Security Firm with Bank Roots Seeks Web Stardom

Certco LLC, one of a handful of digital security companies hoping to be a star on the electronic commerce stage, isn't waiting to go for broke.

Though still early in the run, Certco is making the confident noises of a company that has seen the future work according to its script. It is calculated to resonate with banks.

"Banks are uniquely qualified, even beyond governments, to act as brokers of trust in electronic commerce," said Charles S. Walton Jr., the New York-based company's chief operating officer. "It gets at banks' historical role in certifying trust, as well as underwriting risk and assuming liability."

Certco, a specialist in the digital certification technology that is expected to be a key ingredient in the commercialization of the Internet, is not alone in making this kind of pitch.

Some competitors may even be said to have established stronger marquee names while this drama is still in Act One. They include the GTE Cybertrust unit of GTE Corp., a former employer of Mr. Walton; Verisign Inc., a spinoff of the data encryption technology leader RSA Data Security Inc. and the beneficiary last Friday of a $42 million initial public stock offering; and Entrust Technologies Inc., a profitable and fast-growing Texas-based property spun off in 1997, and still controlled, by Northern Telecom of Canada.

Certco tries to set itself apart in at least two ways.

Emphasizing the hierarchical nature of the certificate authority infrastructure all these companies are vying to build, Certco aims for the brass ring. If the certification market were a pyramid, Certco wants to start by controlling the top, defining the general framework and providing the system for root keys that would filter down through the network.

Second, Certco stresses that it is uniquely rooted in, and knowledgeable of, banking. A spinout from Bankers Trust New York Corp., it vows not to let the Internet commerce business go the route of so many others from which commercial banks have been disintermediated.

Senior vice president Jay T. Simmons, who previously spent 12 years managing Citibank's North American cash management business, said, "Banks have an opportunity to reintermediate themselves in areas of commerce they have been obviated from for years. Liability-absorption and mitigation is what banks have the ability to provide."

Many commentators say security worries are hindering Internet transactions. Mr. Simmons said it comes down to lack of trust.

Certco's approach to "business-practice-driven certification," Mr. Simmons said, "provides a straightforward way for trusted third parties to provide liability-bearing certification services. Banks and other trust institutions are obvious candidates to become those trusted third parties, given their historic fiduciary and risk management roles."

"We are talking about a change in the way commerce is done, relating to the Internet," said Mr. Walton, who helped GTE sign MasterCard and American Express to its SET certificates for credit cards and later worked for the encryption hardware specialist Spyrus. "We are educating banks about a return to the basics of their business."

The message may be bank-friendly, but this will be no competitive cakewalk. Large-scale, enterprisewide data encryption systems were all the rage at the RSA Data Security Conference last month in San Francisco, which Certco used as the coming-out event for what it calls the CertAuthority Solution.

Verisign, Mr. Walton's nemesis from his GTE days (it is the preferred SET provider for Visa and Discover cards), announced at RSA with great fanfare that it had signed NationsBank Corp. to a multifaceted digital certificate contract.

Word got around that Entrust had a similarly extensive deal with Citicorp. It has not been publicly confirmed, but the two companies have been linked in a digital certificate interoperability trial sponsored by the National Automated Clearing House Association. Most leading vendors, including Certco and International Business Machines Corp., will participate in the trial.

Certco does have its share of early victories. Hewlett-Packard Co. provided a credibility boost by making Certco's technology a part of its International Cryptography Framework.

CertAuthority Solution is also the basis for the state of Utah's public key infrastructure, which underlies the administration of one of the first legislatively mandated programs to make digital signatures legally binding.

Under that Utah infrastructure, Digital Signature Trust Co., a subsidiary of Zions First National Bank of Salt Lake City, will be using CertAuthority in its trusted third-party role.

Root CertAuthority, a subset of the flagship product, was chosen for managing the crucial root keys of the MasterCard-Visa SET, the Secure Electronic Transactions standard. Certco won that contract jointly with Spyrus. They devised an intricate system of distributing fragments of encryption keys to bolster security while keeping costs manageable. There is no single point of vulnerability; the fragmentation of keys would tend to foil the much-feared attacks by insiders.

Both card associations had high praise for Root CertAuthority. MasterCard senior vice president Steve Mott called it "an ingenious solution to the complex task of managing authentication for multiple brands." His Visa counterpart, Steve Herz, said Certco was able to meet "certification authority requirements (that are) among the most demanding in the world of commerce."

