Digital Certificates Catch On with Securities Firms

The digital certificate method of verifying on-line identities, though being marketed heavily to banks, is making rapid headway in the securities industry.

But banks can take some credit for the nonbank progress.

ABAecom, the American Bankers Association's digital certificate subsidiary, and Digital Signature Trust Co., its technology supplier and a subsidiary of Zions First National Bank of Salt Lake City, played key roles in a recently completed certification pilot sponsored by the Securities Industry Association.

The project, running from October through December, was a "proof of concept" similar to a recently concluded test by several banks and the National Automated Clearing House Association. The objective was to show that electronic credentials issued by different certificate authorities, or CAs, could interoperate.

In the SIA test, as many as 20 securities firms experimentally issued certificates for e-mail communications among participating employees.

Fulfilling an offer from ABAecom, which is offering to be the top of the certificate hierarchy (the root CA) for all types of financial companies, Digital Signature Trust served as the root for the brokers' SIRCA program, the Securities Industry Root Certificate Authority.

Digital Signature Trust, known as DST, signed the certificate requests coming from the participating firms and demonstrated interoperability among the various public key infrastructure vendors. DST was also the CA servicer for two of the brokerages and provided the registration of certificates in collaboration with the National Association of Securities Dealers.

The alternative to the unified root structure would be "for each securities firm to issue certificates to each individual" being authenticated, said DST president and chief executive officer Scott Lowry. "Each individual would have multiple certificates," in keeping with the number of firms being used.

"Industrywide use of digital certificates, whether in securities, banking, or any other industry, not only enhances trust and security when making on-line transactions, but also eliminates cost-prohibitive and time-consuming measures needed to address policy and technology interoperability," Mr. Lowry said.

"Digital signatures are still a relatively new technology," but the work with DST helped "validate the concept of an industrywide CA for the securities industry," said Mark Sanders, director of internal consulting for private client architecture at Merrill Lynch & Co. and a SIRCA subcommittee chairman.

"Our ultimate goal is to establish an industrywide utility to create trust using digital certificates."

In fact, the securities and mutual fund industries have been in the forefront of the certificate movement. Ahead of all financial companies, Liberty Financial Cos. of Boston two years ago began issuing the digital credentials to on-line mutual fund clients. The program was limited but it reflected a desire among nonbanks to strengthen customer relationships through a greater degree of personalization, assuring communications security in the process.

More recently, securities industry leaders have gone the more common route of testing the certificate waters internally. Morgan Stanley Dean Witter & Co. late last year said it would issue certificates supplied by Verisign Inc. to as many as 15,000 people, initially for secure electronic mail.

An executive of Cybersafe Corp. of Issaquah, Wash., attending this week's (1/18) RSA Data Security Conference in San Jose, Calif., said one of his company's brokerage customers is deploying certificates to 30,000 users worldwide for secure log-ons. (The firm has not consented to have its name released.)

Also at the RSA show, Digital Signature Trust announced what it called an Internet first: a system based on public key encryption technology that allows eligible investors to buy and sell stock directly from a corporate Web site.

The first transaction, a sale of Home Depot stock from the company's Web site, took place Dec. 28 using the StockClick system of StockPower Inc., San Francisco. StockPower serves as the certificate authority for customer authentication. DST is the CMA, or certificate manufacturing authority, and in that outsourcing role has produced more than 100,000 certificates to date.

Verisign, one of DST's larger outsourcing competitors, made a bank-centered brokerage announcement at the RSA conference. It said Barclays Bank of London had chosen Verisign Onsite (the same service backing Morgan Stanley's certificate program, another at First Union Corp., and more than 200 other customers) for Barclays Stockbrokers customers.

Subscribers to the Internet service would present Barclays-branded certificates when logging on. This would give them access to stock prices and trading services. Verisign said the $400 billion-asset Barclays also plans to use Onsite for internal e-mail and intranet access.

"We immediately established a complete trust services utility at a cost far less than building our own solution in-house," said Barclays senior security consultant Terry Brookman.
