Digital Certificate Role Impressing Itself on Banks

The digital-certificate drumbeat is growing louder as people in the data security industry-and at least a few bankers-become more and more convinced that they can sell trust at a profit on the Internet.

If market research is to be believed, as much as $2 billion of revenues will be up for grabs next year as electronic commerce goes into higher gear and buyers and sellers seek the security and privacy assurances promised by on-line certification techniques.

It is not just money-hungry system vendors who say that banks are in an ideal position to fill this void. There is much talk that this new business could help the banks reclaim intermediary functions that previous technologies conspired to take away, though nonbank competition is also hot on the trail.

The best outcome for banks could be a "back to the future" movement, said New York Federal Reserve Bank official Paul Raines. The market is looking for the kinds of assurances that banks historically gave in establishing trust and completing transactions-whether in the days of bank-issued private money or with modern wire transfers or letters of credit.

"We are in a new era of Internet banking, a brave new world," Mr. Raines said. "But in essence, it harks back to a previous era. Only the medium has changed."

Digital certificates, an offshoot of data encryption technology, are long strings of computerized data that establish credentials analogous to driver's licenses or passports. Exchanges of certificates yield digital signatures, codes that vouch for the uniqueness and integrity of a transaction.

Banks could issue "certs" as they do credit cards. They and other certificate authorities, or CAs, could conceivably form authorization networks similar to those in the card industry, and some such steps are already being taken.

"For the first time, I see financial institutions putting major budget dollars aside for these efforts," said Walter Taylor, a longtime Citibank executive who has spent the last year as financial industry director of GTE Cybertrust, one of the top certificate technology vendors.

"They are pressured by competition and by their customers' moving out into the Internet space," he said. "They want new revenue and can compete globally to get it."

Yet even as the banks-as-certifiers argument wins adherents and budget commitments, another recurrent theme threatens to drown it out. The technology is challenging, both in itself and because of a lack of standardization. System providers have a sense of realism and urgency about that.

"Public key cryptography has been around for a long time, and it might accurately have been described as a solution looking for a problem," said D. James Bidzos, president and chief executive officer of RSA Data Security Inc., the leader in the data encryption industry.

Only recently has the problem-on-line commerce-presented itself, said Mr. Bidzos, and the assurance business is, accordingly, less mature than the enabling technologies.

"We have more to do to make this technology real, ubiquitous, and easy to deploy," said Charles R. Stuckey Jr., chairman, president, and chief executive officer of Security Dynamics Technologies Inc., RSA's parent and one of a host of companies assembling system and support packages to address the shortcomings.

"A lot of noses have been bloodied in implementation," said Yosi Amram, president and CEO of Valicert Inc., which offers a technique for validating digital certificates in the authorization process. "This is not shrink-wrapped technology. All of us are working to improve that."

"There is clearly a lot of frustration," said Philip C. Deck, chairman and CEO of Certicom Corp., a Canadian-owned company touting the elliptic curve form of cryptography as an alternative to the more established RSA algorithms, particularly for smart cards and portable computing devices. "We have heard that some people who bought PKIs later wondered why they did," he said.

PKIs, or public key infrastructures, are the technological underpinnings of potentially large-scale digital certificate operations.

Sue Pontius, chief executive officer of Spyrus in Santa Clara, Calif., said certificate services, even as they gain acceptance, address only part of the "high assurance" spectrum that Spyrus, Security Dynamics, Certco Inc., and others are trying to cover with a broad range of hardware, software, and consulting assistance.

"High assurance means not just issuing certificates but doing something meaningful with them," Ms. Pontius said.

The current soundings from the banking sector-at least among an elite group of sizable institutions that can afford to invest and experiment-are of a can-do nature.

"The Internet is not incidental to the future of banks-it is going to be critical to it," said Peter Freund, chairman of Certco, a New York-based company that sells public key encryption infrastructures.

