Forum Unites Microsoft, IBM To Promote PKI Use

Microsoft Corp. and International Business Machines Corp. have set hostilities aside to give emerging data security technology a push toward maturity.

Joined by the leading data encryption company RSA Security Inc. and digital certificate vendors Baltimore Technologies and Entrust Technologies, IBM and Microsoft announced this week the formation of a collaborative PKI Forum.

Those founding members have put themselves out in front of an effort that they hope will improve understanding, usability, and profitability in the PKI, or public key infrastructure, business.

PKIs, mechanisms for coordinating and managing the complex mathematical keys and credentials that can secure electronic commerce and digital information of all kinds, have been widely expected to proliferate along with growth in the Internet. But the explosion has never fully materialized, in part, experts say, because of market fragmentation and the difficulty of making any given system compatible with that of another vendor.

The PKI Forum is following a classic route toward technology acceptance: creation of a common framework that, once established, stimulates competition in a way that benefits all participants. One current example, subscribed to by many active in the PKI field, is WAP, the Wireless Application Protocol for hand-held communication devices.

Microsoft, which has built PKI into its Windows 2000 operating system, and IBM were similarly early-stage supporters of the MasterCard-Visa Secure Electronic Transaction protocol for Internet payments, which had more mixed success. (The SET specification calls for digital certificates.)

"We as vendors would like to facilitate deployment of PKI at a faster rate than we have seen," said Lisa Pretty, vice president of strategic marketing at Baltimore Technologies, an Irish company with an office in San Mateo, Calif. "It takes a united front to drive this market."

The forum has set as its principal goal interoperability among such system components as digital certificates, directories, and certificate validation methods.

The group does not intend to set standards but rather will support existing efforts such as the Internet Engineering Task Force's PKIX. It will encourage cross-vendor demonstrations and independent evaluations of product compliance.

Ms. Pretty and other forum organizers said the broader the participation, the better. They want to bring both sellers and end-users into one of three membership levels: principal, costing $35,000; associate, $10,000; and auditing, $5,000.

A Web site is up at pkiforum.org. Business and technical working groups are being formed. An introductory meeting is scheduled for Jan. 18 in San Jose, Calif., during the RSA Data Security conference, a major PKI industry gathering. The group wants to demonstrate its first "interoperability profiles" by June.

"People like the forum because it is business-focused," said John Sabo, manager of security strategy and business development in IBM's SecureWay unit.

Among those expressing interest are British Telecommunications, Hewlett-Packard, ID Certify, Open Group, Sun/Netscape Alliance, Spyrus, Thawte Certification, Trustpoint, Valicert, and Xcert International.
