Entrust targets VeriSign on certs

The company, known chiefly as a public-key infrastructure firm, targets rival VeriSign in the market for digital certificates.

4 min read
Targeting rival VeriSign, public-key-infrastructure (PKI) firm Entrust has formed a new unit to issue digital certificates to vouch for the authenticity of Web sites.

But Entrust isn't VeriSign's only challenger. Data-collection giant Equifax is licensing technology from the same South African firm that Entrust is using--Thawte Certification--for its own push into the digital-certificate market for Web servers.

"The Web server certificate market is now becoming an attractive long-term growth market," said John Ryan, Entrust chief executive. He said that at least 100,000 certificates will be issued this year, making it a market of $25 million to $30 million. But the market is growing 100 to 200 percent annually.

But Forrester Research security analyst Ted Julian notes that the real money in digital certificates for the Web isn't for Web sites but for consumers.

Ryan said Entrust will do consumer certificates if its customers demand it, but Entrust may run into conflict with customers that bought Entrust PKI software to issue consumer certificates, only to find Entrust as a potential competitor.

"While on one hand Entrust is now getting into services for first time, they're doing they're doing it at the low end," Julian said. "The Web server market is not going to change their market cap."

He thinks Entrust's entry into the services market, which it had previously eschewed, is the most significant part of the announcement, primarily because it lets Entrust get into big accounts where customers want to start with a service. To date, that market has been ceded to VeriSign.

Both Entrust and Equifax can issue digital certificates that allow secure Internet communications using the Secure Sockets Layer (SSL) protocol and secure email via the S/Mime protocol.

SSL certificates are important for Internet commerce because Web storefronts need to have them for secure sales using credit cards. VeriSign claims the top 40 e-commerce sites currently use its certificates.

To date, Entrust has concentrated on selling PKI software to the corporate market for communications on internal networks and extranets. Today's agreement is its initial foray in the services market of issuing certificates itself.

Equifax, which had $1.6 billion in revenue last year, announced in last June that it would enter the digital certificate market, but it has not been a large presence to date.

"Equifax isn't nuts for thinking they have a role to play--they have an enormous asset in the data they have in their system--so the challenge is figuring out the right business model," said Julian.

VeriSign has been the most visible issuer of digital certificates for the Internet, although Thawte claims that on a worldwide basis, it has 35 percent market share, based on Web server certificates issued. But Thawte president Mark Shuttleworth acknowledges that VeriSign has grabbed the lions' share of revenue.

VeriSign may be vulnerable to rivals over the next year because of a quirk in the way digital certificates are issued and how they interact with Web browsers.

VeriSign's certificates have a "root key" that expires December 31 of this year. That means that starting in January, users of some Netscape Web browsers will get a pop-up message on their screen when connecting to a Web site with a VeriSign certificate stating that the certificate has expired.

"We think that's a message that the e-commerce industry doesn't want to happen, especially since it will come during critical busy period of late December," Ryan said. "We are bringing that to the attention of industry."

Thawte's root key doesn't expire until 2020, and Equifax and Entrust will license Thawte's technology so its certificates expire that year too. However, an older Thawte root key expired in July 1998, when it faced the same problem VeriSign will have at year's end. Both Equifax and Entrust are banking on grabbing market share from VeriSign during that transition and potential confusion among consumers on the Net.

But Mahi deSilva, a VeriSign vice president of engineering, minimized the impact of its root key expiring at year's end. The issue primarily becomes visible in Netscape browsers of versions 4.05 or earlier, and he said Netscape plans an aggressive marketing campaign to get consumers to upgrade to later browsers. In part that is driven by fixes that need to be made for Y2K issues.

Nonetheless, VeriSign sees the Entrust entry into Web certificates as an aggressive move, deSilva said, but it's a little surprised on the marketing tack Entrust is taking with its emphasis on the expiration of root keys.

"It's also reflective of them realizing that their current mode of operation is not particularly successful," deSilva said, noting that Entrusts revenue growth has been relatively slow. "We aren't particularly surprised they view it as a fertile market."

But the VeriSign executive noted his company's four-year track record in running a service business, something Entrust has not done.

"It takes a lot of infrastructure to ramp up," deSilva said. "We are skeptical of how they can bring that together."

Entrust's new Web-oriented service will be called Entrust.net and expects to begin issuing certificates next week. Equifax's new service will be called Equifax Secure and will issue digital certificates starting in July.