Written by Yeajin Shim
We have all bought things online at least once. The public key certificate is one of the payment methods used when purchasing goods online. It can be thought of as a cyber ID that verifies one's identity. It is widely used in electronic financial transactions, including online banking, securities exchange and so on. By dictionary definition, the public key certificate is electronic information issued by a Certificate Authority (CA); in Korea only five institutions are permitted to act as one: Korea Financial Telecommunications and Clearings Institute, Koscom, Korea Information & Communication Co., CROSSCERT, and Korea Information Certificate Authority, Incorporated (KICA). It was first introduced in 1999, and since then virtually all of the economically active population has come to use it.
Over its fourteen-year history, it has become an enormous part of Korea's infrastructure for electronic transactions. Though it has contributed a lot to the development of Korea's online commerce, it has revealed limitations serious enough that some have demanded its abolition. It is now one of the major issues in the financial sector, because the abolition of the public key certificate has been officially proposed to the National Assembly. There is an intense conflict between those who support the system and those who don't. The following are the two key grounds from each side of the argument. Let's first look at the side in favor of abolition.
Firstly, the public key certificate is a cyber security weakness, since it is stored in the NPKI folder and relies on the ActiveX platform. I bet we all have an NPKI folder on our computers, which makes it easy for hackers to find and steal our cyber ID. Moreover, the public key certificate system is based on the ActiveX platform, whose structure is vulnerable to malicious code when code is downloaded from an outside source.
Secondly, the public key certificate is not supported across multiple browsers. When it was introduced in 1999, it was aimed mainly at citizens who used Microsoft Internet Explorer. Other web browsers, such as Google's Chrome, do not support ActiveX, which is very inconvenient in an era of multiple browsers. As other web browsers gain momentum, people have to browse in another browser and then use Internet Explorer for the payment. It's a waste of time.
On the other hand, there are opponents of abolishing the public key certificate. Firstly, they argue that keeping it a "public" key certificate protects the certificate industry. Otherwise, various private certificates will be authorized, which will inconvenience customers and cause confusion. It means that we will have to use a different certificate issued by each website. That will strengthen online security, but it will also increase user inconvenience. Moreover, if a private certificate system is authorized, small and medium-sized firms will have difficulty developing one on their own because of their relatively weak capital and capability.
Secondly, no replacement technology has been developed yet. In May 2010, the Office for Government Policy Coordination announced that if five conditions are met, it will authorize other security technologies, without requiring the public key certificate. The five conditions were identification of the user, server identification, communication channel encryption, prevention of forgery and alteration of transaction information, and prevention of transaction denial. But it is surprising that, in a country with such strong IT capability, a replacement technology still hasn't been developed in the last three years. Therefore, technical improvement must come first, rather than abolishing the certificate without a plan B.
Recently, the FSC requested the Financial Security Agency to probe the overall electronic finance certificate system. The FSC is examining cases from other countries in order to address the security problems inherent in the public key certificate. It is looking for the most efficient method from scratch, regardless of the current system. Since the issue is so complicated, the FSC and the government haven't decided anything yet. It will be interesting to see how the certificate system changes in the end.