Realizing the potential of "seamless, frictionless, ... anyone-to-anyone" commerce on the Net requires guarantees or assurances from "somebody with long-standing, pre-existing relationships with companies," Mr. Freund said, obviously pointing in the direction of banks.

Certco, which Mr. Freund, a credit derivatives pioneer, founded, is a spinoff of Bankers Trust Corp. It is also co-owner and lead technology provider of the global trust organization, a joint venture of Bankers Trust and seven other multinational institutions that exemplifies how some banks are working to keep the certification opportunity from slipping away.

The global trust organization, still in a formative stage and known as GTO, is focused on business-to-business commerce and expects to distribute smart cards for storing individuals' certificates of authenticity.

The GTO is "proof positive that the banks think they need a PKI to make the business work," said John Ryan, president and CEO of Entrust Technologies Inc. of Richardson, Tex., which has captured about half the PKI market.

"This is real-people want to get PKIs up and get going," Mr. Ryan said.

Security First Network Bank of Atlanta, the renowned "first Internet bank" that was acquired last year by Royal Bank of Canada, has embraced digital certification. It is the first bank to sign up with Equifax Inc.'s new service bureau for certificate operations, which offers one of the ways banks can take the plunge.

"PKI deployment is tough," said Jeffrey Johnson, general manager of the Equifax Secure division. "Some big banks might want to do it in their back rooms, but many will not."

He said most selling of the technology to date has been to "the technology sides of banks, but it is the business sides that want to be the trusted third parties. I am selling to the business side. It wants to set rules but not do the mechanics of it."

Verisign Inc., a competitor of GTE and Entrust and close ally of RSA and Security Dynamics, also reports banking industry progress. BankAmerica Corp. and Barclays Bank of London-two other GTO founders-are among its major customers. But so are nonbanks like E-Trade Group and Morgan Stanley Dean Witter & Co. (which took Verisign public last year), pointing up the fast-moving, broadly competitive nature of this young market.

Microsoft Corp. and Netscape Communications Corp., having built certificate technologies into their on-line commerce systems, are also becoming forces to reckon with.

Netscape disclosed last week at RSA '99, a premier international conference sponsored by RSA Data Security Inc. of San Mateo, Calif., that it has deployed directory servers, a foundation of its Certificate Management System, to more than 50 million computer workstations, or "seats."

Within that package is Certificate Server 1.0, with which BC Tel of Canada is offering to authenticate customers receiving and paying bills electronically, and which Lehman Brothers is using to secure high-net-worth investors' access to on-line analytical and research information.

Netscape said Bell Atlantic will use its technology in offering electronic bill presentment to 25 million customers, which should awaken any remaining skeptics in the banking industry to how fast that service might spread, with or without banks' direct involvement.

In the "back to the future" mode of Mr. Raines, some bankers are acting on the belief that they have a trust foundation on which to build a competitive response.

In 1998, when the American Bankers Association formed ABAecom to offer root certificate services to banks and other financial companies, it said the role was of a piece with its administration of check transit/routing numbers, credit card account numbers, and the Cusip numbering system for securities.

A premise of ABAecom, much like the global trust organization, is that some degree of standardization encourages both efficiency and competition, and that banks are uniquely qualified to set some rules.

"Banks really sell two products, money and trust," said Steve Katz, chief information security officer of Citigroup Inc., another GTO partner and an Entrust customer. "If you don't have the trust component, you don't have the money component."

Like Mr. Freund and Mr. Raines, Mr. Katz was a speaker last week at RSA '99. Such bank-connected people's presence among the 5,000 in attendance spoke to their industry's increasing prominence and potential influence in the certificate market and in the wider PKI field.

"The days of password identification and link encryptors are over," said Mr. Katz, referring to earlier and still-prevalent security techniques that are viewed as inadequate for full-scale Internet commerce. "We have to have certainty of who is at both ends of the line."

