Data Security Firm Adds Validation Function

Article excerpt

Certco Inc. has added a powerful validation component to its digital trust technology.

The New York data security company, a spinoff of the former Bankers Trust Corp., introduced CertValidator, a system that assures the validity of a digital certificate presented in an electronic commerce transaction.

Certificate validation has become a critical issue -- for some, a stumbling-block -- in attempts to complete the construction of Internet commerce infrastructures.

In the digital equivalent of the printed credit card "hot lists" of the 1960s and 1970s, an on-line seller might have to consult an unwieldy certificate revocation list, or CRL, to see if a presented credential expired or was revoked. CRLs are widely considered unworkable for large-volume networks that put a premium on speed. A leading alternative is OCSP -- the on-line certificate status protocol -- on which CertValidator is built.

Vendors of public key encryption and digital certificate technologies have taken steps to accommodate non-CRL options like OCSP. Xcert International Inc. of Walnut Creek, Calif., has explicitly avoided CRLs because it views on-line, real-time status checking as essential. One company specializing in validation methods and related support services, Valicert Inc. of Mountain View, Calif., has raised consciousness about the issue with its own technology, certificate revocation trees, as well as OCSP.

Certco differs from Valicert's Validation Authority offering, said Certco senior vice president Jay Simmons, in that it integrates a secure OCSP data repository with the "responder" function.

Yosi Amram, president of Valicert, said, "I and Valicert welcome the entry of Certco into the validation space.

"This helps to further legitimize the business need" and reinforces "a message that Valicert has been conveying to the market for over two years."

Calling CertValidator "the second leg of a product offering" that began with certificate authority systems, Mr. Simmons said, "We believe it will be necessary to know who issued a certificate and to get a positive response that it has been issued."

Among the key benefits would be nonrepudation. A buyer of goods, for example, would be unable to claim improperly or fraudulently after the fact that the transaction did not occur.

In keeping with open interoperability principles, CertValidator can store and manage certificates, CRLs, and status data from all major certificate authority vendors. The president of one of them, Peter Hussey of GTE Corp.'s Cybertrust unit, said the program fits well with its "secure extranet" offerings. "This powerful technology not only gives our customers a flexible option for accelerating their business-to-business e-commerce activities," Mr. Hussey said, "but it also makes them more secure."

"Real-time validation capability within and across public key infrastructures is critical for businesses that intend to engage in high-value e-business transactions via the Internet," said Diana Kelley, senior security analyst with Hurwitz Group Inc. "OCSP support and multivendor interoperability are features that the market should demand."

Richard Salz, the architect of CertValidator, said the system's foundations in standards such as OCSP and LDAP (lightweight directory access protocol) and certification for meeting high-level Federal Information Processing Standards contribute to the all-important flexibility and scalability requirements sought by customers.

Included on a long list of CertValidator operational features are hardware-based data encryption and key storage, tamper-proofing, audit trails, and two trademarked ideas, Fast-Path Revocation and Fast-Path Suspension. The former occurs much faster than the hours or days that a CRL system might take. With the latter, a hold can be placed on a certificate in a critical situation, then quickly lifted to return it to valid status. …