Valicert Inc., which is trying to lock up one of the specialty markets associated with electronic commerce security, continues to lengthen its list of strategic allies.
The three-year-old company announced agreements last week with Equifax Secure Inc. and International Business Machines Corp., which itself is a close ally of Equifax Inc.'s digital security offshoot.
On top of a series of other cooperation and distribution agreements in recent months, the latest alliances solidify Valicert's claim to serving as the premier source of certificate validation technology-systems that can be used to verify that a digital certificate has not expired or been revoked.
Most leading vendors of public key infrastructures for digital certificates-including Entrust Technologies Inc., Verisign Inc., Baltimore Technologies PLC, GTE Corp.'s Cybertrust unit, Celo Communications of Sweden, and Thawte Certification-have some form of system-integration or interoperability agreement with Valicert.
In a business rife with strategic alliances because few if any companies can deliver the complete range of data security components by themselves, Valicert's record of cooperation is as extensive as any.
Equifax Secure, for example, licensed Valicert's Enterprise VA Suite 2.0 and will make it available to customers of its e-commerce security program. The division of Atlanta-based Equifax Inc., a leader in the consumer information and credit reporting industries, will also serve as a reseller of Valicert's VA, or validation authority, system.
IBM made its VaultRegistry certificate-issuance system, which is a key element of Equifax Secure's offering, compatible with Valicert products such as Enterprise VA and the Valicert Global VA Service.
By incorporating the Valicert technology, "IBM is able to support a wider range of e-business applications as it provides enterprises with trust around the globe," said Mark Greene, the computer giant's vice president of security.
"Valicert is a recognized leader in providing complete and efficient validation authority solutions for digital certificates," said Equifax Secure general manager Jeffrey Johnson. "We look forward to expanding the scope of our certificate issuance systems"-customers will have the option of acting as their own validation authorities rather than relying on an outside service.
Valicert aims to resolve one of the thorny complications of digital certificate operations. Validation of certificates in public key encryption infrastructures, or PKIs, can be so difficult or inefficient that some security-technology innovators have proposed alternative approaches that do without validation per se.
But PKI methods are well entrenched and gaining new adherents as e- commerce takes hold. Encryption keys for digital certificates, the credentials that banks or other trusted parties issue to vouch for a customer's on-line identity, are standard equipment in Internet browser software, for example. (Browser leaders Microsoft and Netscape are on Valicert's partner list; Microsoft's Internet Explorer 5 has validation built in.) Certificates are required of banks, merchants, and consumers by SET, the Secure Electronic Transaction protocol for Internet credit card payments.
PKI proponents like Mr. Greene of IBM acknowledge that it could take years for these technologies to get fully established. But Mr. Greene pointed out in a recent interview that "it is possible to get it to work without exposing users to all the complexity."
As long as there are PKIs, validation will be an issue-and it is one of the areas where ingenuity is being applied to reduce the operational burdens.
Valicert itself has adjusted to market demands. The Mountain View, Calif., company initially came on the scene with a validation method called Certificate Revocation Tree, considered a vast improvement over the cumbersome checking of certificate revocation lists, or CRLs. Valicert president and chief executive officer Yosi Amram likened CRLs to the paper "hot card bulletins" that retailers had to consult in the early days of credit cards.
In assembling its validation capabilities, however, Valicert recognized that its revocation trees would not displace CRLs overnight. Meanwhile, a new technique called OCSP-On-line Certificate Status Protocol-gained ground within the Internet Engineering Task Force's standards-setting program. To offer complete coverage, Valicert therefore supports CRL and OCSP.
"By working with Valicert, IBM has expanded the options its global customers have to implement a comprehensive, security-rich solution for engaging in communications and commerce over the Internet," Mr. Amram said last week. "We expect additional companies to rely on IBM and Valicert technology to expand the availability of global validation and intend to continue to work closely with IBM to ensure that our products interoperate effectively to enable world-class solutions for enabling global e- business."
Though Valicert had been cooperating at some level with PKI companies almost since its inception, recent announcements took on deeper significance. In March, Thawte of South Africa and GlobalSign of Belgium, which had been testing the validation systems, embarked on more formal integration and distribution arrangements.
Baltimore, a British-Irish PKI leader that participated in the March announcement with a licensing and distribution pact, announced a more comprehensive technology integration on April 27. Citing Valicert's OCSP support, Baltimore marketing vice president Patrick Holahan said the deal "adds an enhanced level of trust to Baltimore Unicert digital certificates."
Also in April, Entrust Technologies of Plano, Tex., joined in a "validation interoperability" announcement, encompassing both the Entrust- championed CRL Distribution Points methodology and OCSP.
"Our partnership with Valicert brings additional revocation choices to our PKI customers through either CRLDP or OCSP standard formats," said Entrust CEO John Ryan.
In mid-April, Digital Signature Trust Co., a subsidiary of Zions First National Bank of Salt Lake City, said it would add the Valicert VA to its certificate repository architecture.
The repository is "the central point of trust for our customers," said Digital Signature Trust president Scott Lowry. He said the Valicert technology would "increase interoperability and improve the performance of our repository certificate-validation queries."