Legal Entity Identifiers in digital certificates
Digital certificates are hugely important in encrypting the internet. Whether it’s for encrypting a website and adding the ‘S’ to HTTPS or it’s encrypting and signing a digital document like a PDF, digital certificates are everywhere. Until now, they have solved some significant security challenges on the internet by encrypting networks and communication channels. However, as we know, encryption is not always enough.
You can keep information encrypted, but if you’re sending it to a criminal, then encrypting it does nothing. As an example, imagine visiting an online shop. The shop is encrypted, so you feel safe to buy something and enter your credit card information. Later, you realize the shop was merely a phishing site, and you’ve sent sensitive information to a cybercriminal. This is a regular occurrence on the internet today.
It’s not enough to know your information is protected. Today, we need to know who is receiving that information and be sure that we can trust them. HTTPS websites used to have the option of adding identity to the certificates. Still, it was far too easy to get one if you were a cybercriminal, and the people doing the vetting were the same people selling the certificates, so there wasn’t much motivation to improve the process. Even code signing certificates (used to protect us from malicious apps) were obtained by cybercriminals to sign apps that would infect our computers and phones.
LEIs are organizational identity
Legal Entity Identifiers (LEIs) are gaining huge adoption in the financial industry for identifying organizations. Any organization trading on the financial market today must have an LEI and declare its parent and child companies on that LEI.
This database of LEIs is open and accessible to the public, who can read and challenge the data. LEIs are obtained from independent Local Operating Units managed by the GLEIF. A third-party identification system of this kind is hugely powerful, and it can now be relied upon for global financial reporting to comply with regulations like MiFID II, EMIR, and MiFIR.
Going beyond trade reporting, LEIs have already been dubbed a new tool to help save the Know Your Customer (KYC) and other due diligence processes in customer onboarding. Using LEIs in digital certificates could increase the efficiency of this system even further.
For example, in Open Banking, where banks are opening up APIs to FinTech companies, two servers must communicate. eIDAS requires that these communication transactions be signed with a Qualified Certificate, but what if those certificates contained a Legal Entity Identifier? Right now, identity vetting in the Qualified Certificate is done by a certificate authority and is unavailable in an open database. It’s also possible to change company details without changing the certificate details. This can create areas of vulnerability that a hacker can exploit.
What’s available now
Legal Entity Identifiers are not yet integrated with all types of digital certificates. You can still obtain an SSL/TLS Certificate with an LEI and a Digital Signing Certificate with an LEI.
A good use case for digital signing is B2B transactions that involve paper-based document signing, such as contracts and agreements. An organization looking to take these workflows online and make them paperless would benefit from having the additional security of LEI numbers attached to the certificate that encrypts and signs the document.
This LEI code can be checked against the onboarding data, reducing friction and time associated with transactions between two parties.
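One way to run the check against onboarding data described above, as an added example that is not from the original article: it validates the LEI's ISO 17442 check digits (ISO 7064 MOD 97-10) and then compares the code with the record on file. It assumes the LEI has already been read out of the certificate; the function names, counterparty keys and sample LEIs are hypothetical and constructed for illustration.

```python
import re

LEI_RE = re.compile(r"[A-Z0-9]{18}[0-9]{2}")

def to_digits(code):
    # ISO 7064 MOD 97-10: digits stay as they are, letters map A=10 ... Z=35.
    return int("".join(str(int(ch, 36)) for ch in code))

def lei_check_digits(base18):
    """Two check digits for an 18-character LEI base (ISO 17442)."""
    return f"{98 - to_digits(base18 + '00') % 97:02d}"

def lei_is_well_formed(lei):
    """True if the 20-character code has the right shape and checksum."""
    return bool(LEI_RE.fullmatch(lei)) and to_digits(lei) % 97 == 1

def check_against_onboarding(counterparty, cert_lei, onboarding):
    """Compare the LEI taken from a certificate with the onboarding record."""
    lei = cert_lei.strip().upper()
    if not lei_is_well_formed(lei):
        return "reject: malformed LEI"
    record = onboarding.get(counterparty)
    if record is None:
        return "review: counterparty not onboarded"
    if record["lei"] != lei:
        return "reject: LEI differs from onboarding record"
    return "accept"

# Constructed sample data: these bases are made up, not registered LEIs.
BANK_BASE = "0000EXAMPLEBANK001"
SHOP_BASE = "0000EXAMPLESHOP002"
BANK_LEI = BANK_BASE + lei_check_digits(BANK_BASE)
SHOP_LEI = SHOP_BASE + lei_check_digits(SHOP_BASE)

# Hypothetical onboarding table keyed by an internal counterparty id.
ONBOARDING = {"example-bank": {"legal_name": "Example Bank Ltd", "lei": BANK_LEI}}

if __name__ == "__main__":
    for party, lei in [("example-bank", BANK_LEI),
                       ("example-bank", SHOP_LEI),
                       ("example-bank", BANK_LEI[:-1] + "X"),
                       ("unknown-party", SHOP_LEI)]:
        print(party, lei, "->", check_against_onboarding(party, lei, ONBOARDING))
```

A valid checksum only shows the code was not mistyped or truncated; whether the LEI is registered and current still has to be confirmed against the public LEI database.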