Certco Inc. has added a powerful validation component to its digital trust technology.
The New York data security company, a spinoff of the former Bankers Trust Corp., introduced CertValidator, a system that assures the validity of a digital certificate presented in an electronic commerce transaction.
Certificate validation has become a critical issue -- for some, a stumbling-block -- in attempts to complete the construction of Internet commerce infrastructures.
In the digital equivalent of the printed credit card "hot lists" of the 1960s and 1970s, an on-line seller might have to consult an unwieldy certificate revocation list, or CRL, to see if a presented credential expired or was revoked. CRLs are widely considered unworkable for large-volume networks that put a premium on speed. A leading alternative is OCSP -- the on-line certificate status protocol -- on which CertValidator is built.
Vendors of public key encryption and digital certificate technologies have taken steps to accommodate non-CRL options like OCSP. Xcert International Inc. of Walnut Creek, Calif., has explicitly avoided CRLs because it views on-line, real-time status checking as essential. One company specializing in validation methods and related support services, Valicert Inc. of Mountain View, Calif., has raised consciousness about the issue with its own technology, certificate revocation trees, as well as OCSP.
Certco differs from Valicert's Validation Authority offering, said Certco senior vice president Jay Simmons, in that it integrates a secure OCSP data repository with the "responder" function.
Yosi Amram, president of Valicert, said, "I and Valicert welcome the entry of Certco into the validation space.
"This helps to further legitimize the business need" and reinforces "a message that Valicert has been conveying to the market for over two years."
Calling CertValidator "the second leg of a product offering" that began with certificate authority systems, Mr. Simmons said, "We believe it will be necessary to know who issued a certificate and to get a positive response that it has been issued."
Among the key benefits would be nonrepudation. A buyer of goods, for example, would be unable to claim improperly or fraudulently after the fact that the transaction did not occur.
In keeping with open interoperability principles, CertValidator can store and manage certificates, CRLs, and status data from all major certificate authority vendors. The president of one of them, Peter Hussey of GTE Corp.'s Cybertrust unit, said the program fits well with its "secure extranet" offerings. "This powerful technology not only gives our customers a flexible option for accelerating their business-to-business e-commerce activities," Mr. Hussey said, "but it also makes them more secure."
"Real-time validation capability within and across public key infrastructures is critical for businesses that intend to engage in high-value e-business transactions via the Internet," said Diana Kelley, senior security analyst with Hurwitz Group Inc. "OCSP support and multivendor interoperability are features that the market should demand."
Richard Salz, the architect of CertValidator, said the system's foundations in standards such as OCSP and LDAP (lightweight directory access protocol) and certification for meeting high-level Federal Information Processing Standards contribute to the all-important flexibility and scalability requirements sought by customers.
Included on a long list of CertValidator operational features are hardware-based data encryption and key storage, tamper-proofing, audit trails, and two trademarked ideas, Fast-Path Revocation and Fast-Path Suspension. The former occurs much faster than the hours or days that a CRL system might take. With the latter, a hold can be placed on a certificate in a critical situation, then quickly lifted to return it to valid status.
Meridien Research senior analyst Octavio Marenzi said OCSP responders and repositories can meet the instantaneous information needs of trading partners only if they are "highly secure, fully interoperable, and scalable. All (those) characteristics appear to be present" in CertValidator.
Certco president and chief executive officer John Herron said CertValidator is an "industrial-strength implementation of OCSP," resulting from the company's mix of skills in such areas as cryptography, banking, law, software, and risk management.
"Many of our technical advantages are simple in design yet sophisticated in concept, the product of engineers and others who know a lot more than just technology," Mr. Herron said.
Mr. Simmons said the system is not only designed "as a secure repository for managing certificate life cycles across multiple certificate authorities," but also is well suited for "the Identrus model" -- a certificate infrastructure that requires multiple participating banks to be in sync with validation.
Certco, in fact, was instrumental in the formation last year of Identrus LLC, a multinational business-to-business trust consortium that included among the founders Bankers Trust and its Germany-based acquirer, Deutsche Bank.
Mr. Simmons said he views Identrus as one of the likely sparks to growth in commercial use of public key encryption technologies in the coming year. "Y2K will be behind us, and we see the banks moving very aggressively," he said.
Certco relinquished its shareholder position in Identrus to compete on an even footing for the banks' business. A rival, Baltimore Technologies, was designated root-key supplier for the pilot phase, and Valicert won a role for its validation tools.
Mr. Amram described CertValidator as "effectively an OCSP responder product," whereas his company, Valicert, is already into a "third generation" with a multipronged strategy including a server that supports all protocols and a third-party validation authority service.
"OCSP is a key component of Identrus' risk management strategy," said the consortium's chief operations and technology officer, Kristin Kupres. "It's great to see Certco respond to the need for real-time digital certificate validation by advancing this important standard."
MOUNTAIN VIEW, Calif. -- The Validation technology supplier Valicert Inc. said it has obtained $23 million in a mezzanine round of venture capital financing.
Leading the investment group was Lucent Venture Partners, an arm of Lucent Technologies. Other members included Canadian Imperial Bank of Commerce, Financial Technology Ventures, First Analysis, France Telecom, Gemplus, Korea Technology Banking, Mitsui, and Thomson-CSF Ventures.
This money came on top of $7 million last year from August Capital, Bessemer Venture Partners, Draper Fisher Jurvetson, Intel, and U.S. Venture Partners, all of which were also in the mezzanine round.
"This round of funding will enable Valicert to greatly extend the availability of its Validation Authority solutions, allowing companies around the world to securely conduct business transactions over the Internet," said Jean-Michel Barbier, president of Thomson-CSF Ventures, the investment unit of the French technology company.
Valicert president and chief executive officer Yosi Amram said he is "excited at the breadth and diversity of our new investor syndicate. We expect their financial, technology, and distribution experience to play a critical role as we continue to add value to our business."