VeriSign Inc. said it has fixed the problem that led it to unwittingly issue two digital certificates to a computer criminal posing as a Microsoft Corp. employee, but its resolution has not restored the confidence of some banks, which contend they are the rightful issuers of security credentials.
The fraud came to light March 22, when Microsoft officials warned its customers that VeriSign had issued two fake digital certificates, used for verifying the source of downloaded software, on Jan. 29 and 30. The Mountain View, Calif., company, which has issued more than 500,000 certificates, blamed human error for the mistake and said it was the first incident of its kind at VeriSign.
We have already put changes in place to ensure this doesnt happen again, and will continue to look at ways to improve that process, said Mahi DeSilva, vice president and general manager of applied trust services for VeriSign.
But the incident has fanned the belief of some security experts that banks, not technology companies, should be issuing digital certificates in the first place.
Banks are natural providers of trust services, said Mark Robinson, Royal Bank of Scotlands program manager for Identrus, a consortium working to put banks at the center of the digital certificate business. Banks should be involved with managing customer relationships and deciding who they should issue certificates to.
Scott Lowry, president and chief executive officer of Digital Signature Trust Co., a subsidiary of Zions Bancorp, both in Salt Lake City, said that because of the potentially costly danger of digital certificates falling into the wrong hands, their issuance falls under risk management, and therefore should be handled by banks.
We think there are natural technology providers and natural trust providers, he said. You would not go to a bank to buy a computer chip, so why would you go to a technology company to buy trust?
The evolution of digital certificates will be similar to that of credit cards, which gained mass acceptance because banks stood behind them, Mr. Lowry said.
Just as there is a need for contract infrastructure in the credit card industry to bring certainty to the business process, the same thing is true in the digital certificate world, he said. Certificates being issued by technology companies really have no value in the marketplace, because no one knows what protections and procedures are behind them.
Guy S. Tallent, president and CEO of Identrus, whose membership is made up of 44 banks, said banks are the only trusted third party that rely on the procedures and processes that have been in place for 300-plus years procedures that are highly audited and regulated worldwide.
However, this is not to say that human errors never happen within a bank, but banks have a history of being able to deal with checks and balances in ways that newer companies are not necessarily attuned to deal with, he said.
Mr. DeSilva said his companys authentication processes compare very, very favorably with any process at any financial institution.
Technology companies such as VeriSign will continue to play a role in issuing certificates, because sometimes the practice does not make sense for banks, he said.
Where it is appropriate for banks to issue credentials for corporations, we equip those banks to do that, Mr. DeSilva said. There is also a place for public certification authorities to issue credentials for applications. Different types of authentication are appropriate for different types of applications.
Dennis Behrman, an analyst at Meridien Research in Newton, Mass., said consumers may not trust technology companies to the same extent they trust their financial institutions, but not all banks will find it profitable to issue digital certificates. For that reason, technology companies would have a place as certificate issuers, especially beyond the realm of financial services, he said.
VeriSigns stock closed Friday at $35.4375 a share, up/down 6% from a week earlier, the day after the certificate fraud was announced.