A fierce battle worthy of a Tom Clancy blockbuster is being waged behind
the scenes over something that most people don't even understand: digital
The players include an
Internet start-up with blue-chip backers, a vendor
that won its spurs keeping hush-hush spy projects secret, a spin-off of a
giant New York bank, Internet software combatants Microsoft (MSFT), Netscape (NSCP), and IBM
(IBM), and, believe it or not, the U.S.
All are fighting over the right to issue digital certificates, an ID
card for the Internet that vouches for the user's identity--just as many
stores in the physical world ask for a drivers license when shoppers write

What is a digital ID?
Digital IDs are the electronic counterpart to drivers licenses and
passports. They are used to prove your identity or right to access
information online.

The digital ID market is forecast to be huge. One day digital certificates
will be commonplace. Individuals will use them
for access to Web sites (instead of passwords), for secure email, for home
banking, for online stock trading, for access to information on corporate
networks, perhaps even for filing income tax returns electronically.
In business, digital certs--as they are also known--will let outside
partners see relevant parts of
corporate extranets, and firms that use the Net for EDI (electronic data
interchange) to buy from suppliers will authenticate their identities with
Even security products, such as firewalls and routers, will have digital
certificates to automate virtual private networks that send
information through the Net in an encrypted tunnel. Digital IDs are
attached to Java applets and ActiveX controls so users can evaluate the
author--and perhaps to block code that might attack their PCs.
In a few years, individuals may have ten different digital
certificates--making the number of certificates on their PC hard drives
roughly the same as the number of credit cards and IDs in their wallets,
according to Stratton
Sclavos, VeriSign CEO.
One day, most experts say,
people will keep their digital certificates on a smart card, a piece of plastic the size of a credit card with a chip
embedded. That will allow them to carry their electronic IDs with them so they can use any NC, kiosk, Internet TV, or PC to check their email or
charge purchases on the Net.
While there is little question that digital IDs will be ubiquitous, who will issue these electronic credentials is up for grabs. That's because, in the broadest sense, certificate authorities are trafficking in
"Trust is a hard thing to earn and an easy thing to lose," said Jeff Irby,
vice president of sales and marketing at Internet payments firm CyberCash (CYCH).
To consumers, the issuers of digital certificates will be familiar places
like banks, schools, employers, the post office, or an online issuer like
VeriSign, which has already assigned
digital IDs to more than 1 million individuals and almost 25,000 Web sites.
Issuers are called certificate authorities (or certification
authorities or CAs), but the job requires skills that are not always found in the same
company: tight physical security, know-how in public-key cryptography, and
meticulous record-keeping, not to mention a staff to check up on
applicants, then issue, revoke, renew, and otherwise manage the
The new Secure Electronic Transactions (SET) protocol, designed to make
credit card transactions safe on the Net, has created a vast new market
for digital certificates: Every buyer, merchant, and merchant bank must
With e-commerce projections booming, the SET situation offers a peek at the
behind-the-scenes battle among digital cert providers. International Data Corporation this week
estimated Internet commerce will top $220 billion in 2001--up from $2.6
billion last year. Many sales, though not all, will involve digital
"SET is essentially the first mass market electronic commerce that has any
chance of being widespread successful," said Peter Freund, chairman of CertCo, a spin-off of Bankers Trust
(BT) that is working with Visa and
MasterCard, coauthors of SET.
In SET, banks--both card issuers and those that process transactions for
merchants--occupy a central role because they issue SET certificates to consumers and
Today's market free-for-all in the CA business involves technology
suppliers that either want to sell software for banks to issue their own
certificates or want to run a CA on a bank's behalf.
Big name companies are strutting their stuff in an effort to get in on the
VeriSign is the chief outsourcing player. It has a contract with Visa to be
preferred CA for banks that offer Visa cards, but it also can issue SET
certificates for Diners Club, Novus (which issues Discover and Bravo
cards), and (in South Africa) MasterCard. VeriSign issues certificates to
bank customers under the bank's name and puts the bank's brand on digital
"We are now finding banks have enough on their hands in terms of acquiring
new customers," said Anil Perrara, VeriSign's vice president of marketing.
"We're already supporting 100-plus banks that are willing to outsource to
Outsourcers argue that the CA business is so complex that card issuers are
better off letting the experts handle it, which has largely been the case
for SET trials. Sellers of CA
software counter, saying that banks won't want an outsider to handle such a
critical banking function.
CyberTrust, a GTE
(GTE) unit that
has two decades of security experience with spy
agencies, is another SET contender. CyberTrust, the preferred provider for
MasterCard and American
cards, will issue SET certificates for banks, or sell them the
software to do the job themselves.
Ditto for IBM, which is cultivating banks worldwide.
"As far as getting software out to issuing banks, that's the kind of things
IBM does better than anyone else in the world," said Scott Dueweke, IBM
marketing manager for electronic payments and certification.
Another big CA is largely sitting out the SET market. Entrust Technologies, a spin-off of
Canada's Northern Telecom, is focused on
large enterprises that use certificates mostly for intranets.
The Post Office wants to do certificates too, but probably not for SET. Its
thousands of physical locations around the country mean it can check
physical IDs before issuing digital certificates.
To enable companies to issue digital certificates to employees, suppliers,
and customers, Microsoft and Netscape sell "certificate servers"--though
they're not in the SET arena. Critics say their products are fine for
hundreds or thousands of people on an extranet, but question whether they
can scale to hundreds of thousands of users.
CertCo's Freund thinks that banks, because of that trust relationship, will keep
the CA function for themselves.
"To be a certificate authority, to control that identification [of
customers], is a really crucial banking function," said Freund. "It's
unlikely to be outsourced because it goes to the core of what a bank does."