Virtually you

Virtually you
By Margie Wylie
Staff Writer, CNET NEWS.COM

In many ways, Stratton Sclavos is just your average suburbanite father.

The son of second-generation Greek-American parents, the Silicon Valley executive spends his weekends shuttling kids to soccer practice or catching a quick game of pickup basketball. His neighbors would never guess that on Monday, he captains a company that could change their lives as much as the invention of the telephone or the automatic teller machine.

Sclavos's VeriSign is in the business of digital IDs, virtual drivers licenses for the Internet. In a medium known for its anonymity, VeriSign's digital ID certificates make it possible for both consumers and merchants to prove they are who they claim to be. (You don't send your credit card number to a scammer instead of L.L. Bean; L.L. Bean doesn't accept your stolen credit card number from someone else; everybody's happy.) It's a big business that's bound to get bigger. Already VeriSign has issued about 400,000 individual digital IDs and 10,000 business IDs, with nary a competitor in sight.

705K 1180K

As a result, VeriSign has scooped up deals to issue Netscape users IDs and to partner with Visa on a secure credit card for Internet users. Not quite two-years old itself, the company recently funded its own startup in Japan. Yet, the self-deprecating Sclavos doesn't let it go to his head. A Silicon Valley veteran of 15 years and four start-ups, Sclavos seems to keep his distance from Valley culture, whether it's the unrelenting pace or the excesses of some of its leading citizens. "I've lived a very fast and hard kind of education growing up here in the Valley," he says. "I would always prefer to be remembered as a better basketball player than engineer."

We chatted with Sclavos in his Mountain View offices about being digital, the death of anonymity, the feds, and why he does what he does.

NEWS.COM: What does VeriSign do?
Sclavos: Today, when you cash a check, sign a contract, or buy a house, you're asked to show a form of identification so that the business party with which you're doing the transaction knows that it's really you, that you have the authority or rights to purchase this house, or execute this credit card transaction, or the like. Very simply, we are moving that into the digital world and specifically to the Internet. We're giving you a digital ID that identifies who you are, or in the case of some work we're doing with Visa, a digital credit card that allows you to charge things over the Internet securely. In the case of some banks or brokerages, [we're giving you] the ability make stock trades or move funds around by identifying who you are and what privileges you have for that given relationship with the bank or a brokerage, or potentially, even the government.

NEXT: Being digital

Being digital

When people talk about digital IDs, they tend to limit it to identifying themselves in very official situations. Do you ever see digital IDs being used more casually, the same way caller ID is used now?
I think that's a good point. This technology that we have, something called digital IDs and digital signatures, really has broad-based usage. Much the same way you have a library card, a credit card, or a driver's license, they're all used for various degrees of identifying who you are, some more casually and some more officially. You'll have a set of digital IDs that are appropriate for a given set of transactions you're going to do. We actually think that for secure mail--that is, sending people encrypted mail that nobody else but the receiver can read--you'll use a very casual digital ID that's just associated with your name. Whereas, to do a credit card transaction, you'll really need a digital ID that's issued by Visa, MasterCard, or American Express. So just the same way in the physical world where there is not a one-size identity vehicle that fits all, you won't see one size in the digital domain, either.

The way we describe it is two to three years out, you'll probably have something known as a digital wallet that's managing a variety of these different digital IDs: some for credit cards, some for banking, and some for just sending mail to your friends.

People might worry about how those digital IDs will mix and match information.
Right, and in fact, they really can't. These things are prepared with some of the strongest encryption technology that currently exists. Once they are created, they can't be forged, they can't be tampered with, and in essence, they can't be shared across multiple sites of applications. They cannot mix and match each other.

Aren't we sort of assuming a bit of American-centric ideal here, that IDs will come out of VeriSign, that they're approved by VeriSign, but not necessarily the French government? What are some of the issues there?
I think there are a lot of issues. Again, just as today the government doesn't issue your credit card, Visa doesn't issue your driver's license...There are many, many entities today that issue you some form of identity or authorization card based on what relationship you have with them. We think it's going to be the same on the Internet. Your credit card companies will have their brand on the digital credit card, VeriSign will have its brand on the digital ID a variety of classes, and a government may also issue digital IDs for its citizens to interact with government--Social Security, taxes, medical benefits, etc.

