With an assist from Intel Corp., Valicert Inc.'s digital certificate technology has taken a credibility-enhancing leap.
Valicert said Monday that its software for validating authentication credentials in electronic commerce is compatible with a widely supported technical standard, CDSA.
Intel-the computer chip manufacturer, champion of CDSA, and an investor in Valicert-concurrently said it will incorporate Valicert's Certificate Validation Module into its documentation for technology licensees.
This ensures visibility for Valicert if not quite guaranteeing a full market embrace. Valicert and the digital certificate community it hopes to complement have been struggling to enter a mass-market mainstream, the credit card industry's Secure Electronic Transactions protocol exemplifying a failure to live up to early expectations.
Formed two years ago on the premise that its validation system would be crucial to acceptance of digital certificates in on-line transactions, Valicert sought to be as open and compatible as possible with common standards.
Valicert wants to duplicate in electronic commerce the universality of credit cards by validating certificates whether in on-line banking or stock trading, in electronic mail or electronic data interchange, and regardless of security platform or certificate vendor.
The Palo Alto, Calif., company contends that without a powerful and efficient means of determining whether a given certificate hasn't expired or been revoked, Internet commerce will remain slow, unreliable, and uninviting.
Hoping to stimulate experimentation and acceptance, Valicert in April released version 2.0 of its tool kit, making its software free to system developers.
Now the company has plugged a big hole by introducing a "plug-in" for CDSA, the Common Data Security Architecture.
It got a strong endorsement from Michael Glancy, general manager of Intel's platform security division: "We expect Valicert's Certificate Validation Module to enhance interoperable, secure Internet commerce applications across multiple platforms."
Version 2.0 of CDSA, originally a product of the Intel Architecture Labs, was declared an official standard early this year by the Open Group, a consortium intent on creating highly accessible and secure methods of electronic commerce.
CDSA was designed to accommodate numerous variations and choices in data encryption and related public key infrastructures. Its supporters included Hewlett-Packard Co., International Business Machines Corp., J.P. Morgan & Co., RSA Data Security Inc. and its parent, Security Dynamics Technologies Inc., and the digital certificate vendor Entrust Technologies Inc.
CDSA accomplishes in an open format what Microsoft Corp.'s Crypto Application Programming Interface-CAPI-does for Windows-based systems.
"We see CAPI and CDSA as de facto platforms that certificate revocation will be written on in the next year," Valicert marketing vice president Sathvik Krishnamurthy said in an interview last week. "We are excited to be a de facto platform for CDSA.
"A lot of vendors are going with CDSA because it is not a single-vendor solution, but both are important for their reach."
Riding on CDSA gains "lots of ubiquity for our tool kit," said Valicert president and chief executive officer Yosi Amram. "Application developers don't want to write a separate validation module for every certificate authority they deal with."
Beacuse "Intel has a lot of licensees"-as do companies such as RSA and Security Dynamics that are aggressively selling encryption-based technologies for secure commerce-Valicert can be a common denominator in certificate validation, Mr. Amram said.
"This announcement underscores Valicert's commitment to standards-based technology and our leadership in open certificate validation solutions," Mr. Amram said.
Ted Julian, an analyst with Forrester Research in Cambridge, Mass., said Valicert and others are fighting inertia in a market satisfied with what is "good enough."
"I compare it to SET," Mr. Julian said. "It's cool, it does good things, but SSL (a less complex but currently widespread alternative) works, and change is not high on the priority list."
But the vendor community wants to give validation a shot, suggested Security Dynamics senior vice president Dave Power.
Certificate validation "will become essential" as corporations move data security pilots into production mode. With Valicert and CDSA, he said, "customers of our SecurSight products will easily validate certificates in their secure communications and commerce transactions."
