Hoping to put some added momentum behind its digital certification tool, Valicert Inc. is offering its customers more options at a lower price.
Free, to be exact.
The Palo Alto, Calif., company announced the release last week of version 2.0 of its tool kit, which software developers can use to test for certificate revocation within electronic commerce programs.
Valicert contends that digital certificates, the electronic credentials that can verify buyers' and sellers' identities on the Internet, will reach their potential only if accompanied by a highly effective means of ascertaining that a given certificate has not expired or otherwise been revoked.
By giving away its software-it can be downloaded from the valicert.com Web site-Valicert is following a high-tech precept for stimulating market development. That could lead to sales of higher-end products for implementing certificate validation. "Getting the tool kit out develops ubiquity and a PKI," or public key infrastructure, Yosi Amram, the company's president and chief executive officer, said in an interview.
In theory, as on-line commerce and associated certificate volumes expand, system operators would then want to buy the high performance levels of Valicert's server system. Or a company validating certificates across business units might turn to Valicert's service bureau.
While the free distribution may be the main attention-grabber, Valicert may be making an even more significant gesture by rendering its tool kit "universal." It will support any validation protocol and not just the "certificate revocation tree" that Valicert champions.
The 2.0 tool kit thus will accommodate certificate revocation lists, or CRLs, which Valicert has dismissed as a slow legacy technology that will not stand up to the stresses of high-volume commerce. Valicert will also support OCSB, the On-line Certificate Status Protocol, being developed under the auspices of the Internet Engineering Task Force.
Any application developer, whether working on secure virtual private networks or the MasterCard-Visa SET payment protocol, "can use our tool kit to check the validity of any certificate, regardless of the platform they support," Mr. Amram said.
The openness "reflects our ongoing commitment to meeting developers' needs today and in the future for multiple validation and revocation technologies," the Valicert CEO added.
Mr. Amram said legacy systems will have a "clear migration path" to certificate revocation trees or beyond. He views the more elaborate OCSB as "right for high-value financial transactions" such as wholesale wire transfers, where people will be willing to pay a price, including a delay in response time, for a desired level of assurance.
"We have a system of roads that support Ferraris, Chevys, and buggies," he said. "For validation we need the equivalent. For some very high percentage of transactions-I don't know if it is 92%, 95%, 98%-certificate revocation tree is right."
Mr. Amram said market feedback since Valicert started selling its systems last year was favorable, but there was reluctance to "get on the bandwagon of a proprietary solution. "Now anyone has an easy, free, no-risk tool that is open and universal, supporting any protocol."
"Any tool kit has to embrace whatever method is being embraced by the marketplace for revocation management," said Victor Wheatman, an analyst with the Gartner Group of Stamford, Conn. "Valicert is continuing and extending its strategy of addressing revocation management, and the addition of protocols is appropriate."
The move won praise from the Financial Services Technology Consortium, the cooperative research organization of major U.S. banking companies. FSTC president Adam Backenroth of Chase Manhattan Corp. said it "demonstrates the true interoperability that is crucial for the global adoption of electronic commerce in the banking and financial services industry."