So there's going to be a variety of these things and they will be issued by a variety of different entities. We have already started a subsidiary in Japan specifically because we want to localize what we do to the practices inherent in the Japanese culture. The Japanese government, in fact, is spending $100 million over the next two or three years to do electronic commerce pilots and really test out the cultural acceptance of things like digital IDs and digital cash. So we're already in Japan. You'll see us in Europe next year, again, localizing all the things that we do to make them culturally right, yet at the technology level, interoperable across the globe.

There are more than cultural issues in Europe, though. There are some very strict data privacy directives from the European Union.
One of the first people we hired here actually wasn't a technologist. He was a lawyer who had been working for eight or nine years in electronic commerce law. We're very closely following all the various legislative and legal aspects that are developing in all these countries, and we'll have to change what we do based on what the local laws and customs are.

Data privacy is a particularly interesting one for us. It's likely that in France, as an example, you'll have to issue the digital IDs from France under French law. But in Germany, it's probably okay to issue them from Belgium or somewhere in the Nordic countries. So all of this stuff is kind of maturing, developing, and evolving over the course of the next 12 to 18 months. Meanwhile, what we're seeing is that we have issued digital IDs to consumers in over 50 countries already.

How many of those have you done?
We sold well over a 250,000 [individual certificates] in just our first 90 days. Today, we've sold over 400,000 individual certificates and 10,000 business certificates.

What does that mean in terms of actual trade? What are people doing with them?
Today, the most likely usage is to replace a password and log-in as you go to a Web site. Instead of being asked for one of ten passwords you might have to memorize and use, your digital ID can act as your gatekeeper, your access control into these Web sites without you as the user having to type your password in again. That's the predominant use today. We also see secure mail as another big driver for the IDs.

Soon with Visa, we'll roll out a pilot for digital credit cards with some of their banks and their cardholders. I think that's where you'll start to see the payoff in trade: electronic payments with credit cards. There are other things with brokerages and banks where they want to give you access to the accounts you have and let you either see what your account balance is and also potentially move money from account to account, or buy stock in one account, or in one company, or sell it in another.

So you're going to see a variety of uses. Predominantly the 250,000 we've issued today will be used mostly for access control on Web sites, but in the next 6 months you're going to see at least another half-dozen applications roll out.

So is it the end of anonymity on the Internet?
No, I think that anonymity has its place. We also think there's room for identifying who you are at various levels of assurance on the Net. Today, we don't care in the physical world if we're anonymous when we hand somebody our credit card, right? If we're going to do that on the Internet or in the digital world, we need to identify ourselves and make sure that somebody understands that we have the authority to purchase something on the Net.

I think it's very simple: Everything we do in the physical world that's appropriate, we're going to move into a digital world in terms of providing services or buying goods--buying software, buying flowers, buying wine--all of those things that are obviously early successes on the Web. Those things where we identify ourselves to a physical merchant today, we will want to do with a digital merchant in the future.

Can you describe what businesses buy from you and what individuals buy?
An individual gets something that's more like his or her driver's license; it identifies who he or she is as an individual.

What do I get? A card or a little bit of paper? How do I know I actually have one?
Well, it will be sitting in your browser and you can pull down a menu item and look at your certificates where you'll see your digital ID in there from VeriSign. In the business sense, it's more like getting a business license. People know that you are an incorporated business and you have legal provisions that are allowing you to use this trade name and the rest. So when we get a request from a business, we don't check out the Webmaster, we check and make sure that the business has an article of incorporation, that we can confirm the businesses identity. We check the InterNIC to make sure the domain names or the URL they want to use for the certificate really belongs to them.

How do you register an individual?
We check them against a computer database such as Equifax to make certain that the date of birth and the address of the individual and the social security number and so on match what's in those consumer databases.

And if it doesn't match?
We don't register the consumer.

What about all the mistakes in those databases?
We have pretty sophisticated algorithms that look for transpositions of numbers and to see if abbreviations are misspelled, etc. In general our goal is not to issue 100 percent. Our goal is to maintain very strict guidelines. We never bend the rules, and what we try to do is make sure the algorithms are as good as possible to try to sort out mistakes.

Can you describe where you keep all this information?
We have three locked doors between the outside world and these keys that we use to sign certificates. The first door you have to come through with a physical key, the second door requires an electronic key, and the third door requires an electronic key and your fingerprint. In the war room, the digital keys themselves are stored in military-grade boxes that, if they are tampered with, electrically erase their contents.

