Electronic Commerce: Certificate Server Product Faces Real-World Test

A Canadian company touting a simplified approach to electronic commerce security is submitting it to market judgment for the first time.

Three years old but under its current management and strategic focus only since last fall, Diversinet Corp. launched its first major product last week.

It is called Passport Certificate Server and is advertised with words like "flexibility, ease of use, scalability, total privacy, anonymity, and cost efficiency."

Now Diversinet faces the tall order of delivering on all that. It is sure to attract notice if only because these qualities, widely demanded and frequently promised, remain elusive in a market still struggling to fulfill mass-market expectations.

Diversinet, which has offices in Toronto and San Jose, Calif., is directly attacking the complexity of data encryption technologies and public key infrastructures, or PKIs.

"Putting a PKI in place can be quite overwhelming and cumbersome," Mona Doss, director of marketing and sales, said in the product announcement. "Diversinet has developed a design that flows, that is not only easier to implement but also easier to manage, without compromising security."

Functionally, Diversinet offers the now-standard certificate-based authentication of buyers, sellers, and intermediaries on electronic networks.

Contrasting itself with more established vendors like Verisign Inc. or Entrust Technologies Inc., Diversinet emphasizes efficiencies and economies that it says can lower costs, speed the certification process, and maybe even improve overall security.

"We say, 'let's make it simple,'" said Nagy Moustafa, Diversinet's president and chief executive officer since last October. "We use 128-bit cryptography," by all accounts very tough, if not impossible, to break, "and elliptic curve cryptography for fast response."

For access to elliptic curve cryptography, which reaches comparable security with shorter keys and so requires less computing power than the standard public key methods, Diversinet announced a licensing agreement in March with Certicom Corp., also of Canada and Silicon Valley.

"Together our technologies will enable the next generation of secure, high-speed electronic commerce," Certicom executive vice president Rick Dalmazzi said at the time.

Once viewed as mavericks, Certicom and its elliptic curve technology are gaining credibility that could rub off on Diversinet. Certicom's growing list of licensees includes Motorola, Schlumberger, and Verifone.

Rapid processing in small or constrained settings, like smart cards or wireless phones, is Certicom's selling point. Mr. Moustafa claims his product can store and process a digital certificate in a fraction of the memory required by other companies' products.

Mr. Moustafa hopes other contacts will "open doors" for Diversinet, notably a board that includes cryptography pioneer and Netscape Communications Corp. chief scientist Taher Elgamal; Microsoft Network's Canadian general manager, Ken Nickerson; and Frank Clegg, a Microsoft Corp. vice president.

"We want to be a product company and partner with system integrators and technology companies like Spyrus and Certicom," Mr. Moustafa said in a recent interview.

The certificate server came first, on schedule, the CEO emphasized, along with a tool kit for system developers. On the way is a Permit Server to perform an authorization function that allows Diversinet to simplify the certificate structure.

The certificates are smaller than competitors' because they carry little personal information and, Mr. Moustafa said, sidestep expiration and revocation management: "privileges" are kept separate from the certificate in permits, which can be issued, even for very specific or single uses, without changing or revoking the underlying certificate.

"A bank can issue a unique ID to a customer, but Sears may want to issue a permit," Mr. Moustafa said. "For this you only need one certificate," which might address some critics' concerns about people's ability to keep track of many different certificates.

A home banking provider, he said, can issue a customer any number of permits reflecting any necessary rules and restrictions for access to various accounts. Transactions may also be digitally signed to guarantee authenticity.
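The certificate-plus-permit split described above, as an added example that is not Diversinet's code or format: a long-lived identity certificate carries only a subject ID and a public key signed by the CA, while each relying party issues its own short-lived permits bound to that certificate's key fingerprint, carrying the scope and expiry. Ed25519 from Go's standard library stands in for the Certicom elliptic curve implementation, the JSON layouts, the scope strings and the sample transaction are all assumptions made for illustration, and the verifier shows why a lapsed or wrong-scope permit is rejected while the certificate itself never needs to change.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Cert is a hypothetical minimal identity certificate: subject ID and public
// key signed by the CA, with no privileges and no expiry (illustrative only).
type Cert struct {
	Subject string `json:"subject"`
	PubKey  []byte `json:"pubkey"`
	Sig     []byte `json:"sig,omitempty"` // CA signature over the rest
}

// Permit is a hypothetical authorization bound to one certificate by the
// SHA-256 fingerprint of its key; scope and expiry live here, not in the cert.
type Permit struct {
	CertFP  string    `json:"cert_fp"`
	Scope   string    `json:"scope"`
	Expires time.Time `json:"expires"`
	Sig     []byte    `json:"sig,omitempty"` // relying-party signature over the rest
}

// tbs returns the to-be-signed bytes: JSON with the signature field cleared.
// Struct field order fixes the encoding, so signer and verifier agree.
func tbs(v interface{}) []byte {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err) // only reachable with an unmarshalable type
	}
	return b
}

func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// IssueCert is the certificate server's one-time step per subject.
func IssueCert(ca ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Cert {
	c := Cert{Subject: subject, PubKey: pub}
	c.Sig = ed25519.Sign(ca, tbs(c))
	return c
}

// IssuePermit is the relying party's step, repeatable per scope and lifetime.
func IssuePermit(rp ed25519.PrivateKey, c Cert, scope string, now time.Time, ttl time.Duration) Permit {
	p := Permit{CertFP: Fingerprint(c.PubKey), Scope: scope, Expires: now.Add(ttl)}
	p.Sig = ed25519.Sign(rp, tbs(p))
	return p
}

// Authorize accepts a signed transaction only if the cert carries a valid CA
// signature, the permit is bound to that cert, signed by the relying party,
// unexpired and for the requested scope, and the subject's key signed txn.
func Authorize(caPub, rpPub ed25519.PublicKey, c Cert, p Permit, scope string, now time.Time, txn, txnSig []byte) error {
	uc := c
	uc.Sig = nil
	if !ed25519.Verify(caPub, tbs(uc), c.Sig) {
		return errors.New("certificate: bad CA signature")
	}
	if p.CertFP != Fingerprint(c.PubKey) {
		return errors.New("permit: not bound to this certificate")
	}
	up := p
	up.Sig = nil
	if !ed25519.Verify(rpPub, tbs(up), p.Sig) {
		return errors.New("permit: bad relying-party signature")
	}
	if p.Scope != scope {
		return fmt.Errorf("permit: scope %q does not cover %q", p.Scope, scope)
	}
	if !now.Before(p.Expires) {
		return errors.New("permit: expired")
	}
	if !ed25519.Verify(ed25519.PublicKey(c.PubKey), txn, txnSig) {
		return errors.New("transaction: bad subject signature")
	}
	return nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	rpPub, rpPriv, _ := ed25519.GenerateKey(rand.Reader)
	custPub, custPriv, _ := ed25519.GenerateKey(rand.Reader)

	cert := IssueCert(caPriv, "customer-0042", custPub) // constructed sample subject
	now := time.Now()
	permit := IssuePermit(rpPriv, cert, "account:checking:view", now, time.Hour)
	txn := []byte(`{"op":"view","account":"checking"}`) // constructed sample transaction
	sig := ed25519.Sign(custPriv, txn)

	fmt.Println("in scope:   ", Authorize(caPub, rpPub, cert, permit, "account:checking:view", now, txn, sig))
	fmt.Println("wrong scope:", Authorize(caPub, rpPub, cert, permit, "account:checking:transfer", now, txn, sig))
	fmt.Println("expired:    ", Authorize(caPub, rpPub, cert, permit, "account:checking:view", now.Add(2*time.Hour), txn, sig))
}
```

The design point is in Authorize: the certificate check is a single static signature, and everything that can lapse or be withdrawn (scope, expiry, the relying party's own authority) is checked on the permit, which is cheap to reissue. What this does not solve, and what the Svigals criticism below is about, is binding the certificate to a real person in the first place; that still happens at issuance, outside this code.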

Diversinet's other marketing directions include network access control and business-to-business commerce.

Jerome Svigals, a smart card and digital security expert based in Redwood City, Calif., offered the same criticism he has hurled at other vendors: There is not enough assurance that the certificate holder is genuine. "I would be suspect until they prove they have positive control over certificate issue and acceptance," he said.

Mr. Moustafa said that must be addressed by an "implementation policy." The PIN-private key process "should tie the ID to that person," he said.

"Flexibility and simplicity in implementing a certificate authority is important, and it is increasingly complex," he added. "We want to simplify it."

Source: American Banker.