Sloping Downhill Toward A Certification Gold Mine

Compared with other information security companies, Xcert International Inc. has had an unusual, downhill kind of run.

Its 2.5-year life, its modest 60-employee size, and even its Canadian roots are not unusual in this developing part of the electronic commerce world.

But Xcert has traveled far from its origins in western ski country.

The American Bankers Association this year found Xcert's proposition compelling enough to endorse it for the ABAecom certification venture.

That alone would solidify Xcert's position as a digital certificate contender, but it also has an international customer list that could be the envy of companies larger and more established. It includes the U.S. Treasury and Department of Commerce, Lockheed Martin, Blue Cross/Blue Shield, the Belgian certificate authority Belsign, and Telecash in Germany, a payments venture of Deutsche Telekom and International Business Machines Corp.

This all happened without much marketing, but Xcert has been beefing up its sales and support team to change that. In the offing are pilots, customer announcements, and "a product launch over the next quarter," said co-founder Patrick Richard.

In a business fraught with challenges around "the ability to scale," that is, managing complex public key infrastructures (PKIs) and certificate architectures for tens to hundreds of thousands of users, Xcert claims to have licked them.

Focusing on the business-to-business market and emphasizing a kind of technical neutrality that allows for interoperability with other systems, "we have customers with 50 users up to 130,000-plus," said Mr. Richard. "They are the largest PKIs running anywhere." They pay Xcert less than competitors, he claimed, because of a licensing approach "that is not based on per-certificate" costs.

"We are a glue for linking together disparate security solutions," Mr. Richard said. "That drove the ABA decision because we allow them to drive a meta-CA," or certificate authority.

Among Xcert's strategic allies is Digital Signature Trust Co., the Zions Bancorp. affiliate in Salt Lake City that the ABA selected to assemble a root CA for the financial services industry. The trust company's president, Scott Lowry, praised Xcert for its "flexibility, open architecture, and market-leading adoption of standards."

It also works with Document Authentication Systems of Dallas on groundbreaking digital approaches to lease and mortgage processing.

Xcert's technology is traceable to a system deployed in 1993 at Whistler Mountain in British Columbia. The ski resort was wired for on-line reservations and payments, among other functions.

By 1995, at age 22, Mr. Richard said he "saw Internet applications for the technology," and the next year Xcert Software was born in Vancouver.

The company launched a bid for the big time last year, deciding to incorporate in Delaware and set up shop in Walnut Creek, Calif., with an eye to Silicon Valley talent and funding sources and perhaps an eventual public stock offering.

The new Xcert International acquired the original Canadian company as well as TSSD Inc., a consulting firm owned by Fischer International Systems Corp.

That is the flagship enterprise of Addison Fischer, Xcert's principal investor and a mover and shaker in digital security circles. Thomas P. Nolan, a longtime associate of Mr. Fischer's who served as Xcert's chief financial officer, was elevated to president and chief executive officer. Mr. Richard, still living in Vancouver, took the title of chief technology officer.

Underlying Xcert's Sentry CA product line is what Mr. Richard calls "second- and third-generation" technology that overcomes the efficiency and scalability limitations of earlier systems.

"The first-generation PKI assumed a root and subordinate CAs and a pure hierarchy as a trust model," Mr. Richard said.

Now there are "flatter and more flexible formats" that permit multiple hierarchies and better mirror business practices, such as a bank department's issuing of customer credentials on an as-needed basis.

The certificates are anonymous; the personal attributes that can otherwise bog down CA operations are stored in "back-end directories." To avoid the unwieldy certificate revocation lists (CRLs) that guard against use of expired credentials, Xcert is geared to on-line status-checking akin to credit card authorizations, which makes economic sense for business transactions.

"To people who deployed earlier PKIs, CRL was an afterthought," Mr. Richard said. "We addressed that from the beginning."

The business plan is tied inextricably to the banking market and an assumption that financial institutions will want to bolster their customer relationships with CAs.

"Our timing is impeccable and our approach to the product architecture is unique," said Mr. Nolan, 55. "Banks cannot afford to give this up. If you are going to manage your own security and have interoperability, you have to use Xcert."

MORE FROM AMERICAN BANKER