Last update: Tuesday, March 19, 2002 2:15 PM
Good points there, Stefan and Viet.

I think what's being attempted here is to provide a technical infrastructure for secure internet transactions. Of course such an infrastructure is a lot more complicated and necessarily linked with a legal infrastructure. It's a good start, although much more modest than what the press is describing.

To answer some questions: VASC does intend to provide certificates, not just the CA software, which by the way I doubt they develop themselves. To build a PKI (including a CA), the logistical issues are more complicated than just building the software. There is good "free" PKI software.

A good setup for Vietnam would be to have a national PKI infrastructure where a top-level CA run by some ministry-level entity, which may very well be VNPT & Ministry of Public Security, forms the root of the hierarchy. This infrastructure must have the backing of appropriate legislation that governs how a CA is run, what the values of the certificates issued are, etc. (the Certification Policy Statement (CPS) of a CA is the important factor). The top-level CA should then be recognised by the top-level CAs of other countries (by cross-certification of their own certificate) for cross-border interoperation. Perhaps eventually all popular browsers would have root certificates of all countries' top-level CAs embedded.

What VASC has done is practical to some extent in that they can have their own self-signed certificate as the root certificate. This certificate must be recognised as legitimate by all of their customers, including service providers such as banks, merchants, and end-users. For a user with a browser, this is equivalent to accepting that the self-signed certificate is valid and optionally installing it in the browser so that no validation is required next time. The scope of this validity is their own community of users only.

The payment software VASC announced I think is very much a demo prototype. I can see it's still using the demo certificate of BEA's WebLogic.
And until a bank is involved, and the necessary software link is built between the bank's system and VASC's so-called payment gateway, it's quite useless. I guess a strategic partnership with banks may be announced by VASC soon. Then a service by some merchant, possibly VNPT itself for phone bill payment, would follow. However, for a useful service to come into use, it'll take quite a while and much more than those over-hyped announcements, I think.

Regards,
Nam

Stefan Probst <stefan.probst@opticom.v-nam.net> wrote:

Hello Viet Tran,

I absolutely agree with you. My friend in Germany is working on such a solution, where companies with special IT security needs don't need to hire security companies etc. to protect their infrastructure. It works on multiple passwords and tokens to access the system, a double wall with penetration detectors around everything, every cable hole is specially secured etc. I never imagined.....
There are AFAIK even more issues. They must be able to certify the authenticity of the certificate holder. I am not sure how they handle this. It is quite easy to issue a certificate. The question is who certifies the issuer. If VASC doesn't get backing from somebody, then their certificate is quite useless. And the one who backs it will have a look at their infrastructure...

The article however does not say clearly, whether VASC will be the CA (which I doubt very much - I expect that to be a ministry), or they provide only some SW. Which is trivial. Every modern browser has such modules.....

Rgds.
Stefan
At 17:02 02.05.2002 +0700, Viet Tran wrote:

>It is a good initiative, but ...
>My understanding about setting up a CA authority is that the CA service provider
>must provide a foolproof, unbreakable, absolute-security infrastructure to
>prevent server and clients' CAs being forged over the Internet. The CA service
>provider site must be a multi-million dollar fortress (a CA authority in
>Australia spent 30 million AUD for their infrastructure before they were
>certified by the Aus government to provide such services to Aus. Post Office,
>and other corporations).
>Is this the case here? Any comments?
>
>Regards
>Viet Tran
>
>
>Vern Weitzel wrote:
> >
> > Subject: [WG-eCommerce] VASC launches new e-commerce products
> > From: Stefan Probst
> >
> > http://vietnamnews.vnagency.com.vn/2002-04/30/Stories/21.htm
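
The point made in this thread, that a self-signed root certificate is valid only for relying parties who choose to install it, shown with the openssl CLI as an added example that is not part of the original messages. The CA name and host name are constructed and do not refer to VASC's actual certificates.

```shell
#!/bin/sh
# Added illustration; subject names below are constructed, not VASC's.
set -eu

make_pki() {  # $1 = directory to write keys and certificates into
    # Self-signed root: it signs itself, so no third party vouches for it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Community Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    # Server key pair plus a signing request for the constructed host name.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    # The root issues the server certificate.
    openssl x509 -req -in "$1/server.csr" -days 30 -CA "$1/root.pem" \
        -CAkey "$1/root.key" -CAcreateserial -out "$1/server.pem" 2>/dev/null
}

is_self_signed() {  # true when subject and issuer names are identical
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Relying party with only the platform's default trust store.
verify_untrusted() {
    openssl verify "$1/server.pem" >/dev/null 2>&1
}

# Relying party that has installed the community root as a trust anchor.
verify_trusted() {
    openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_pki "$d"
    is_self_signed "$d/root.pem" && echo "root: self-signed"
    if verify_untrusted "$d"; then echo "outsider: accepted"
    else echo "outsider: rejected (unknown issuer)"; fi
    if verify_trusted "$d"; then echo "community member: accepted"
    else echo "community member: rejected"; fi
    rm -rf "$d"
}
demo
```

The same server certificate is rejected by a verifier that has not installed the root and accepted by one that has, which is the "own community of users only" scope described above.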