What exactly is the GTA?
The GTA is a financial sector grouping that provides
an environment in which cross border e-commerce transactions
may be conducted securely and where liability is accepted
for the transacting parties.
Why do we need the GTA?
The Internet offers the opportunity for a wide range
of global e-services (e-commerce, e-payment, e-business,
etc.). These e-services need underlying functions that
guarantee the credentials of the parties in a transaction,
the electronic equivalent of existing contractual relationships.
Users of e-services need mechanisms that provide reliable
on-line identification and authentication of the participating
parties in the transaction and a means of redress if
the mechanisms fail. PKI can facilitate these requirements
through the creation of certificates for unambiguously
identifying end-users. The majority of current PKIs
accepting liability are for closed user groups; for
parties wishing to subscribe to a particular scheme;
or on the basis of national boundaries. Interoperability,
on a global and cross-sector/cross-scheme basis, is
not widely catered for. There is, therefore, a need
for an entity that can enable, in the virtual world,
the interoperability that is already evident in the
real world. The Global Trust Authority (GTA) is such
an entity. GTA provides a structure for interoperable
e-services that will not be distorted by the requirements
of a single scheme.
Who are the members?
GTA's members list

What is the GTA offering?
The GTA will offer an ID certificate and a minimum level
of Certificate Policy for an interoperable infrastructure.
The infrastructure will comprise the GTA, under which
reside, typically, national CAs that provide certificates
to banks and other bodies who deal directly with end
users. The GTA, in this scenario, provides the bridge
between national schemes through the creation of standards
and rules for protocols and policies respectively.
What liability does the GTA accept?
The GTA will accept liability for the identity certificates
it issues. The liability is nevertheless limited in
line with the European Directive. Those lower down the
GTA hierarchy will accept liability for the certificates
they issue. Risk and liability therefore cascade down
the hierarchy. This means that users of applications
under the GTA umbrella can do so in the knowledge that
liability is accepted at both ends of the transaction.
Is GTA still necessary now that the e-business hype is over?
Although the major hype in e-business is over and dot-com
companies have to make profits like 'normal' companies,
it can be expected that the Internet will always be
an important carrier for consumer or business transactions.
There are still many e-services that need mechanisms
that provide reliability, security and liability acceptance.
Why should a bank become a member of the GTA?
Besides having access to the GTA technology and being
able to use the infrastructure, becoming a member of
GTA offers various advantages to banks and other financial
institutes. Members can accredit their applications
under the GTA and then have access to a large market
of users. Members can, in the first instance, be interoperable
with GTA without reissuing existing certificates and
can profit from the co-operation with other sectors.
Finally GTA offers a selection of recognised providers
to assist members in their implementation.
What is the difference between GTA and Identrus?
The GTA and Identrus are complementary propositions.
The GTA has an "open" policy regarding membership
that will permit other sectors to become GTA members
in the future. The GTA is also "open" in the
mode of operation so that the certificates issued under
the GTA umbrella can be relied upon by all recipients,
including those who do not have a business relationship
with a GTA recognised body.
Are the GTA and Identrus competing with each other for the e-commerce market?
No. The GTA and Identrus are two complementary undertakings
that cater for different aspects of the e-commerce market.
The GTA is providing the infrastructure within which
competitive commercial applications may evolve. These
applications may be marketed by the financial or other
sectors. Nevertheless, the scope of certification is
still evolving and the banks, being in both cases shareholders,
will have the possibility to manage the respective areas
of intervention for both organisations.
Can a bank be a member of both Identrus and the GTA?
Yes. There is no reason why a bank should not be a member
of both. Indeed being complementary initiatives, both
organisations are needed and it makes sense to be a
member of the two organisations to cover all markets.
Examples of banks that are members of both are BNP Paribas,
Société Générale and BSCH,
to name but three.
What is the relationship between the GTA and S.W.I.F.T.?
There is considerable possibility for synergy between
the GTA and S.W.I.F.T. PKI strategies. It is anticipated
that, in due course, GTA will be able to use TrustAct
to secure inter-bank e-commerce messages exchanged under
the GTA umbrella.
What is the difference between the interoperability offered by the Card Schemes and the GTA?
The Card Schemes offer interoperability for card based
payments. The GTA does not seek to encroach on this
domain. The GTA provides an umbrella for the authentication
of participants to a transaction. This facility may
be used to support any cross border transaction.
What is the market that the GTA is seeking to cater for?
The GTA infrastructure can be used by all markets, specifically
Business to Consumer, Administration to Consumer, Administration
to Business and small Business to Business, where other
initiatives focus more on the high value B2B market.
The GTA stimulates the use of GTA-branded certificates
on various access devices, like mobiles, bank cards,
set-top boxes and PDAs.
Is the GTA going to comply with the EU Directive on Electronic Signature?
Most certainly. The GTA will comply with, and promote,
the Directive. To this end the GTA will set the EU Directive
as a minimum requirement that must be observed by those
who participate under the GTA umbrella. If similar directives
were issued in another region of the world, GTA would
study how to take these into account.
How does the GTA provide the infrastructure of trust?
The GTA provides the procedures and standards to member
Certificate Authorities, so that they can implement
services that are compatible with the GTA infrastructure.
Members either certify other Certificate Authorities
as a Master Trust Authority or issue GTA-branded certificates
to end users, as Scheme Trust Authorities.
Are you planning to expand the GTA membership?
Yes. The GTA members have already commenced making approaches
to banks in other countries. Indeed, even though the
current GTA members are from Europe their sphere of
influence is global with the Spanish members, for example,
having an important role in the banking communities
of South America. New members should join the GTA from
a wide range of institutions in the financial sector
and other sectors may be admitted.
Why are no US banks members of the GTA?
We anticipate being able to make further announcements
in due course.
Is GTA exclusive for organisations of the financial sector?
No. Organisations of other sectors can apply for GTA
membership. This will be decided on a case by case basis
by the GTA Board.
Can non-member organisations profit from the GTA offering?
Yes. All parties can make use of cross validation with
GTA. This means that without immediately becoming a
GTA member and without issuing new certificates, end-users
of an external PKI can validate certificates issued
under the GTA umbrella and GTA users can validate certificates
of the external PKI. This opportunity is subject to
an assessment by the GTA to ensure that the rules and
security of the external PKI are at least to the minimum
level set by the GTA.
What applications does the GTA offer to the market?
GTA doesn't provide applications. The GTA members do
this. GTA will only accredit applications, to be sure
that the applications meet the GTA rules and technical
requirements. All accredited applications can operate
successfully across the spectrum of the membership.
Potentially applications in the area of e-mail, home
banking, secure downloading of applications to a device,
proxy voting, letter of credit, procurement and auction
are likely to be accredited soon.
When is the GTA operational?
The GTA went live in September 2001.
What does the GTA offer to vendors and other solution providers?
Those who are able to offer products or services that
facilitate the implementation of the GTA proposition
are invited to participate in the GTA Recognised Providers
Program. The list of Recognised Providers is presented
on the GTA website. Acceptance as a Recognised Provider
opens the market for product or service offerings to
all GTA members and partners, which include many prominent
financial institutes across Europe and ultimately world-wide.
GTA assures the interoperability across the hierarchy
for products/services of Recognised Providers.
Does GTA make a profit?
The GTA is a not-for-profit organisation. GTA works
cost-effectively and is based on a low-cost structure.
How does a transaction work that is facilitated by the GTA?
That depends on the application. In a transaction using
a digital signature, the sender signs the message with
the private key belonging to the GTA-branded certificate.
The receiver validates the signature with the public
key of the sender and checks through his/her Certification
Authority if the sender's certificate is still valid.

How does validation of certificates work within the GTA infrastructure?
Validation of certificates within the GTA infrastructure
works via the Online Certificate Status Protocol (OCSP).
For example, an Authorised Relying Party (ARP) receives
a signed message from an end-user, with the chain of
certificates up to the root attached. The ARP checks
if all certificates in the chain are still valid, by
sending an OCSP request to his own Validation Authority
(VA). If the VA is not authoritative for a certificate,
it contacts the VA of the sender, as indicated in the
end-user certificate. For a certificate for which it
is authoritative, it will check the serial number against
an up-to-date copy of the revocation list. Having determined
the status of all the certificates originally requested,
the ARP's VA returns a message back to the ARP. If any
of the certificates is identified as revoked or unknown,
then the ARP should reject the transaction initiated
by the end-entity.
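The validation flow described above can be modelled as a small simulation. The following Python sketch is an added illustration, not GTA code: the class and field names, the sample serial numbers and the rule that an unreachable authoritative VA yields "unknown" are assumptions, and no real OCSP messages are encoded.

```python
# Added illustration of the ARP -> own VA -> sender's VA check; all data is constructed.
from dataclasses import dataclass, field

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"

@dataclass(frozen=True)
class Cert:
    serial: int
    issuer: str        # CA that issued this certificate
    va_name: str = ""  # VA named in an end-user certificate (assumed field)

@dataclass
class ValidationAuthority:
    name: str
    issued: dict       # issuer -> serials issued; keys = issuers we are authoritative for
    revoked: dict      # issuer -> serials on our copy of the revocation list
    peers: dict = field(default_factory=dict)  # VA name -> ValidationAuthority

    def status(self, cert):
        """Answer from local data; call only for issuers we are authoritative for."""
        if cert.serial in self.revoked.get(cert.issuer, set()):
            return REVOKED
        if cert.serial in self.issued[cert.issuer]:
            return GOOD
        return UNKNOWN  # serial never issued by that CA

    def check_chain(self, chain):
        """Return one status per certificate, forwarding where not authoritative."""
        sender_va = self.peers.get(chain[0].va_name)  # pointer in end-user cert
        results = []
        for cert in chain:
            if cert.issuer in self.issued:
                results.append(self.status(cert))
            elif sender_va is not None and cert.issuer in sender_va.issued:
                results.append(sender_va.status(cert))
            else:
                results.append(UNKNOWN)  # assumption: no reachable VA means fail closed
        return results

def arp_accepts(chain, own_va):
    """ARP policy from the text: reject if any certificate is revoked or unknown."""
    return all(s == GOOD for s in own_va.check_chain(chain))

# Constructed hierarchy: chain is [end-user, sender's CA, root], as sent to the ARP.
va_sender = ValidationAuthority("va-sender", {"CA-SENDER": {101, 102}},
                                {"CA-SENDER": {102}})
va_arp = ValidationAuthority("va-arp", {"ROOT": {1, 2}}, {},
                             peers={"va-sender": va_sender})
chain_ok = [Cert(101, "CA-SENDER", "va-sender"), Cert(2, "ROOT"), Cert(1, "ROOT")]
chain_revoked = [Cert(102, "CA-SENDER", "va-sender"), Cert(2, "ROOT"), Cert(1, "ROOT")]
```

Note that the ARP decision is all-or-nothing: one revoked or unknown certificate anywhere in the chain rejects the transaction, even when the root and intermediate certificates are good.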
Do users need special technology to be able to make use of the GTA infrastructure?
End-users in the GTA infrastructure do not need any
proprietary hardware or software. Of course end-users
need client hardware and software to be able to use a
certain application and to be able to validate certificates,
but this is always based on common standards.
What hardware and software do members need to participate in the GTA?
Member Certificate Authorities need CA hardware and
software (for example from Entrust or Baltimore), including
a Certificate Directory, OCSP software (for example
from Certco or Valicert) and a Hardware Security Module
(for example from Chrysalis).