Self-destruct?
That's right, but without the smoke.

NEXT: The business of digital identity

The business of digital identity

How much did this sort of Web explosion really influence your business?
Well, it's the reason I think this business is a spin-out separate company from RSA. [RSA president] Jim Bidzos realized as the Web was taking off and companies like Netscape were asking for security solutions. He could not grow a digital ID business fast enough internally. RSA had been issuing digital IDs since as early as 1986, but in volumes measured in thousands per year.

I think the Web explosion made security a paramount concern and it required that an infrastructure be built very, very quickly to support widespread use of authentication technology. So the Web has everything to do with why we're here and why it has grown so fast.

Do you ever worry that you've missed your opportunity here? VeriSign was the first with digital IDs and certificates. Now everyone wants to compete with you, including GTE Government Services and even the U.S. Postal Service.
We have been first to market with every significant introduction of digital ID products, whether it was digital IDs for servers, digital IDs for consumers, or digital IDs for software publishers so they can sign their code and you can be assured that it came from Microsoft or from Lotus. You'll see us roll out digital credit cards first. So our strategy is very simple: Be first to market and execute. We already have twice the number of people as GTE does in this particular business, and we'll double it again in 1997. This isn't an offshoot business for us; it's all we do. History has proven that if you focus and you execute to a key plan in a market where there is a lot of demand, you can be a winner.

What's the next thing for VeriSign?
One of the things that has fascinated us is how broadly applicable what it is we're doing is to moving the Web to that next generation of commerce. We see a lot of vertical market specialization for ourselves. Today, we're mostly focused in financial services with the credit cards, the banks, and the brokerages. We see health care as a huge opportunity, mostly in terms of benefits management and administration. There's a lot of work going on to allow you to access all of your 401(k) information or your payments records with doctors and dentists and the like through your health care plan, but over the Internet.

There is a lot of business to be done in publishing. We believe that subscription services is a model that will pan out for a lot of Web sites that are providing content. So in fact, folks like the Wall Street Journal and others are starting now to use subscription services. Well rather than a password and log-in to get into your services, you'll probably use a digital ID issued by a publisher to get all of your various services and your tailored information, tailored ads, or even tailored news stories.

You've seen a lot of start-up companies from the inside. Is it different doing an Internet start-up?
An interesting thing we talk about a lot here is, can we maintain the pace that we're all on? And not just VeriSign, but all of us, whether it's Microsoft, Netscape, or any other company doing this. The pace is phenomenal. It's never been said that Silicon Valley is a bunch of laggards or slackers. We've worked 12- to 14-hour days for as long as I can remember.

What it's doing in this particular space, is forcing us all to work together. And that's something I don't think people have talked about. The fact that you can't do it all yourself in these time-compressed periods, where you have to deliver an Internet service or product, forces you to go outside and align yourself with a VeriSign or align yourselves with a Visa or the rest. So we find ourselves being asked into more and more opportunities than we ever thought we would, because the people that are providing these new services need what we do and realize that if they can get it for us at a cost-effective price, why re-invent it?

What about your competitors?
I would claim there isn't going to be another start-up to compete with VeriSign. We're well in the lead. With the RSA technology that we inherited that's in some cases eight and ten years worth of development plus now over a year and a half's lead on the Internet, I think it would be very hard for a venture firm to fund a company to compete with us. I do believe, however, you'll see big players like a GTE or Postal Service take technologies that they've developed for other uses and try to commercialize them. GTE, for example, is a military contractor. It wants to move into the commercial space. So I think you'll see large system integrators, mostly with government contractor backgrounds, trying to get in and do what we do. They will have bigger names and probably more financial credibility than we do. I think what we'll have is execution credibility, in terms of having done this time and time again over the last few years.

And the Postal Service?
I'll actually make a statement I probably haven't made before: I expect us to work with the Postal Service in a lot of ways. The Postal Service is focused in one area, which is secure messaging using their services and using something they call a digital postmark, which gives you a legal time stamp when a piece of electronic mail passes through their systems. A digital signature will be legally binding, as will a time stamp on top of it of when the transaction occurred. Those things are going to be important for doing things like signing legal contracts on the Web.

