On-Line Banking: Valicert Tackles Flaw in E-Commerce Security

A group of Silicon Valley entrepreneurs has set out to correct a flaw in the digital certification process that many Internet experts have been counting on to make Internet commerce secure.

The solution, called a certificate revocation tree, is the property of Valicert Inc., a Sunnyvale, Calif., company formed last year and officially opened for business this week.

In a sign that Valicert may be on to something that could bring added security to Internet transactions, three vendors in the data encryption field have given endorsements, and Netscape Communications Corp. has made a provision for Valicert's technology to "plug in" to the SuiteSpot server software.

The advent of Valicert indicates that digital certification-a cryptographic technique that is believed to be on the road to broad public acceptance through Internet security protocols such as the credit card industry's SET-needs further refinement.

"Today there is no way to know if a certificate is valid at the time of a transaction-it is known only that the certificate was valid at the time of issuance," said Joseph "Yosi" Amram, president and chief executive officer of Valicert.

He said that if not for the Valicert method of keeping revoked certificates from being approved-it will be available in the form of a tool kit for system developers, a server system, and a service from Valicert- electronic commerce could collapse under the weight of millions of digital certificates that cannot be adequately validated.

SET, the Secure Electronic Transactions protocol adopted by MasterCard and Visa for on-line credit card transactions, illustrates the problem in the extreme. SET requires issuance of digital certificates to all parties to a transaction. They are the E-commerce equivalent of a driver's license to verify a cardholder's identity or a certification that an on-line merchant is what it claims to be.

The complexity of processing transactions with those multiple certificates is widely seen as slowing the adoption of SET.

But digital certificates have already been issued by the millions through Netscape and Microsoft Corp.'s Internet browsers. Verisign Inc. and GTE Corp. are prominent certificate vendors. GTE, Entegrity Solutions, and Entrust Technologies, the leader in public key infrastructure systems, have each agreed to some form of collaboration with Valicert.

Valicert's efforts can "expand the security infrastructure available for commerce," said Tom Carty, vice president of marketing and business development at GTE. "Given our focus on providing all of the pieces of the infrastructure required to make Internet commerce possible, it makes great sense for us to partner with Valicert to fill in one of the most essential pieces of the infrastructure puzzle-the digital credential checkpoint."

In a recent interview, Mr. Amram and Valicert chairman Chini Krishnan said the problem is akin to what the credit card industry faced before electronic authorization systems.

"A merchant would get a book, which came once a week or once a month, full of bad credit card numbers, and credit cards presented at the point of sale would have to be looked up manually," said Mr. Amram, who joined Valicert in August after being involved in other high-tech start-ups and in the Silicon Valley venture capital scene. "It was a big hassle and it slowed down checkout."

The digital certificate equivalent of the hot-card list is known as the certificate revocation list, or CRL.

Mr. Krishnan, the Valicert founder, said CRLs are "unscalable," meaning they become cumbersome, if not impossible, to manage as they approach mass- market proportions. The lack of scalability "has posed a barrier to widespread deployment," Mr. Krishnan said.

He claimed that the invention of the certificate revocation tree brings a "1,000-to-1 advantage" that solves the problem of revocation and validation in a tamper-proof and economical way.

"Developers need a cost-effective, one-step solution for building applications that can check the validity of digital certificates," Mr. Amram said. "By providing a clearing house network into multiple certification authorities, and by delivering a robust technology combined with a liberal licensing policy, Valicert will enable the widespread development and use of applications that will make the Internet and corporate intranets safe to conduct business."

"Certificates are the only way to deal with identity in any meaningful way," Mr. Amram said. "They will take off in a big way. But certificates without validation are like a car without brakes."

Mr. Krishnan said the development of Valicert's technology had "a lot of rocket science elements," which is why it took the company 20 months to reach the launch stage. Enhancing its credentials, Paul Kocher, a leading cryptography researcher, is credited with inventing the underlying technology. Martin Hellman, a Stanford University professor and half of the Diffie-Hellman team that invented public key cryptography, is on Valicert's scientific advisory board.

Commercializers of cryptographic security have been intrigued by Valicert's proposition. When he heard about it during American Banker's Online '97 conference in Phoenix, Scott Dueweke, a marketing manager in International Business Machines Corp.'s Internet division, said, "They should call us."

Another expert, who asked not to be identified, said Valicert's biggest problem is that it is a few years ahead of its time.

"The market has fallen down with respect to revocation management, relying on relatively short expiration dates" to minimize invalid certificates, said Victor Wheatman, a California-based analyst with Gartner Group, Stamford, Conn. "Valicert fills a void and hopes to develop technology before the leading players move forward with their own revocation capabilities."

Valicert's server and tool kit are available now, and its service to certificate acceptors will enter field trials later this year, the company said. The tool kit can be downloaded from the valicert.com Web site free for noncommercial use and evaluation purposes. Application development licenses are a flat $995 with unlimited sublicense rights. The server can be deployed on corporate intranets for $9,995.

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER