EDGAR will embrace PKI

EDGAR will embrace PKI

SEC: New version of filing system will be simpler, cheaper and more flexible

By William Jackson

GCN Staff

The Securities and Exchange Commission staff will order in turkey dinners when they cut over to the new Internet-friendly version of the Electronic Data Gathering Analysis and Retrieval System.

The new system will be online Monday, Nov. 27.

'We'll all be here over Thanksgiving,' EDGAR program manager Rick Heroux said.

The Internet version is the third phase in the modernization of the 8-year-old records filing system. Giving EDGAR a Web browser interface will free it from specific operating systems and should simplify the job of filing the myriad documents SEC requires from publicly held companies.

EDGAR program manager Rick Heroux says he expects filing via the Web to increase as users catch on.

A public-key infrastructure makes the Internet practical for filing sensitive financial information. Digital certificates issued by VeriSign Inc. of Mountain View, Calif., will mutually identify the filer and the SEC server to each other. Documents can be encrypted and digitally signed using public-private key pairs, and SEC examiners will use filers' public keys to verify signatures and ensure that documents were not altered after signing.

The move to the Internet with PKI is not an effort to improve security, Heroux said.

'What we're replacing was a pretty secure paradigm with dial-up modems,' he said. 'It was working fine. We had more fraudulent reports being filed on paper than on EDGAR.'

Out with the old

The idea was to replace the old, reliable MS-DOS, ASCII filing system and its 14.4-Kbps modems with an equally secure but simpler, more flexible system that costs less to maintain.

The prime contractor for the $22.5 million modernization is TRW Inc.

The first phase was to bring EDGAR data in-house to reside on servers from Stratus Computer Inc. of Marlborough, Mass. The second phase introduced 56-Kbps modems plus document submission in Hypertext Markup Language or Adobe Portable Document Format.

The final phase, Internet filing, will use a mixture of Web server hardware running SunSoft Solaris and Microsoft Windows NT.

EDGAR still will support dial-up connections, Heroux said. Users who dial in will identify themselves with a log-in name, a password and another code. Those filing over the Internet will use digital certificates.

'We authenticate anyone interested in getting a certificate to make sure we know who you are,' Heroux said. An EDGAR user gets a pass code from SEC that works with a VeriSign certificate and the public-private key pair for encryption.

The certificate software binds the identity of the user to the public key and other information. When the user logs on to file a document, the session is encrypted with a 128-bit key using the Secure Sockets Layer. SEC servers verify the VeriSign certificate.

The document sender can digitally sign the document using the private key. The digital signature is a series of digits linked to the signed message by the sender's private key.

Although the new version of EDGAR will encourage Internet filing, Heroux said, many filers probably will continue to dial up.

'People wait to the last minute to file, so they are going to go with what they understand,' he said.

Thousands of filers have downloaded the software to convert documents for SEC filing via the Internet. But few companies have yet sent documents that way.

'But we are getting more and more test filings every day,' Heroux said, and he's confident Internet filing will catch on.

Here's how a digital signature works
When a document is signed by the sender:

' An algorithm generates a hash'a series of zeros and ones derived from the digital contents of the message. Any change in the contents will change the hash.

'The hash is encrypted using the signer's private key to make a digital signature.

'The signed document can be encrypted for transmission using the recipient's public key. The signer's digital certificate can travel along with it.

When the signature arrives at the other end:

' The signer's digital certificate is verified by the issuing authority.

' The recipient decrypts the document using a private key.

' The recipient's computer uses the hashing algorithm, which can be contained in the signer's digital certificate, to regenerate the hash.

'The signature is decrypted using the signer's public key, also contained in the digital certificate.

' If the decrypted hash from the signature and the new hash generated at the receiving end are identical, it confirms that the document was signed by the proper person and that the contents have not changed since the signing.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.