We think that we could work with them in some of those applications, and we're having some initial discussions with them. We also think that if they went off and competed with us in just the secure email area, we've got a lot of other things we're doing in digital credit cards and digital bank books and the like. So it's a very, very large market. We want other players in it because we think with more players it gives more credibility to the overall security and trustworthiness of this digital ID infrastructure.

NEXT: The feds

The feds

What do you think of the recent White House policy that lets companies like Netscape export stronger security products in exchange for government access?
I think that they believe that they've made a bigger move and concession than we in the industry believe they have. The difference between 40 and 56 bits from a technology perspective is certainly important. But from a marketing perspective of the software providers that have to build these products, it's 40 bits or 56 bits vs. unlimited bits in international products. For them, I don't know that it's going to make a huge difference.

Meanwhile, the administration wants us all to build in key recovery systems, which we're not against. In fact, we think that key recovery is a big business for VeriSign downstream. We think that commercial enterprises will want it for their employees' information. At the same time, linking those two things we don't think makes a whole of sense.

On the one hand, they didn't make U.S. companies more competitive in the market really, since they didn't lift the restrictions; they simply raised them to 56 bits. Also, we think that key recovery really should be driven by commercial requirements that the government can then access through law enforcement vs. a government mandate as some kind of barter agreement for raising the export requirements.

Our business isn't directly impacted since signature technology can go out at full strength. We ship 1,024-bit technology around the world. Yet, in a secondary way, it does impact us. Because if our major partners are the Netscapes and Microsofts and Suns of the world and they can't be competitive in the international market, then it will limit our market share with their products in those places.

There are at least four countries in which you can buy a toolkit to build a cryptography application that is what we call full-strength encryption: 1,024 bits or higher. That's Japan, Australia, Israel and, I believe, South Africa. So, those toolkits are available without export restrictions on them, which makes the administration's argument--that it's really terrorists they're trying to protect us from--specious, in my view, since those people can get access to those technologies in the international market.

Vice President Al Gore has said that the administration wants key recovery to be commercially driven.
I think that they were trying to figure out how to make it a win for commercial enterprises, but they forgot to ask us.

NEXT: That thing you do

That thing you do

Personally, what do you get out of this?
I think the thrill in this for me is really a sense of creating a part of history. It is amazing to me how fast this whole Internet track has taken off and continues to accelerate.

I would love to see my bills presented to me online, I'd like to pay them online, I'd like to do my stock trades there, I'd like to go to my bank this way. There's a whole variety of things that I as a consumer would benefit from if all of this stuff was actually in place. And I think that, with the security piece in place, we (and a lot of other people working very hard with applications and other layers of the technology) are about to do that. It's going to change people's lives, the same way that the telephone or the TV changed it 20, 30, 40 years ago.

Forgive me for being suspicious, but this sounds an awful lot like the Eisenhower years to me, when the woman dancing around in the kitchen mopping in high heels was the icon of leisure we were expected to achieve.
I was always a critic of the interactive TV strategies, 500 channels, pay-per-view movies, and getting everything I want on my TV. I want TV to be fairly mindless and I don't want to be working in that setting.

I don't believe these technologies are for all of us to use in our spare time. It's for saving time so we have more quality time to spend with our families and do these other things.

I'll tell you, right now I have a hard time getting to my son's soccer game and my daughter's gymnastics competition. I'm sure that in business today sending email has replaced the fax because it's faster. When you can save time and make people more productive, these things take off.

What if I come back in five years? You still going to be here or are you off to another start-up?
I'll tell you what. I am enjoying this so much, and it seems like every time we think we've just finished one thing, ten more things pop up on our screen to do.

We have tapped into what seems to be one of the biggest concerns with the Net and we think we're providing a service that's just scratched the surface of really being usable across all these different applications. So I expect to be here 5 years and 10 years from now. This is a very exciting time.

If I cracked open your high school yearbook, would you be most likely to succeed?
[Laughs.] I don't think so, actually. I think mostly I was into athletics and playing sports and the like and I still do that today: basketball, baseball, the whole gamut of things. I think I was the most likely to break a leg skiing or something.

So are you a jock and not a nerd?
That's right; my wife often teases me about that. She claims I am a nerd. I would always prefer to be remembered as a better basketball player than engineer.