The Certco-Spyrus relationship got closer last month when the companies announced that CertAuthority would be integrated with Spyrus' encryption hardware, the Lynks Privacy Card.

Mr. Walton characteristically put that arrangement in a banking context: "This agreement allows Certco to provide solutions that combine the cryptographic and technological innovations of both companies with the trust infrastructure provided by traditional banking transactions. These solutions can foster the rapid growth of global commerce while enabling financial institutions to offer a new line of secure, high-value certification services to their customers."

"We have had a lot of validation from banks," Mr. Walton said in a recent interview. "Our model rings true with the business sides of the organizations that drive information technology businesses."

"I think banks ultimately believe there is a business in being a CA," the certificate authority or trusted third party, Mr. Simmons said. "It is not just an incremental expense."

Certco comes by the banking affinity honestly, having begun with seed money from Bankers Trust. Peter C. Freund, a former Goldman, Sachs & Co. investment banker who invented Bankers Trust's credit derivatives business in 1991, is Certco's founder and chairman.

Certco grew out of a nascent electronic commerce business unit that Mr. Freund headed. Bankers Trust officially spun it out in late 1996 with $30 million in funding from the likes of the Tisch family and encryption pioneer Addison Fischer, with Goldman Sachs in the role of placement agent.

"There are abundant applications for Internet transactions," Mr. Freund said at the time. "None of these applications are grounded on a solid generic foundation. Without strong support from financial institutions acting as trusted third parties, electronic commerce cannot flourish. Certco's products are aimed at addressing that missing piece of the infrastructure."

In the accelerated passage of Internet time, Certco can claim some degree of maturity. After a methodical two-year march to its recent product unveiling, its staff size is approaching 100, and it has branched out, both conventionally and in the way of a "virtual company," with representation in Albuquerque; Cambridge, Mass.; Salt Lake City; Washington; and the United Kingdom.

The company prides itself on bringing together people of diverse backgrounds: bankers and business people like Mr. Simmons, others from legal, law enforcement, and even counterintelligence backgrounds. The company claims a higher staff concentration of cryptographers than can be found anywhere except places like Sandia National Laboratories and the National Security Agency. Some Certco people previously worked in such places.

It falls to the business and marketing types to get the message across to what Mr. Walton admitted is still a "very early adopter market."

"I am one of the few bankers who can understand and explain in English what a digital certificate is," said Mr. Simmons.

"Education is an important part of the Certco mission," Mr. Walton said. "This is a very sophisticated message, and we have a hard job ahead of us."

He credited Verisign with having "done a wonderful job educating the market about certificates and their value; we just don't agree with their business model."

Certco's root authority, he pointed out, underlies both Verisign-Visa and GTE-MasterCard transactions.

He is not shy about attacking Entrust Technologies, which stakes a claim to market leadership. He said its focus on desktop computing makes it a "client company ... we are an infrastructure company. In the high-assurance end of the market, we will be the alternative."

"This stuff is of little value unless it is connected to applications" like cash management, Mr. Walton added. He predicted certificate issuance will strongly emerge first within corporations and in business-to-business commerce.

"The business case we are advocating is not coming from the technology side, but more from the business side," he said. He described the certification competitors as "taking their shots. Their business models are evolving. But without a top-down public key infrastructure, it will be more difficult for commerce to evolve."

"Top-down" is what Certco is selling. Its primary market targets, Mr. Walton said, are the top 10 to 20 banks in the world. Certco claims that competitors, with which it is more than willing to coexist and cooperate, cannot put all the most important pieces of the puzzle together the way it can.

"The question is, 'Where do you want interoperability to occur?'" Mr. Simmons said. "We think the most efficient way to do that is with a root structure.

"Most large organizations are distributed geographically and organizationally. We don't see them wanting to establish multiple CAs. A single root allows certificates to be interoperable across domains," corporate funds transfers and consumer banking, for example.

Entrust has promoted the idea of cross-certification to ensure that any two CAs would be compatible. Mr. Simmons and Mr. Walton contended that cross-certification, though a valid step, will become impractical as CAs proliferate into tens of thousands, and Certco would have the answer in its root hierarchy.

"You will see multiple technologies in a bank," Mr. Simmons said. "Our strength is our openness."

"The power of SET is in the root system," Mr. Walton said. "One unifying root defines the SET hierarchy across brands.

"In the end, both models (root and cross-certification) will exist and must work. Our point is that a strong financial-community-sponsored root is essential for e-commerce."
