Big names battle for digital IDs

A fierce battle worthy of a Tom Clancy blockbuster is being waged behind the scenes over something that most people don't even understand: digital IDs.

The players include an Internet start-up with blue-chip backers, a vendor that won its spurs keeping hush-hush spy projects secret, a spin-off of a giant New York bank, Internet software combatants Microsoft (MSFT), Netscape (NSCP), and IBM (IBM), and, believe it or not, the U.S. Postal Service.

All are fighting over the right to issue digital certificates, an ID card for the Internet that vouches for the user's identity--just as many stores in the physical world ask for a drivers license when shoppers write checks.

The digital ID market is

What is a digital ID?
Digital IDs are the electronic counterpart to drivers licenses and passports. They are used to prove your idenity or right to access information online.

forecast to be huge. One day digital certificates will be commonplace. Individuals will use them for access to Web sites (instead of passwords), for secure email, for home banking, for online stock trading, for access to information on corporate networks, perhaps even for filing income tax returns electronically.

In business, digital certs--as they are also known--will let outside partners see relevant parts of corporate extranets, and firms that use the Net for EDI (electronic data interchange) to buy from suppliers will authenticate their identities with digital certificates.

Even security products, such as firewalls and routers, will have digital certificates to automate virtual private networks that send information through the Net in an encrypted tunnel. Digital IDs are attached to Java applets and ActiveX controls so users can evaluate the author--and perhaps to block code that might attack their PCs.

In a few years, individuals may have ten different digital certificates--making the number of certificates on their PC hard drives roughly the same as the number of credit cards and IDs in their wallets, according to Stratton Sclavos, VeriSign CEO.

One day, most experts say,

830 K Stratton Sclavos, VeriSign CEO, on smart card wallets

people will keep their digital certificates on a smart card, a piece of plastic the size of a credit card with a chip embedded. That will allow them to carry their electronic IDs with them so they can use any NC, kiosk, Internet TV, or PC to check their email or charge purchases on the Net.

While there is little question that digital IDs will be ubiquitous, who will issue these electronic credential is up for grabs. That's because, in the broadest sense, certificate authorities are trafficking in trust.

"Trust is a hard thing to earn and an easy thing to lose," said Jeff Irby, vice president of sales and marketing at Internet payments firm CyberCash (CYCH).

To consumers, the issuers of digital certificates will be familiar places like banks, schools, employers, the post office, or an online issuer like VeriSign, which has already assigned digital IDs to more than 1 million individuals and almost 25,000 Web sites.

Issuers are called certificate authorities (or certification authorities or CAs), but the job requires skills that are not always found in the same company: tight physical security, know-how in public-key cryptography, and meticulous record-keeping, not to mention a staff to check up on applicants, then issue, revoke, renew, and otherwise manage the IDs.

The new Secure Electronic Transactions (SET) protocol, designed to make credit card transactions safe on the Net, has created a vast new market for digital certificates: Every buyer, merchant, and merchant bank must have one.

With e-commerce projections booming, the SET situation offers a peek at the behind-the-scenes battle among digital cert providers. International Data Corporation this week estimated Internet commerce will top $220 billion in 2001--up from $2.6 billion last year. Many sales, though not all, will involve digital certificates.

"SET is essentially the first mass market electronic commerce that has any chance of being widespread successful," said Peter Freund, chairman of Certco, a spin-off of Bankers Trust (BT) that is working with Visa and MasterCard, coauthors of SET.

In SET, banks--both card issuers and those that process transactions for merchants--occupy a central role because they issue SET certificates to consumers and merchants alike.

Today's market free-for-all in the CA business involves technology suppliers that either want to sell software for banks to issue their own certificates or want to run a CA on a bank's behalf.

Big name companies are strutting their stuff in an effort to get in on the action.

VeriSign is the chief outsourcing player. It has a contract with Visa to be the preferred CA for banks that offer Visa cards, but it also can issue SET certificates for Diners Club, Novus (which issues Discover and Bravo cards), and (in South Africa) MasterCard. VeriSign issues certificates to bank customers under the bank's name and puts the bank's brand on digital IDs.

"We are now finding banks have enough on their hands in terms of acquiring new customers," said Anil Perrara, VeriSign's vice president of marketing. "We're already supporting 100-plus banks that are willing to outsource to us."

Outsourcers argue that the CA business is so complex that card issuers are better off letting the experts handle it, which has largely been the case for SET trials. Sellers of CA software counter, saying that banks won't want an outsider to handle such a critical banking function.

CyberTrust, a GTE (GTE) unit that

830 K Sclavos on whether you can trust CAs

has two decades of security experience with spy agencies, is another SET contender. CyberTrust, the preferred provider for MasterCard and American Express cards, will issue SET certificates for banks, or sell them the software to do the job themselves.

Ditto for IBM, which is cultivating banks worldwide.

"As far as getting software out to issuing banks, that's the kind of things IBM does better than anyone else in the world," said Scott Dueweke, IBM marketing manager for electronic payments and certification.

Another big CA is largely sitting out the SET market. Entrust Technologies, a spin-off of Canada's Northern Telcom, is focused on large enterprises that use certificates mostly for intranets.

The Post Office wants to do certificates too, but probably not for SET. Its thousands of physical locations around the country mean it can check physical IDs before issuing digital certificates.

To enable companies to issue digital certificates to employees, suppliers, and customers, Microsoft and Netscape sell "certificate servers"--though they're not in the SET arena. Critics say their products are fine for hundreds or thousands of people on an extranet, but question whether they can scale to hundreds of thousands of users.

CertCo's Freund thinks that banks, because of that trust relationship, will keep the CA function for themselves.

"To be a certificate authority, to control that identification [of customers], is a really crucial banking function," said Freund. "It's unlikely to be outsourced because it goes to the core of what a bank does."

Stay tuned.

go to Everything you need to know about digital IDs