Three banks outside the United States are bolstering the security of their on-line access programs with digital certificates.
The certification decisions by Canadian Imperial Bank of Commerce, Svenska Handelsbanken of Sweden, and Ulster Bank in Ireland and Northern Ireland were announced in recent days by their respective vendors -- Verisign Inc. and Xcert International Inc. of the United States and Baltimore Technologies of Ireland and the United Kingdom.
The moves underline claims by providers of digital certificates and related public key infrastructures, or PKIs, that demand is growing for higher levels of user identification and authentication, and that the banking industry is deepening its involvement.
Though most major U.S. banks are at least experimenting with potentially large-scale PKI programs, a more rapid acceptance in other countries may explain the three banks' willingness for their digital certification plans to be disclosed.
"We are growing faster in Europe," said Tim Gage, product marketing manager of Xcert International. He said financial institutions, other corporations, and government agencies in several countries face mandates to comply with digital signature laws that will require issuance of the electronic certificate credentials eventually to millions of customers.
"They are using that to drive electronic commerce," Mr. Gage said, noting that e-commerce got off to a fast start in the United States before certification issues were so fully addressed.
To be sure, these vendors and competitors such as Entrust Technologies Inc., GTE Corp.'s Cybertrust unit, and Digital Signature Trust Co. have U.S. bank customers. They have paired off with institutions such as Citigroup, Chase Manhattan Corp., and Bank of America Corp. in a pilot sponsored by the National Automated Clearing House Association, and in the multinational joint venture Identrus.
Xcert and Digital Signature Trust, which is owned by Zions Bancorp. of Salt Lake City, are playing central roles in ABAecom, the American Bankers Association spinoff that is encouraging banks to become certificate authorities. Xcert contends that the issuance and management of on-line credentials are extensions of the banks' historic "trusted third party" function.
But more digital certificate news is being generated abroad. Entrust, a spinoff of Nortel Networks of Canada that is publicly owned and based in Plano, Tex., is credited with the biggest certificate authority, or CA, infrastructure in banking to date -- an effort with Bank of Nova Scotia in Canada, now up to 150,000 issued certificates.
Entrust said a few weeks ago that Bank of Bermuda had purchased its system for a CA strategy with international ambitions.
Svenska Handelsbanken began testing Xcert's Sentry CA software last year and has since issued 130,000 certificates to customers. Now apparently the European banking leader in this category, it allowed Walnut Creek, Calif.-based Xcert to take the news public.
"We hope to announce another European banking customer soon," Mr. Gage said, implying that it will be an even bigger deal. Xcert announced in May that the German transaction processor Telecash had chosen its PKI technology in preparation for a digital signature system that could scale up to tens of millions of certificates.
Processing speed and scalability have been among Xcert's most strongly asserted marketing claims. National or international public key infrastructures, such as the business-to-business network envisioned by Identrus of New York, would call for millions of certificates. That is uncharted territory for organizations that must manage and maintain the PKI hierarchies as well as computing systems capable of dealing with complex data encryption algorithms. There are also matters of standardization and interoperability to be addressed.
Mr. Gage said Xcert has undergone performance testing for 250,000 users and "our eye is on millions or multimillions of users."
Xcert also prides itself on its ability to interoperate with any other provider's PKI, and on on-line status-checking of certificates that does away with the need for cumbersome certificate revocation lists.
Aside from its Svenska Handelsbanken announcement, Xcert said it has been in a pilot for three months with PSINet, an Internet service provider with 10,000 business users; and has been chosen by Group Telecom of Vancouver, Canada, for a certificate service bureau operation, gtTrust netGuardian, that has as its first big customer a 57,000-member association of real estate agents.
Exhibiting further momentum, the 100-employee Xcert organization added the network security vendor Aventail Corp. and the Surety.com Digital Notary Service to the more than 20 other allies in its OpenXchange Partner Program.
Scalability challenges have certainly not daunted Xcert's larger rivals. Verisign scored a coup in the Entrust-Bank of Nova Scotia backyard with its deal with Canada's largest bank.
Canadian Imperial Bank of Commerce was designated the "preferred Verisign financial affiliate" for Canada. CIBC plans to rely on the Mountain View, Calif., company's technology for a full range of certificate registration, issuance, and authentication services to Canadian companies, Internet businesses, and consumers.
The Toronto bank will start with a Web server system to assure visitors that a given site is authentic; and with enterprise certificate services to control and secure access by employees and business partners to intranets and extranets.
CIBC's approach is in keeping with widely held assumptions that simple applications such as Web site authentication -- ABAecom's first product -- and internal and business-to-business services will materialize first. "Consumer certificate services will later be added to meet market demand," CIBC said in a press release.
"Digital certificates are becoming the standard e-commerce security product of the future," said CIBC senior executive vice president Brian Cassidy. "We have been providing Canadians with the ability to conduct private and secure financial transactions for 130 years, and we see Internet trust services using digital certificates as a logical extension of our service offering."
Baltimore Technologies extended its string of successes -- it has dealings with Deutsche Bank, Identrus, and the European Union, among others -- to Ulster Bank. The subsidiary of London-based Natwest Group is building certificates into its Anytime on-line services to businesses and individuals.
"The security features of Anytime banking will ensure that no one can tamper with customer transactions and that no one can forge their identity to access their account, building confidence and trust in the service," said John McNally, Ulster Bank's chief executive of retail.
The bank purchased Baltimore's Unicert CA software and cryptographic tool kits that include encryption technologies licensed from RSA Data Security Inc. of San Mateo, Calif., which are common in other vendors' packages as well.
"Ulster Bank recognized the benefits of moving business on-line and realized that without a security infrastructure this would not be feasible," said Aidan Gallagher, Baltimore's executive vice president of global business development. With PKI technology, the bank "is enhancing its service delivery while optimizing its relationship with customers."
