In October 2013, Kenyans will be in a position to carry out more business transactions online. The National Public Key Infrastructure (PKI), funded by the World Bank under the Kenya Transparency & Communications Infrastructure Project (KTCIP) will provide the legal basis for both natural and legal persons (people and companies regarded by law to have status of a person) to perform verifiable transactions. The PKI will establish a certificate authority that will issue people with certificates that they will use to verify transactions which they perform.
Currently, online transactions performed in the country have no legal basis. This means it cannot be verified whether the person purporting to perform a transaction is who they claim to be. A person can also deny having performed a transaction that they did perform, such as sending an email. As a result, people still resort to pen and paper, even with widespread availability of Internet access in the country. One can also opt for digital certificates issued by authorities such as Verisign; such certificates, however, lack a legal basis in Kenya, exposing those who use them to legal risks.
The certificates will therefore serve as digital signatures, equivalent to physical signatures. Unlike physical signatures, though, digital certificates are almost impossible to forge. Even when stolen, perhaps through hacking or a misplaced device, they still require a password before use.
Those registering for SIM cards currently have to turn up physically at mobile operator outlets to do so. Once issued with a digital certificate, one could apply for such services online and upload the certificate, which verifies the identity of the person performing the transaction. With certificates, you can email instructions to your bank in a digitally signed email, a process that currently requires a letter.
Evans Kahuthu, Project Manager, Information Security at the Kenya ICT Board, which is implementing projects under KTCIP, says that with PKI, liability for online banking transactions will lie with your bank. A user can thus claim a refund for an online transaction performed on their bank account without their certificate. Likewise, banks can ensure the safety of online banking by requiring such transactions to be signed with a digital certificate.
The project will be implemented by Samsung SDS and their joint venture partner, the Korean Information Certification Authority (KICA), who won the tender for implementation of the project. KICA is the oldest certification authority in South Korea. In Korea, insurance companies use digital certificates to exchange information between them. This contrasts with Kenya where businesses use courier firms to exchange such documents.
The certificate will consist of two parts, a private and a public key. The private key is known only to the person who owns the certificate and will require a password before use. The public key component is available to the public and is used either to verify information sent by a person or to guarantee that information intended for a certain person is visible only to that person. An email coming from your bank will be signed using the bank's private key. You will then use the bank's public key to verify that the email actually came from your bank and not from someone impersonating your bank.
Such certificates can also be used to make communication safer and to keep it from unintended recipients. When sending an email or other information to a person or company, you can download their public key and use it to encrypt the information. The information will be jumbled up, and only those in possession of the corresponding private key (known only to the owner) can decrypt it. A bank emailing you your ATM PIN can use your public key to jumble up the email. The email will then be readable only by the recipient. Even if someone else logs into the recipient's email account, they will be unable to read the email without the recipient's private key and password.
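The two uses of a key pair described in the preceding paragraphs, signing so that a recipient can verify the sender with the public key, and encrypting with a public key so that only the private-key holder can read the message, are illustrated below in an added example that is not part of the original article or of the National PKI project. It uses only Go's standard library (RSA-PSS for signatures, RSA-OAEP for encryption); the party names, the notice text and the PIN are constructed sample values, and the password protection of the private key mentioned above is not modelled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party models a hypothetical certificate holder. In a real PKI the public key
// would be carried in an X.509 certificate issued by a CA; here only the key
// pair itself is modelled.
type Party struct {
	Name string
	priv *rsa.PrivateKey
}

// NewParty generates a fresh 2048-bit RSA key pair for the named holder.
func NewParty(name string) (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: k}, nil
}

// PublicKey is the part the party publishes (via its certificate in practice).
func (p *Party) PublicKey() *rsa.PublicKey { return &p.priv.PublicKey }

// Sign produces a detached RSA-PSS signature over the SHA-256 digest of msg
// using the party's private key.
func (p *Party) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, digest[:], nil)
}

// Verify checks sig against msg using only the signer's public key. It returns
// true only if the signature was made by the matching private key over exactly
// this message; a different key or an altered message both fail.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Encrypt seals msg so that only the holder of the private key matching pub can
// read it (RSA-OAEP with SHA-256). This fits short payloads such as a PIN; longer
// messages are normally encrypted with a symmetric key that is wrapped this way.
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt opens a ciphertext produced by Encrypt with the party's private key.
func (p *Party) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ct, nil)
}

func main() {
	bank, _ := NewParty("bank")
	customer, _ := NewParty("customer")
	other, _ := NewParty("someone else")

	// A signed notice from the bank verifies under the bank's public key ...
	notice := []byte("Your statement for March is ready. (constructed sample)")
	sig, _ := bank.Sign(notice)
	fmt.Println("genuine notice verifies:", Verify(bank.PublicKey(), notice, sig))
	// ... a signature made with any other key does not ...
	otherSig, _ := other.Sign(notice)
	fmt.Println("other party's signature verifies:", Verify(bank.PublicKey(), notice, otherSig))
	// ... and neither does the genuine signature over an altered message.
	altered := []byte("Your statement for April is ready. (constructed sample)")
	fmt.Println("altered notice verifies:", Verify(bank.PublicKey(), altered, sig))

	// A PIN encrypted to the customer's public key opens only with their private key.
	ct, _ := Encrypt(customer.PublicKey(), []byte("PIN 4821 (constructed sample)"))
	pt, _ := customer.Decrypt(ct)
	fmt.Println("customer reads:", string(pt))
	_, err := other.Decrypt(ct)
	fmt.Println("other party fails to decrypt:", err != nil)
}
```

Run it with `go run` and the three verification lines print true, false, false, after which the PIN is recovered by the customer alone. The signature step hashes the message first so that the signature covers the whole email regardless of its length, and verification takes only the public key, which is the property that lets anyone check a bank's email without holding any bank secret.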
The Communications Commission of Kenya (CCK) will be the country's Root Authority, which plays the role of licensing certificate authorities (CAs). CCK will draw up and publish the requirements and accreditation process for CAs, which will be private entities. CCK will also draw up the legal framework of the National PKI and the standards that will ensure certificates issued by the various CAs are interoperable.
The government will issue certificates through its own CA during a pilot before CCK licenses private players to become accredited CAs. Eventually, the government's role will be reduced to a CA for its departments and agencies. The pilot will also see the Kenya Revenue Authority become the first organisation to accept and use certificates for its processes, though on an optional basis.
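The hierarchy sketched in the two paragraphs above, a root authority that accredits CAs and CAs that issue certificates to people, with relying parties checking any certificate back to the root, is shown below in an added example that is not part of the original article or of the National PKI implementation. It uses Go's standard `crypto/x509` package to build a small chain and to verify it: a constructed root, a CA certified by that root, a holder certified by that CA, and, for contrast, a second CA that was never accredited by the root, whose holders fail verification. All names and serial numbers are constructed, and ECDSA P-256 keys are used only because they are quick to generate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate binding cn to subjectPub, signed by parentKey. With
// parent == nil the certificate is self-signed (a root). isCA says whether the
// certificate may itself sign further certificates (a CA) or is an end-entity
// certificate usable for signed email.
func issue(cn string, serial int64, isCA bool, subjectPub *ecdsa.PublicKey,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, subjectPub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Hierarchy holds the constructed chain: Root accredits LicensedCA, which
// certifies Holder. OtherCA is self-signed and never accredited by Root.
type Hierarchy struct {
	Root, LicensedCA, Holder, OtherCA, OtherHolder *x509.Certificate
}

// Build creates the constructed hierarchy from fresh keys.
func Build() (*Hierarchy, error) {
	keys := make([]*ecdsa.PrivateKey, 5)
	for i := range keys {
		k, err := newKey()
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	h := &Hierarchy{}
	var err error
	if h.Root, err = issue("Constructed Root Authority", 1, true, &keys[0].PublicKey, nil, keys[0]); err != nil {
		return nil, err
	}
	if h.LicensedCA, err = issue("Constructed Licensed CA", 2, true, &keys[1].PublicKey, h.Root, keys[0]); err != nil {
		return nil, err
	}
	if h.Holder, err = issue("Constructed Holder", 3, false, &keys[2].PublicKey, h.LicensedCA, keys[1]); err != nil {
		return nil, err
	}
	if h.OtherCA, err = issue("Constructed Unaccredited CA", 4, true, &keys[3].PublicKey, nil, keys[3]); err != nil {
		return nil, err
	}
	if h.OtherHolder, err = issue("Constructed Other Holder", 5, false, &keys[4].PublicKey, h.OtherCA, keys[3]); err != nil {
		return nil, err
	}
	return h, nil
}

// VerifyAgainstRoot does what a relying party does: it trusts only root, is
// offered ca as an intermediate, and checks that holder chains to root and is
// usable for signed email. A nil result means the chain is valid.
func VerifyAgainstRoot(root, ca, holder *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(ca)
	_, err := holder.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	})
	return err
}

func main() {
	h, err := Build()
	if err != nil {
		panic(err)
	}
	fmt.Println("holder of licensed CA:", VerifyAgainstRoot(h.Root, h.LicensedCA, h.Holder))
	fmt.Println("holder of unaccredited CA:", VerifyAgainstRoot(h.Root, h.OtherCA, h.OtherHolder))
}
```

The first line prints `<nil>` because the holder's certificate chains through the licensed CA to the trusted root; the second prints an unknown-authority error, since the unaccredited CA's self-signed certificate is not in the root pool and nothing it issues can be traced back to the root. Interoperability between CAs, which the article attributes to CCK's standards, comes down to every relying party holding the same root and every CA issuing certificates that carry the usages and constraints checked here.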