Securing e-commerce at big firms

Netscape and VeriSign improve integration between Netscape's client-server software and VeriSign's OnSite digital certificate service.

Two initiatives announced today could make it easier for large corporations to conduct secure electronic transactions.

Netscape Communications and VeriSign announced that they have improved integration between Netscape's client and server software and VeriSign's OnSite service for issuing digital certificates.

Over the next six months, the two companies plan to deploy common components in Netscape's software and VeriSign's service for managing certificates.

Separately, IBM and its Lotus subsidiary are donating source code as a reference implementation of the Internet Engineering Task Force's draft standards for Public Key Infrastructures, a key protocol for digital certificates.

Both initiatives are aimed at making digital certificates issued by different certificate authorities more trusted and accepted by other companies, particularly on extranets and in commerce between companies. Digital certificates are electronic IDs that vouch for the identity of an individual or company.

"If you need digital certificates on extranet, cross deployment is a key concept," said Netscape's David Weiden, director of marketing for directory and security products, noting that for two organizations to accept each other's certificates, they must believe the issuer is trustworthy. "The biggest barrier to using certificates is the trust issue."

VeriSign and Netscape will develop common technology for certificate revocation lists, which are used to check on whether a digital certificate remains valid, and for key escrow, which lets a company save a copy of an individual's digital ID in case it is lost or the person leaves a company. That technology will be rolled out over the next six months.

These enhancements aim to make deployments of digital certificates easier by reducing the cost and maintenance burden of managing and issuing digital IDs.

Specifically, the deal lets users of Netscape's Certificate Server software issue and manage digital certificates that are compatible with those issued by VeriSign's service. VeriSign's digital certificate technology is embedded in both Netscape and Microsoft Web browsers, making digital certificates issued by VeriSign and its customers broadly acceptable.

Likewise, joint VeriSign-Netscape customers can also use VeriSign's OnSite service for managing certificates.

Netscape and VeriSign also today released an extranet security white paper, available on each company's Web site, detailing their plans for deploying PKI.

IBM positioned its announcement as a step toward building a security infrastructure to make the Net a viable commercial medium. It aims to make certificates and PKIs from different vendors interoperable at a technical level.

"Transactions over the Internet need bulletproof security, and security is the No. 1 issue that people worry about," said IBM's Phyllis Byrne, vice president of distributed systems. "From a technology standpoint, the biggest issue is the deployment of digital certificates and public key encryption."

At the end of August, IBM will post a Windows NT version of source code, called a reference implementation, for the IETF's draft Public Key Infrastructure standard for issuing, validating, revoking, and renewing digital certificates. The source code for Sun Solaris will be available by the end of the year.

Vendors that use the IBM source code, due to be posted on the Massachusetts Institute of Technology Web site, don't need to invent their own core technology or worry about interoperability. The reference implementation will be used in interoperability testing.

Although most CA software supports the X.509 standard, that protocol includes enough options that certificates are often not compatible. A Windows NT version will be available through the Massachusetts Institute of Technology's Web site at the end of August, with a Sun Solaris version due by year's end.

"By developing and making the PKIX reference implementation code available to all, IBM and Lotus are enabling software vendors to develop products that interoperate," Jeff Schiller, IETF area director and MIT manager of systems and operations, said in a statement.

IBM and Lotus also will use the standard PKI throughout their products and service offerings, including the applications Lotus Notes, Domino, eNetwork Firewall, and Global Sign-On; IBM's operating systems AIX (in January 1999), OS/2, OS/400, and OS/390; its IBM Vault Registry certificate authority; and security toolkits. IBM's Tivoli unit also will provide management support for PKIX.

PKIX supporters include General Motors, JP Morgan, Netscape, Sun Microsystems, International Computer Security Association, Security Dynamics, Intel, Equifax, and Dascom.