CHAIN ID, ActiveX, and South Korea’s Authentication Nightmare
South Korea has always been technologically progressive. In fact, the world’s first smart city is situated 40 miles southwest of the country’s capital, Seoul. Thus, it’s no surprise that South Korea was one of the first countries to encourage Internet banking, shopping, and other services in the late 1990s.
It’s hard to believe now, but shopping and banking on the Internet were completely new in the not-so-distant past. With this new way of carrying out business, both customers and businesses were wary of fraud. To dispel this fear, the South Korean government implemented a nationwide digital authentication system in the Digital Signature Act of 1999.
Authentication Certificates in South Korea
There are two types of certificates in South Korea — private and accredited.
Private certificates are issued by institutions that are not accredited, or certified, by the South Korean government, and are only valid for specific services. For example, a bank might issue a private certificate to a customer that is only valid for services within the bank. Compared to accredited certificates, private ones are impossible to verify, are valid only by mutual agreement of the parties involved, make it difficult to obtain compensation, and cover only a limited scope of services.
The only advantage of private certificates is that they are often easier to obtain.
Accredited certificates are issued by institutions that are accredited by the government. Currently, the following institutions can issue accredited certificates: KFTC, KOSCOM, KICA, KECA, and KTNet. Accredited certificates, while more difficult to apply for, offer quite a few advantages when compared to private certificates. Accredited certificates are seen as legally binding endorsements, are valid for compensation in the event of damages caused by the certificate, and can be used for a variety of Internet services without the need for multiple certificates. Thus, the accredited certificate is by far the most popular form of authentication in Korea, with over 33 million certificates issued.
How Accredited Certificates are Generated
Accredited certificates are issued by government-accredited institutions through a process of manual verification of a resident’s National ID and other documents. Following verification, a resident’s identifying details are hashed into a public/private key pair along with the issuing authority’s digital signature. This process places the burden of proof on the issuing CA.