2 The Downside | p. 3 |
| 1.3 E-Commerce Compared with Paper-Based Commerce | p. 5 |
| 1.4 Making E-Commerce Secure | p. 6 |
| 1.5 Book Road Map | p. 8 |
| Chapter 2 The Internet | p. 11 |
| 2.1 Computer Networking | p. 11 |
| 2.2 Internet Applications | p. 16 |
| 2.3 The Internet Community | p. 19 |
| 2.4 Internet Commerce | p. 26 |
| 2.5 Example Transaction Scenarios | p. 30 |
| 2.6 Summary | p. 32 |
| Chapter 3 Business and Legal Principles | p. 39 |
| 3.1 The Electronic Commerce Transaction | p. 40 |
| 3.2 Creating a Binding Commitment | p. 41 |
| 3.3 Validity and Enforceability of Agreements | p. 44 |
| 3.4 Enforcement | p. 52 |
| 3.5 Other Legal Issues | p. 56 |
| 3.6 Dealing with Legal Uncertainties | p. 64 |
| 3.7 Two Business Models | p. 67 |
| 3.8 Business Controls in a Digital Environment | p. 69 |
| 3.9 Summary | p. 70 |
| Chapter 4 Information Security Technologies | p. 93 |
| 4.1 Information Security Fundamentals | p. 93 |
| 4.2 Introduction to Cryptography | p. 101 |
| 4.3 Digital Signatures | p. 109 |
| 4.4 Key Management | p. 114 |
| 4.5 Authentication | p. 120 |
| 4.6 System Trust | p. 132 |
| 4.7 Summary | p. 133 |
| Chapter 5 Internet Security | p. 141 |
| 5.1 Segmenting the Problem | p. 141 |
| 5.2 Firewalls | p. 146 |
| 5.3 IPsec and Virtual Private Networks | p. 147 |
| 5.4 Web Security with SSL/TLS | p. 152 |
| 5.5 Other Web Security Protocols | p. 157 |
| 5.6 Secure Messaging and S/MIME | p. 160 |
| 5.7 Other Messaging Security Protocols | p. 167 |
| 5.8 Secure Payments on the Internet | p. 168 |
| 5.9 Summary | p. 173 |
| Chapter 6 Certificates | p. 181 |
| 6.1 Introduction to Public-Key Certificates | p. 181 |
| 6.2 Public-Private Key-Pair Management | p. 187 |
| 6.3 Certificate Issuance | p. 191 |
| 6.4 Certificate Distribution | p. 196 |
| 6.5 X.509 Certificate Format | p. 198 |
| 6.6 Certificate Revocation | p. 216 |
| 6.7 X.509 Certificate Revocation List | p. 226 |
| 6.8 Key-Pair and Certificate Validity Periods | p. 235 |
| 6.9 Certificate Formats Other than X.509 | p. 238 |
| 6.10 Certification of Authorization Information | p. 238 |
| 6.11 Summary | p. 243 |
| Chapter 7 Public-Key Infrastructure | p. 251 |
| 7.1 PKI for the Typical E-Commerce Enterprise | p. 251 |
| 7.2 Certification Authority Structures: Traditional Models | p. 253 |
| 7.3 Certification Authority Structures: The Generalized Model | p. 259 |
| 7.4 Certificate Policies | p. 263 |
| 7.5 Name Constraints | p. 269 |
| 7.6 Certificate Management Protocols | p. 271 |
| 7.7 PGP's Web of Trust | p. 275 |
| 7.8 Some Multienterprise PKI Examples | p. 277 |
| 7.9 Pragmatics of PKI Interoperation and Community Building | p. 284 |
| 7.10 Summary | p. 285 |
| Chapter 8 Legislation, Regulation, and Guidelines | p. 289 |
| 8.1 General E-Commerce Legislation and Regulation | p. 290 |
| 8.2 Digital Signature Laws | p. 302 |
| 8.3 General E-Commerce Guidelines | p. 310 |
| 8.4 PKI-Related Standards and Guidelines | p. 311 |
| 8.5 Summary | p. 317 |
| Chapter 9 Non-repudiation | p. 333 |
| 9.1 Concept and Definition | p. 333 |
| 9.2 Types of Non-repudiation | p. 337 |
| 9.3 Activities and Roles | p. 342 |
| 9.4 Mechanisms for Non-repudiation of Origin | p. 346 |
| 9.5 Mechanisms for Non-repudiation of Delivery | p. 351 |
| 9.6 Trusted Third Parties | p. 353 |
| 9.7 Dispute Resolution | p. 361 |
| 9.8 Summary | p. 365 |
| Chapter 10 Certification Policies and Practices | p. 385 |
| 10.1 Concepts | p. 385 |
| 10.2 CP and CPS Topics: Introduction of a CP or CPS | p. 393 |
| 10.3 CP and CPS Topics: General Provisions | p. 395 |
| 10.4 CP and CPS Topics: Identification and Authentication | p. 404 |
| 10.5 CP and CPS Topics: Operational Requirements | p. 407 |
| 10.6 CP and CPS Topics: Physical, Procedural, and Personnel Security Controls | p. 414 |
| 10.7 CP and CPS Topics: Technical Security Controls | p. 416 |
| 10.8 CP and CPS Topics: Certificate and CRL Profiles | p. 418 |
| 10.9 CP and CPS Topics: Specification Administration | p. 419 |
| 10.10 Systematizing CP and CPS Development | p. 420 |
| 10.11 Summary | p. 421 |
| Chapter 11 Public-Key Infrastructure Assessment and Accreditation | p. 433 |
| 11.1 The Role of Assessment in Public-Key Infrastructure | p. 434 |
| 11.2 Evolution of Information System Assessment Criteria | p. 442 |
| 11.3 Noteworthy Assessment and Accreditation Schemes | p. 447 |
| 11.4 Rationalization of Assessment Schemes | p. 459 |
| 11.5 Summary | p. 460 |
| Appendix A Forms of Agreement | p. 471 |
| Appendix B The U.S. Federal E-Sign Act | p. 489 |
| Appendix C ASN.1 Notation | p. 503 |
| Appendix D X.509 in ASN.1 Notation | p. 511 |
| Appendix E United Nations Model Law on Electronic Commerce | p. 541 |
| Appendix F How to Obtain Referenced Documents | p. 551 |
| Appendix G Legacy Application Security Standards | p. 555 |
| Appendix H PKI Disclosure Statement | p. 561 |
| Appendix I Repudiation In Law | p. 563 |
| Appendix J Public-Key Cryptosystems | p. 569 |
| Appendix K European Signature Directive | p. 589 |
| Index | p. 595 |
