April 2, 2001
Office of the Chief Counsel
National Telecommunications and Information Administration
Room 4713 HCHB, 1401 Constitution Ave., NW
Washington, DC 20230
Re: Docket No. 010222048-1048-01; Request for comments on Section 105(a) of the Electronic Signatures in Global and National Commerce Act
Register.com welcomes the opportunity to respond to the National Telecommunications and Information Administration's request for comments on section 105(a) of the Electronic Signatures in Global and National Commerce Act. Register.com is an ICANN-accredited registrar and provider of online products and services, including digital certificates, one of the leading technologies for providing identity verification online.
The creation of the Electronic Signatures in Global and National Commerce Act (ESIGN) was a positive step toward using technology to advance efficiency and economic growth. By establishing the validity of electronic signatures and contracts, Congress has created a legal framework that encourages the use of existing, reliable methods of electronic mail and document transfer systems, providing inexpensive and rapid communication.
Section 105(a) addresses the effectiveness of delivery of electronic records to consumers using electronic mail, as compared with the delivery of written records via the United States Postal Service and private express mail services. The effectiveness of any electronic delivery system depends upon its ability to maintain confidentiality, ensure data integrity, verify identity, and offer an easily deployable standardized system for communication. A hierarchical electronic verification system, such as a public key infrastructure (PKI), not only offers all of these elements of security and efficiency, it also creates a framework for electronic document delivery and storage that meets or exceeds the dependability of traditional forms of delivery.
Register.com is one of the leading domain name registrars on the Internet, having registered over 3 million domain names since June 1999. Last year, in its effort to develop tools and services that complement domain names, register.com joined forces with Baltimore Technologies, a leading security technologies provider, to jointly offer digital certificates to Internet users.
Although digital certificates are not yet a widely used consumer product, this public key technology is increasingly recognized as an intrinsic element in e-commerce and other online transactions. Digital certificates are used in the establishment of Secure Sockets Layer (SSL) connections, which enable e-commerce transactions involving credit card payments or other private information; Secure Multi-Purpose Internet Mail Extensions (S/MIME), which permit secure transfer via email of confidential information (such as legal, medical, or insurance data); and virtual private networks (VPN), which provide the foundation for employee intranets and supplier/partner extranets.
RegistryPro - the domain for professionals
Register.com is also an equity partner in a new company, RegistryPro, the registry that was selected by ICANN to operate the .pro TLD. Marketed toward professionals, such as accountants, doctors, and lawyers, RegistryPro will provide a verification process designed to ensure the qualifications of .pro domain holders. In order to enhance the utility of the .pro domain name, RegistryPro will offer security services, such as secure e-mail and digital signatures. This will help prepare registrants to comply with regulatory frameworks, such as HIPAA, that call for privacy protections for patients' computerized medical records, and facilitate the increasing electronic communication of financial information (e.g. online tax filing).
PKI and ESIGN
Almost all digital security services in use on the Internet employ a type of encryption called public key cryptography. This technology allows two users to exchange information securely even if they have not had the opportunity to exchange a secret password prior to their communication. Public key cryptography enables both encryption, which scrambles information to prevent eavesdropping, and authentication, which allows a recipient to verify that the contents of a message are valid and originate from a trusted source. Public key cryptography also ensures that the data inside the message is the same as it was when it was created. These systems rely on the distribution of public keys, pieces of information generated by each party prior to a secure exchange of information. In order for a successful communication path to be created, both parties must have access to the other's public key and have a mechanism to ensure that the key is valid and is associated with the intended party.
To facilitate the distribution and validation of public key information, digital certificates were created. A digital certificate contains information about an individual or organization, including its public key. This information is digitally signed by a trusted third party, known as a Certification Authority (CA). The CA verifies the information contained within the digital certificate, and its signature allows both sides of an exchange to check the validity of the public key contained within the certificate. To date, the most common use of digital certificates on the Internet has been for e-commerce websites.
Although many consumers make use of this technology without realizing it, it is desirable to continue to offer customers a choice of delivery mechanisms, both electronic and traditional, until all customers are familiar with and have access to electronic security and delivery methods. Nevertheless, the products currently on the market have evolved sufficiently to give consumers and businesses the level of security and variety of choices needed for the transition to secure electronic communications.
The use of a public key infrastructure associated with domain names will further aid this transition. Many Internet users associate their online identity with either their email or website address. A PKI that mirrors the domain name system (DNS) allows consumers to continue using a system that they know, understand and trust. Furthermore, because domain names are already widely used as an identifier within digital certificates and other forms of public key technology, the continued linkage of the two will allow the Internet community to build on prior experience.
PKI as Compared to Other Electronic Security Systems
In our experience at register.com, public key cryptography systems offer the best combination of security and consumer-friendliness, in addition to being one of the most ubiquitous security technologies on the Internet. We have worked with password-based systems, but have found that passwords create the risk of being discovered by a third party or forgotten by the user. We also have experience with biometrics, which we use, among other security checks, in the protection of our technical infrastructure. However, this technology is occasionally unreliable and does not provide a clear way to communicate in a well-deployed, standard format across the Internet.
While we think these experiences will help guide the market to select a secure, easily manageable framework, such as PKI, ESIGN does not allow government selection of the technology used in the implementation of the Act. In this way, ESIGN allows existing standards-setting bodies, such as the Internet Engineering Task Force (IETF), to continue their work independently and allows the market to determine technology.
A TLD is a domain name address, such as .com, .net, and .org. ICANN selected seven new generic TLDs: .pro, .info, .biz, .name, .aero, .museum, and .coop.