Thanks in part to the banks, "it is starting to come together," said Mr. Bidzos of RSA. "The infrastructure issue is a big one."

"For privacy, prevention of unauthorized use, and nonrepudiation, the answer is PKI," Mr. Katz said. "Implementability, operability, and pitchability are essential. Like in the early days of personal computers, we have to put together an 'Erector Set'" to connect the many pieces of PKIs.

Few observers doubt the capabilities of the technologies, the resourcefulness of the vendors, even the likelihood that they will coalesce on standardization to create credit card-like openness and interoperability. But to some, banks' winning is no sure thing.

William Powar, a former Visa International executive who heads a Silicon Valley consulting firm, Venture Architects, said, "Does a digital certificate service fit logically into what bankers do? Yes." But he said that, except for institutions with well-developed trading or risk management mentalities, including investment banks and Mr. Freund's colleagues at Bankers Trust Corp., few have the "skill sets" or the will to go after the business.

"There are only eight to 10 big banks staking out positions," said Steve Mott, a former MasterCard International executive who has formed a Connecticut-based electronic commerce consultancy, BetterBuyDesign.com. For all their trust and payment-system advantages, he warned, banks "are not going to be automatically anointed for the first generation of PKI."

"Brokers are getting in fast. And companies like Microsoft, Intel, and Compaq are building certificates, biometrics, and other things into their systems," Mr. Mott said. "Unless something comes out of the financial services industry pretty soon that I don't see, those others could be a lot more powerful."

Mr. Johnson of Equifax said certification might gain momentum faster in the health care field or other parts of the e-commerce community-the Internet auction site eBay was Equifax Secure's first announced customer this month-than in banking.

But at GTE Cybertrust, "we still see the financial industry leading this in the United States," said Tom Carty, vice president of business strategy. "They have the customers and the need to authenticate."

"I know there is some skepticism," said Jay Simmons, a veteran cash management banker who is now senior vice president of Certco. "But if you go back 20 or 30 years, nobody thought Visa would ever be what it is today."

Others see a parallel in automated teller machines, which took 20 years to gain majority public acceptance. But 20 years is an eternity in Internet time.

Mr. Simmons said he sees lessons in the way Visa's first chief executive officer, Dee Hock, rallied the entire banking industry around a new electronic payments infrastructure. Despite Certco's focus on the biggest banks and on the very top of the developing hierarchy of digital certification, Mr. Simmons said there is no reason for smaller financial institutions to be frozen out-"if we can make it easy" through standards, implementation packages, and service bureaus.

"There is impetus for even the smallest banks to provide their smallest customers access to a global network with digital signatures," he said. But he conceded that the steps to that end will be many and incremental, beginning with the GTO effort and other building blocks of infrastructure that will require collective action in order to keep costs down.

"A lot of my energy this year will be on educating the community banks," said Tom Greco, president of ABAecom, which relies for technology on PKI vendor Xcert International Inc. and Digital Signature Trust Co., an affiliate of Zions Bancorp. of Salt Lake City. "I see tremendous opportunities there."

"In some areas, smaller banks are able to move quicker," said Mr. Taylor of GTE Cybertrust. "They have fewer decision-making obstacles."

Mr. Raines, a history buff, invoked a piece of Civil War strategy: When Robert E. Lee first took command of the Confederate army, his aggressive cavalry commander, Jeb Stuart, wanted to attack quickly because the Union army was in some disarray.

The Federal Reserve Bank of New York's vice president for electronic security was speaking specifically about Valicert's validation technology, saying, "it is better to check the status of a certificate up-front" in an electronic transaction. But the point about pouncing could just as easily be applicable to banks' current state of certificate readiness.

"The economic consequences of the everyone-to-everyone commerce model are enormous," said Mr. Freund of Certco. "The current situation only tantalizes us."

Optimistic that the banking industry can make the difference, he said, "The Internet will be transformed by the development of bank-based, bank-centered PKI."
