No. 154 / Oct 18, 2021
In a digital environment, people use digital certificates to prove their ownership. However, there have been significant changes in Korea since authorization certificates were introduced with the enactment of the Digital Signature Act in July 1999. They were widely used in two categories: electronic commerce (e-commerce) and electronic government services (e-government services). Meanwhile, in the 2013 drama My Love from The Star, many people sympathized with the scene in which Chun Song-yi was at a loss while shopping online because of an authorization certificate. In May 2014, authorization certificates were omitted from e-commerce. In August 2019, 22 public institutions deleted the ActiveX plug-in, which is essential for the use of authorization certificates in e-government services. Finally, with the revision of the Digital Signature Act on December 10, 2020, authorization certificates issued by six specific institutions may be replaced with certificates from private companies.
There were several reasons for the revision. First is the inconvenience of using authorization certificates. They had to be renewed on a yearly basis and registered every time they were used elsewhere. However, private certificates have to be renewed only every 3-5 years, and can be certified anywhere and anytime via one’s mobile phone. Second, there were many security vulnerabilities in the use of authorization certificates. When Korea introduced authorization certificates, a specific security system was needed. Korea adopted ActiveX, the plug-in of Microsoft’s Internet Explorer (IE) browser, because IE was almost exclusively used at that time. As Chrome became more widely used, Chrome’s Netscape Plugin Application Programming Interface (NPAPI) was also adopted. Thus, authorization certificates can be used only in certain browsers. However, Microsoft and Chrome stopped supporting ActiveX and NPAPI in 2015. Moreover, authorization certificates are simply stored in a general folder of the user’s storage device, named National Public Key Infrastructure (NPKI). That is the reason passwords had to include upper case letters, special characters, and numbers. As such, there were many security vulnerabilities. In 2014, about 7,000 Korean authorization certificates were leaked from overseas servers. Therefore, private certificates are stored in the cloud of the Korea Financial Telecommunications & Clearings Institute (KFTC) instead. Passwords have also been simplified into biometric recognition systems, Personal Identification Numbers (PIN), and patterns.
Nowadays, following the revision, several private certificates are being used. First, there is a financial certificate created in a collaboration between the KFTC and banks. However, KB Kookmin Bank and Hana Bank also introduced their own mobile certificates and a face authentication system. Second, there are Kakao Wallet from Kakao Pay and PASS from the mobile carriers. These two are “built-in” certificates. PASS is automatically installed when buying a cell phone, and Kakao Wallet can be used as long as KakaoTalk is installed. In January 2021, PASS surpassed 22 million downloads, and Kakao Wallet secured 10 million users within three months of its launch. Finally, there are Naver, Toss, and Payco certificates.
Digital certificates are becoming more and more convenient, but there were concerns about the change. In response to people’s worries, an evaluation and certification system was introduced with the revision as well. However, since it is a signature, one should remain cautious.
By Noh Hyun-jin, AG Reporter
noh0605@ajou.ac.kr