Hewlett-Packard Co., one of the champions of Internet-technology alliances, said it made a significant addition last week to its Praesidium security lineup.
HP announced an arrangement with Verisign Inc. to make available a powerful form of data encryption through Virtual Vault servers, on which many banks rely for secure electronic commerce.
Virtual Vault, a key component of the Praesidium framework, now affords easy access to Verisign's Global Server ID digital certificates. Under previously negotiated allowances from the Department of Commerce, financial institutions can make use of data encryption keys that are 128 bits long without fear of violating export controls.
Because of the exponential improvement in security with each additional bit, the 128-bit keys are several trillion times harder to break than the 40-bit keys historically authorized for international use. That restriction was widely blamed for inhibiting growth in electronic commerce, and Hewlett-Packard, Verisign, and others in the data security community have been campaigning to break down the barriers.
Verisign, which has issued millions of certificates through both Microsoft Corp. and Netscape Communications Corp. Internet browsers, cooperated with those companies in getting a blanket authorization for 128- bit security when the appropriate "handshake" can be made to verify its Global Server ID.
Mountain View, Calif.-based Verisign recently made a deal with Lotus Development Corp. to embed Global Server ID in the Domino server.
The agreement with Palo Alto, Calif.-based HP gives Verisign another important, though nonexclusive, distribution channel. It is the first to link digital certificate issuance with Praesidium, and "in the future we intend to offer tighter integration with HP products to provide HP customers with complete public key infrastructure solutions," said Verisign marketing vice president Richard Yanowitch.
Together they "offer international banks a more secure solution for providing confidential information over the Internet," said Roberto Medrano, HP's general manager for Internet security operations. "The newer export versions of Microsoft and Netscape Web browsers are programmed to enable strong encryption only when they encounter a Verisign Global Server ID. Otherwise they are limited to 40-bit encryption."
Praesidium combines various HP technologies with those of its Partner Program members, which now include Verisign along with such vendors as Check Point Software and Raptor in firewalls, Gemplus and Schlumberger in smart cards, and Security Dynamics Technologies in single-sign-on security.
Verisign will provide certification functions via the Virtual Vault in a "fairly seamless process," said Carol Upton, Hewlett-Packard security partner manager. Requests would get sent through Web servers to Verisign, which performs all authentication operations.
"Before this, the customer would have had to know exactly where to go" for certificates, Ms. Upton said. The seamlessness extends to the legal technicalities. A Commerce Department exception otherwise would have been required for each use.
Ms. Upton said that as with any Praesidium strategic partnership, HP's and Verisign's "business models and comarketing approaches" are well aligned.
HP owns the payment automation company Verifone Inc., whose e-commerce software has been integrated in HP's network, and Verisign also has a close working partnership with Verifone.
"Verisign is an important partner because of its leadership in the certificate authority world," Ms. Upton said. She expects the relationship to become increasingly fruitful "as the marketplace goes more and more to the use of certificates and they become pervasive in electronic commerce."
That future is closer than many people outside e-commerce circles might assume, said Anil Pereira, Verisign's director of corporate marketing.
He said Verisign's Server ID products are on 65,000 Web sites. "This is a prevalent technology on the server side," he said. With more than 120 companies using the Verisign Onsite certificate service, the technology is beginning to proliferate within enterprises, which is where the HP alliance can provide a further boost.
"We are now seeing a next generation of Internet applications at the enterprise level," Mr. Pereira said. "Organizations are laying down public key infrastructures and want as many applications on them as possible. The action is in extranets," which allow, for example, clients and traveling employees to get authorized access to corporate information over the Web.
"Banks want to make sure they maintain the same level of trust in the virtual world as they have in the physical world, and they can do that with public key infrastructures," Mr. Pereira added. BankAmerica Corp., NationsBank Corp., and Royal Bank of Canada are among those buying Verisign's approaches.
"The strongest encryption is available to financial institutions worldwide right away," Mr. Pereira said of the HP deal. "This is not a vague alliance. This is a very tangible result."
u
The American Bankers Association is within a few weeks of inaugurating the digital certificate program it announced in March.
An ABA contingent led by executive vice president Donald Ogilvie traveled to Digital Signature Trust Co. in Salt Lake City at the end of July for the formal issuance of a root key, which sits atop the hierarchy of certificates that authenticate electronic buyers, sellers, and banks.
ABA associate general counsel Thomas Greco said the service is technically ready, but the association wants to complete a marketing and communications plan and activate a subsidiary with a board of directors to manage the operation.
Scott Lowry, president of Digital Signature Trust, said he hopes the effort galvanizes the banking industry to extend its "trusted third party" role by issuing digital certificates. "Banks are getting killed in this space," he said.
Digital Signature Trust and its parents, Zions First National Bank and Zions Bancorp., are ahead of much of the industry in making such a commitment. ABA officials have said they chose to rely on DST because it is bank-owned.
