April 2, 2001
Josephine Scarlett
Office of the Chief Counsel
National Telecommunications and Information Administration
Room 4713 HCHB, 1401 Constitution Ave., NW
Washington, DC 20230
Re: Docket No. 010222048-1048-01; Request for comments on Section 105(a) of the Electronic Signatures in Global and National Commerce Act
Register.com welcomes the opportunity to respond to the National Telecommunications and Information Administration’s request for comments on section 105(a) of the Electronic Signatures in Global and National Commerce Act. Register.com is an ICANN accredited registrar and provider of online products and services, including digital certificates, one of the leading technologies for providing identity verification online.
The creation of the Electronic Signatures in Global and National Commerce Act (ESIGN) was a positive step toward using technology to advance efficiency and economic growth. By establishing the validity of electronic signatures and contracts, Congress has created a legal framework that encourages the use of existing, reliable methods of electronic mail and document transfer systems, providing inexpensive and rapid communication.
Section 105(a) addresses the effectiveness of delivery of electronic records to consumers using electronic mail, as compared with the delivery of written records via the United States Postal Service and private express mail services. The effectiveness of any electronic delivery system depends upon its ability to maintain confidentiality, ensure data integrity, verify identity, and offer an easily deployable standardized system for communication. A hierarchical electronic verification system, such as a public key infrastructure (PKI), not only offers all of these elements of security and efficiency, it creates a framework for electronic document delivery and storage that meets or exceeds the dependability of traditional forms of delivery.
Register.com is one of the leading domain name registrars on the Internet, having registered over 3 million domain names since June 1999. Last year, in its effort to develop tools and services that complement domain names, register.com joined forces with Baltimore Technologies, a leading security technologies provider, to jointly offer digital certificates to Internet users.
Although digital certificates are not yet a widely used consumer product, this public key technology is increasingly recognized as an intrinsic element in e-commerce and other online transactions. Digital certificates are used in the establishment of Secure Sockets Layer (SSL) connections, which enable e-commerce transactions involving credit card payments or other private information; Secure/Multipurpose Internet Mail Extensions (S/MIME), which permit secure transfer via email of confidential information (such as legal, medical, or insurance data); and virtual private networks (VPNs), which provide the foundation for employee intranets and supplier/partner extranets.
RegistryPro – the domain for professionals
Register.com is also an equity partner in a new company, RegistryPro, the registry that was selected by ICANN to operate the .pro TLD[1]. Marketed toward professionals, such as accountants, doctors, and lawyers, RegistryPro will provide a verification process designed to ensure the qualifications of .pro domain holders. In order to enhance the utility of the .pro domain name, RegistryPro will offer security services, such as secure e-mail and digital signatures. This will help prepare registrants to comply with regulatory frameworks, such as HIPAA, that call for privacy protections for patients’ computerized medical records, and facilitate the increasing electronic communication of financial information (e.g., online tax filing).
PKI and ESIGN
Almost all digital security services in use on the Internet employ a type of encryption called public key cryptography. This technology allows for two users to exchange information securely even if they have not had the opportunity to exchange a secret password prior to their communication. Public key cryptography enables both encryption, which scrambles information to prevent eavesdroppers, and authentication, which allows a recipient to verify that the contents of a message are valid and originate from a trusted source. Public key cryptography also ensures that the data inside the message is the same as it was when it was created. These systems rely on the distribution of public keys, pieces of information generated by each party prior to a secure exchange of information. In order for a successful communication path to be created, both parties must have access to the other’s public key and have a mechanism to ensure that the key is valid and is associated with the intended party.
To facilitate the distribution and validation of public key information, digital certificates were created. A digital certificate contains information about an individual or organization, including its public key. This information is digitally signed by a trusted third party, known as a Certification Authority (CA). The CA verifies the information contained within the digital certificate, and its signature allows both sides of an exchange to check the validity of the public key contained within the certificate. To date, the most common use of digital certificates on the Internet has been for e-commerce websites.
Although many consumers make use of this technology without realizing it, it is desirable to continue to offer customers a choice of delivery mechanisms, both electronic and traditional, until all customers are familiar with and have access to electronic security and delivery methods. Nevertheless, the products currently on the market have evolved sufficiently to give consumers and businesses the level of security and variety of choices needed for the transition to secure electronic communications.
The use of a public key infrastructure associated with domain names will further aid this transition. Many Internet users associate their online identity with either their email or website address. A PKI that mirrors the domain name system (DNS) allows consumers to continue using a system that they know, understand and trust. Furthermore, because domain names are already widely used as an identifier within digital certificates and other forms of public key technology, the continued linkage of the two will allow the Internet community to build on prior experience.
PKI as Compared to Other Electronic Security Systems
In our experience at register.com, public key cryptography systems offer the best combination of security and consumer-friendliness, in addition to being one of the most ubiquitous security technologies on the Internet. We have worked with password-based systems, but have found that passwords create the risk of being discovered by a third party or forgotten by the user. We also have experience with biometrics, which we use, among other security checks, in the protection of our technical infrastructure. However, this technology is occasionally unreliable and does not provide for a clear way to communicate in a well-deployed, standard format across the Internet.
While we think these experiences will help guide the market to select a secure, easily manageable framework, such as PKI, ESIGN does not allow government selection of the technology used in the implementation of the Act. In this way, ESIGN allows existing standards-setting bodies, such as the Internet Engineering Task Force (IETF), to continue their work independently and allow the market to determine technology.
[1] A TLD is a domain name address, such as .com, .net, and .org. ICANN selected seven new generic TLDs: .pro, .info, .biz, .name, .aero, .museum, and .coop.