Want CNET to notify you of price drops and the latest stories?

ValiCert checks IDs

In a move to boost e-commerce, the start-up has announced new software and services that check the validity of digital certificates.

2 min read
In a move designed to boost e-commerce, start-up ValiCert today announced new software and services that check the validity of digital certificates, which serve as ID cards on the Internet, no matter who issued them.

Issuers of digital IDs do provide ways to check whether digital certificates have been revoked or canceled, such as manually checking a listing or using a directory. But those methods aren't practical for busy Web sites that conduct lots of transactions, said ValiCert founder and chairman Chini Krishnan.

"Applications that use or access certificates really don't know anything about the validity of the certificate without downloading the certificate revocation list [CRL]," said Krishnan. "We are making the entire process electronic, automated, and efficient.''

ValiCert's service, to be launched next year, also will aggregate CRLs from multiple certificate authorities, creating a one-stop location for verifying the validity of a digital certificate. Digital certificates are used for Internet transactions, secure email, and other purposes.

"ValiCert has a really clever way of doing this," said Ira Machevsky, e-commerce analyst at Giga Information Group. "It's a missing piece of the certificate authority jigsaw puzzle."

Matthew Kovar, an analyst at Yankee Group, said vendors have been "sweeping the problem under the rug."

ValiCert's service will prove particularly important for secure credit card purchases on the Net under the Secure Electronic Transactions (SET) protocol, Machevsky added, which uses digital certificates some 20 times in a single transaction.

"It would be nice to validate certificates in a very efficient fashion--SET is already a very slow protocol where performance is concerned," Machevsky said.

ValiCert has already picked up backing from several major vendors of certificate authority (CA) software, including GTE's CyberTrust, Entrust, and Netscape Communications.

Conspicuously missing is the best-known and perhaps largest CA, VeriSign, which issues certificates as a service. VeriSign and ValiCert are in discussions, but no announcements have been made.

ValiCert's offerings include two pieces of software, plus its service. ValiCert Tookit is designed for software developers writing applications that use digital certificates. By embedding the toolkit into their applications, developers can create products that can check certificate validity efficiently.

ValiCert Server, targeted at enterprises that deploy their own certificate systems, lets companies check certificate issuance on an intranet. It also will be embedded in certificate issuance and management systems utilized by public CAs.

ValiCert Service will be targeted at enterprises conducting broad Internet communications and commerce. It will serve as a clearinghouse for checking the validity of digital certificates regardless of who issues them.

ValiCert Server and ValiCert Toolkit are available now. The toolkit costs $995 per year for an unlimited use license; the server is available for $9,995, or comes embedded in CA products from other vendors.

Field trials of the ValiCert service will begin later this year, with public availability targeted for early 1998. Pricing has not been determined.