Field Trials Set for Valicert's Certificate Validation System

Less than two months since it officially opened for business, Valicert Inc. has announced global field trials for its digital certificate validation service.

Proponents of the technology say it could give Internet commerce a necessary boost, and Valicert's initial implementations could be an important proving ground.

The system revolves around technology called a certificate revocation tree, designed to overcome a flaw in the authentication process that many banks and other companies will be deploying as on-line commerce takes off.

Digital certificates, which can authenticate a computer user, are known to be valid at the time of issuance. Uncertainty creeps in at the time of a later transaction, however, and Valicert offers a way to test the validity.

Valicert said Monday it will operate the system on a service bureau basis, a program it markets under the name Valicert Service. This was not available in October when the Sunnyvale, Calif., company announced two other products, Valicert Toolkit and Valicert Server.

Three international certificate authorities will participate in the field trial beginning next month: Baltimore Technologies of Ireland, Belsign of Belgium, and Thawte of South Africa and the United States.

Baltimore Technologies operates the Eurotrust electronic commerce infrastructure serving the European Union and sees the "cooperation among leading security providers accelerating the global expansion of electronic commerce," said chief executive officer Fran Rooney.

"Valicert will provide an ideal opportunity to further explore the logistics and operational issues of a global certificate authority network," said Jack Nagle, general manager of Eurotrust Services.

These companies, well regarded in the data security industry, add to the credibility Valicert earned with a previously announced group of supporters: Entegrity Solutions, Entrust Technologies, GTE Corp.'s Cybertrust certificate authority unit, and Netscape Communications Corp.

Tom Carty, vice president of GTE, said his company intends to do pilots with Valicert. "It's great to see a compromise-recovery system in the marketplace," he said, adding it is probably better suited to electronic mail or financial service network security than for SET, the MasterCard- Visa certification standard that is already bolstered by an underlying transaction authorization infrastructure.

Belsign CEO Anthony Belpaire said the work with Valicert can help "make the Internet a safe place for electronic commerce."

"Given our focus on the creation of a simple, robust trust model for Internet commerce, the partnership with Valicert makes enormous sense as we cooperatively play a role in the growth of secure on-line commerce," said Thawte CEO Mark Shuttleworth.

Valicert president Joseph "Yosi" Amram and chairman Chini Krishnan use a credit card analogy to explain how certificate validation works.

"To be truly useful, a credit card must be able to be validated anywhere in the world, no matter where it was issued," Mr. Amram said. "In the same way, issuers and users of digital certificates need a quick and cost- effective clearing mechanism to assure the validity of these electronic credentials anywhere in the world."

The current reliance on unwieldy certificate revocation lists, or CRLs, is akin to retailers in the early days of credit cards checking each cardholder account number against those listed in a printed "hot card" bulletin.

The Valicert executives say their certificate validation method, based on an invention by the scientist who developed the security system used in Netscape browsers, is equivalent to on-line credit card authorizations. The Valicert Service is to certificate validation what a third-party processor such as First Data Corp. is to credit card authorization.

"The nice thing about the revocation tree is it minimizes bandwidth, has scalability, requires minimal processing, and is transparent to the user," Mr. Krishnan said.

Mr. Amram said he was not ready to announce pricing of Valicert Service, but "there will be different levels and some aspect of it is likely to be free."

The company adhered to a relatively nominal Internet pricing model for the tool kit, which is free for noncommercial downloading. Application development licenses are $995 with unlimited sublicensing rights.

The Valicert Server cost for corporate intranets was $9,995, and the package could be available from partner companies like Netscape or GTE on a reseller basis.

While Valicert enters into partnerships with such "industry insiders," Mr. Amram said likely initial buyers are banks and telecommunications companies that are developing certificate authorities, and potentially Internet service providers.

For the Valicert Service trial, live data will be fed in from existing certificate revocation lists. The company said the trial will be able to handle more than 30 million validation requests a day.

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER