Digital certificates grow up

March 1, 1999

No longer a technology in search of a function, digital certificates are becoming entrenched in extranet, electronic commerce and business-to-business applications, as the Internet becomes a vehicle for more and more business-critical applications.

Certificate authorities as well as developers of security hardware and software that use digital certificates are aiming to simplify the use of these identification keys. Whether a company operates its own PKI (public-key infrastructure) or outsources the service, the bottom line for end users and customers is the ease of retrieving and using digital certificates.

"In 1999, we are trying to make the certificate authority less prominent and really speak to the business problem," said Joyce Fai, product manager for GTE CyberTrust Solutions Inc., in Needham, Mass. Last month, the company started shipping Enterprise CA, a PKI that automates authorizations and certificate signing to simplify certificate distribution and usage.

Global Trust Enterprise, a consortium of banks, hopes to facilitate use of digital certificates in e-commerce by guaranteeing authentication and payment similar to the way automated teller machines and credit cards work today. Supported by certificate authorities Entrust Technologies Inc. and VeriSign Inc., Global Trust Enterprise is deploying a worldwide PKI using CertCo Inc.'s certificate authority system (see chart).

"The reason the credit card network works is because the merchant doesn't have to know who the issuing bank is and make a judgment on if they can stand behind their representations," said Jay Simmons, senior vice president of New York-based CertCo. "You can use a credit card anywhere because they are all issued under the same system of rules."

Similarly, the Global Trust Enterprise--consisting of ABN AMRO, Bank of America, Bankers Trust, Barclays Bank, Chase Manhattan, Citibank, Deutsche Bank and Hypo Vereinsbank--plans to establish standards for the use of digital certificates.

"What we have set out to solve is how two strangers, on an ad hoc basis, can come together on the Internet and enter into a contractually bound commercial transaction," Simmons said. Applications based on Global Trust Enterprise are expected by year's end or early next year.

As companies move from pilot projects to products, the use of digital certificates is expanding into real-world business solutions.

"We've seen e-commerce Web sites using certificates to protect customer information, but that is now broadening into enterprise intranets and ISPs [Internet service providers]," said Richard Yanowitch, vice president of marketing for VeriSign, in Mountain View, Calif. "People are using Web site certificates to protect intranet information, and now large ISPs and service providers that are hosting tens of thousands of Web sites for others want the protection of certificates to make sure information is confidential."

Mail without stamps

One such project expected to reach fruition this year is the U.S. Postal Service's Information Based Indicia program, which will enable customers to download two-dimensional bar-code postage over the Internet. Based on Cylink Corp.'s PrivateWire PKI, the program will give customers 24-hour access to postage.

Companies issuing certificates are working to make them more functional with a variety of applications. Entrust, for example, plans to add a roaming feature to its Entrust PKI digital certificates by the third quarter of this year that will let users log on to a secure server to retrieve private keys.

One user of Entrust PKI, Scotiabank of Toronto, is testing a new receipt acknowledgment feature. In addition to providing two-party authentication, Entrust PKI will allow users to verify that a message was opened.

"When you send electronic mail, Entrust sends an acknowledgment that you received it. What we are testing right now is [the ability to know that] you opened the mail," said Albert Wahbe, executive vice president of electronic banking for Scotiabank.

Scotiabank now offers all of its services, including discount brokerage stock trading, over the Internet through the use of digital certificates. "With Entrust, a small, mathematical grid formula is downloaded to the customer and stays on his PC. The mathematical grid will produce an encrypted, random number every time a new transaction is launched," Wahbe said.

Simplifying the use of digital certificates also involves easing the installation of a PKI. With Version 3.5 of its SiteMinder secure user management software, Netegrity Inc. plans to take some of the complexity out of PKI installation. When it ships this month, SiteMinder 3.5 will support digital certificates for the first time and allow companies to implement a PKI more gradually.

"Installing the entire PKI infrastructure is complex, and customers are looking for a gradual way of deploying certificates," said Sumner Blount, product manager for Netegrity, in Waltham, Mass. "We have been moving aggressively into supporting certificates and working with all the major PKI vendors."

Previously, SiteMinder supported authentication through passwords and token cards. "Customers asking for certificate support would use them primarily for trading partners, distributors and internal employees. They see the benefits of a single sign-on and password management" found in SiteMinder, Blount said. By adding certificate support, "you don't have to worry about forgotten passwords. It's like having a double layer of security," he added.

SiteMinder 3.5 will also eliminate redundant administration of digital certificates. "We extract information from the certificate and authenticate the user based on that," Blount said. Once a user is identified with a unique name, SiteMinder will access any directory or database to determine which workgroups that person belongs to. Rules associated with those groups will then be applied to the individual user.