COSACC Services
The partners in the COSACC project, i.e. chambers of commerce and technical system providers, have set up different interoperability models for Public Key Infrastructures (PKIs). The models are:
(b) Trust Transitivity Service (TT Service): A service that enables the customer to check the trustworthiness of any certification authority (CA) by relying only on the root certificate of the customer's own CA. That CA has established cross-certification relationships with other trusted CAs through the certificate of the TT Service. Thus the customers of participating CAs can check the validity of received certificates just by relying on their own CA.
(c) Trust Referral directory service: The goal of this directory service is the same as above. It displays the mutually trusted CAs (i.e. their root key certificates) in a secure directory.
In addition the COSACC partners have developed:
(d) Digital Seal Service: This service has been developed to give users confidence that the site they have visited meets certain security and quality standards. Participating sites are accredited by a COSACC community member according to predefined quality and security criteria. Sites meeting these criteria carry a digital seal on their web pages confirming that they have been successfully accredited. As a result, satisfied users may demand in future transactions that other chambers of commerce be COSACC accredited.
(e) Time Stamping Service: This service has been developed to provide COSACC users with a verification service that proves the time and date a certain document existed. When this document is transmitted a special token can always prove the time it was 'timestamped'.
All these models imply a trust model based on established partnerships between the participating CAs. This partnership may consist of contractual agreements or may depend on publicly available information, e.g. business registers. We have enhanced the COSACC results by combining them with the results of a former EU project, EDIRA.
Reference to the EU-TEDIS project EDIRA
In 1994/95 the Zurich chamber of commerce participated in the EDIRA project. EDIRA stands for EDI Registration Authority. The scope was to set up an umbrella for numerical schemes that identify companies, i.e. partners in EDI relationships. Thus an EDI partner could acquire a worldwide unique numerical identifier to be used in EDI envelopes. But this unique identifier can also be applied in a much broader area. The intention is to use these numerical identifiers in public key certificates issued by COSACC related services. Our vision is:
- Business-to-business electronic commerce will be dominated by software agents
- Software agents will search centralized indexes to locate distributed information
- Products and services will be coded to a global commodity classification standard
- Businesses, products and locations will be identified through globally unique identifiers
Applications can use these identifiers when processing certificates within e-commerce applications. Automated e-commerce between business-to-business (B2B) partners will need such numerical codes. They will be used by electronic agents. Such numerical codes may also refer to products, postal addresses, and web site contents. The E-Commerce Code Management Association (ECCMA) manages such codes and is setting up a directory service that allows the identity of participants to be checked reliably. See http://www.edira.org and http://www.eccma.org. EDIRA has concluded a strategic alliance with ECCMA.
Implementation with EDIRA code numbers
Such a unique identifier of an organization is actually an Object Identifier (OID), which identifies any object unambiguously. OIDs are specified in ISO 8824. The object can be an organization which is registered by a registration authority like a business register, a chamber of commerce or the Dun & Bradstreet company (see http://www.dnb.com). The third arc in the OID 1 (ISO) 3 (identified organizations) nnnn is a 4 digit number which is allocated to an organization that registers identification schemes according to ISO 6523. E.g. the OID of Dun & Bradstreet is 1 3 0060. These 4 digit numbers, the ICD values, are allocated by the British Standards Institute BSI on request of a so-called Sponsoring Authority. The EDIRA association is a sponsoring authority acknowledged by BSI. E.g. the unique identifier of the company 'Dr. Otto Müller Consulting' registered with Dun & Bradstreet is 1 3 0060 481453301. The fourth arc '481453301' was allocated by Dun & Bradstreet. In another scheme, e.g. the Value Added Tax number scheme, the same company was allocated the number '348 557'. On the Dun & Bradstreet website 'http://www.dbswiss.ch' the allocated number '481453301' can be verified. The answer is 'Dr. Otto Müller Consulting' with its business attributes.
By using the ICD values and the code values a very powerful authentication system can be set up. It is a two-level directory service in which the ICD value alone is enough to find the second-level registration service. In the second-level directory service the actual identifier value is entered and the credentials of the owner of the identifier are displayed.
Applications of EDIRA code numbers
Such identifiers of organizations, specified with a qualifier number (ICD value) and the specific number, can easily be implemented in any e-business related document like an XML document, an EDIFACT message or an X.509 v3 public key certificate. The necessary syntax already exists. EDIRA supports the semantics for unambiguous identification of organizations. The implementation of such numbers in X.509 v3 public key certificates facilitates the registration service for certificates of corporate identities.
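The two-level lookup and the use of the identifier as an OID described above, as an added example that is not part of the original text or of any COSACC or EDIRA software: it splits '1 3 0060 481453301' into ICD and code, resolves it through two directories, and produces the DER OBJECT IDENTIFIER bytes that a certificate would carry. The function names and the in-memory directories are assumptions made for illustration; only the Dun & Bradstreet ICD and the one company entry come from the text, and the certificate field that would hold the OID is not stated there.

```python
import re

# Constructed stand-ins for the two directory levels; only the D&B ICD and
# the company entry come from the text.
ICD_DIRECTORY = {"0060": "Dun & Bradstreet"}  # level 1: ICD -> registrar
REGISTRARS = {"Dun & Bradstreet": {"481453301": "Dr. Otto Müller Consulting"}}

_ID_RE = re.compile(r"^1[ .]3[ .]([0-9]{4})[ .]([0-9]+)$")


def parse_identifier(text):
    """Split '1 3 nnnn code' into (ICD, code); reject anything else."""
    m = _ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an ISO identified-organization id: {text!r}")
    return m.group(1), m.group(2)


def resolve(text):
    """Two-level lookup: the ICD selects the registrar, the code the owner."""
    icd, code = parse_identifier(text)
    registrar = ICD_DIRECTORY.get(icd)
    if registrar is None:
        raise LookupError(f"unknown ICD {icd}")
    owner = REGISTRARS[registrar].get(code)
    if owner is None:
        raise LookupError(f"{registrar} has no entry {code}")
    return registrar, owner


def _base128(n):
    """Encode one OID arc: 7 bits per byte, high bit set on all but the last."""
    out = [n & 0x7F]
    while n > 0x7F:
        n >>= 7
        out.append(0x80 | (n & 0x7F))
    return bytes(reversed(out))


def der_oid(text):
    """DER OBJECT IDENTIFIER for the identifier. OID arcs are integers, so
    the zero-padded ICD '0060' is encoded as 60; a consumer must pad it back
    to 4 digits before using it as a directory key."""
    icd, code = parse_identifier(text)
    body = bytes([40 * 1 + 3]) + _base128(int(icd)) + _base128(int(code))
    if len(body) > 127:
        raise ValueError("long-form DER length not handled in this example")
    return bytes([0x06, len(body)]) + body
```

The leading zeros of the ICD (and of any code value that has them) do not survive the OID encoding, so a relying party that compares identifiers as strings has to normalize them first.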
Conclusion
We believe that by using such identification processes of established services like business registers, rating companies like Dun & Bradstreet or professional organizations like chambers of commerce, the so-called 'new economy' and the 'old economy' can be merged. Thus the goal of the COSACC project, CO-ORDINATION OF SECURITY ACTIVITIES BETWEEN CHAMBERS OF COMMERCE, can be enhanced by using EDIRA identifiers in X.509 v3 certificates issued by COSACC members.