InformationWeek

PKI services, not products, may provide the most cost-effective approach, according to Anil Pereira, VP of the Internet services group at VeriSign Inc. The company provides services to 4,000 Internet service providers and has issued 250,000 Web server digital certificates. VeriSign, which was formed by Netscape five years ago, runs PKI-enabled applications out of secure data centers throughout the world. VeriSign also acts as an authentication bureau and validates not just the digital certificate, but the actual transaction through digital notarization.

VeriSign recently announced a suite of trust services for business-to-business E-commerce that's being used by General Electric's Global Exchange Services to authenticate more than 100,000 trading partners."In the PKI world, you can have your own control, benefits, and right credentials," says Pereira. "VeriSign sets up your own hierarchy that may be co-branded or chained to your PKI service provider."

Ruesch International Inc., a Washington financial institution specializing in international payments, found that PKI is an effective security approach for a global operation. The company trades more than $7.0 billion per year in international cross-border payments using 29 currencies. It developed RueschLink, an Internet-based network, to let its customers react to market trends instantly, says senior VP Ron Szoc. Customers can get real-time exchange-rate updates and authorize payments anywhere they can make an Internet connection. From its inception, RueschLink used PKI.

To meet strict government regulations and fiduciary responsibilities, Ruesch must authenticate users to know who the company is talking to, provide nonrepudiation so that a customer authorizing a transaction acknowledges having done so, and insure data integrity and confidentiality through encryption. Though the company would have liked to develop a proprietary system, it didn't have the capital available.

"PKI has a framework within which there are a lot of choices that you need to make. But it's easy for the client to work with," says Szoc. "We finally settled on digital certificates and the certificate-authority model."

The system uses technology from GTE CyberTrust, which is now owned by Baltimore Technologies plc, and requires a client to go through a three-tier process. First, a digital certificate is issued to an individual to establish a unique online identity for each user. Second, two IDs are issued--a company ID consisting of random letters and numbers and a personal ID consisting of an individual password. Third, users are granted access only to specific functions. A client company designates an individual who has the authority to add and delete users, assign predefined access rights, and administer the certificate process. The RueschLink transactions are also stamped with a digital signature--nonrefutable electronic code that participants agree will be legally binding in states and countries where such types of signatures are accepted.

RueschLink is handling 7%--or more than $1 million--of Ruesch's daily dollar volume. All orders and transactions, whether placed online or via fax or phone, show up in the RueschLink reporting log and can be exported to an Excel spreadsheet.

"We have a goal of tripling business within the next three years. PKI will be a very important part of achieving this goal, and RueschLink will be a key component," says Szoc. "We're going to initiate a mobile VPN with our own staff this spring and we might expand it to clients. PKI and the Web have opened up whole new vistas to which we didn't have access before."

The digital certificates issued by e-Scotia.com and others are compliant with the X.509-V3 standard and will be interoperable with any PKI that adheres to open standards. But not all PKIs have certificates that work together. To avoid obstacles within the financial community, Scotiabank joined Identrus LLC, an international organization established by eight global financial institutions in 1999 to act as a clearinghouse for its members to verify the identity of their trading partners. For a fee, Identrus lets businesses manage E-business risks through a trusted relationship with a financial institution.

In April, Identrus disclosed that 18 vendors' E-business security technologies are now interoperating on its pilot network. Participating vendors include Baltimore Technologies, Computer Associates, CyberTrust, Datakey, Entrust, Gemplus, Litronic, nCipher, Schlumberger, and VeriSign.

This is the first time that interoperability on such a broad scale has been achieved. In tests, each financial institution has been able to send, receive, and validate digital certificates on Identrus' pilot network. Identrus plans to offer its services not only to financial institutions, but to technology vendors and trading partners.

Such advances are helping to speed the deployment of PKI. In addition, the federal government and all 50 states are working on legalizing digital signatures, so that electronically signed transactions will be legally binding. That should provide even more momentum to the E-commerce boom and the need for sophisticated forms of security such as PKI.

return to page 1