A coalition of certificate authorities and software vendors, led by Canada's Entrust Technologies, is scheduled to announce Monday that they will cooperate to cross-certify their digital IDs so that certificates from one CA can be authenticated by another.
The Entrust initiative does not mean that all digital certificates from these vendors can be used interchangeably. Instead, it means that the technologies are supposed to interoperate--actual cross-certification will involve a host of other security and business considerations.
But the initiative has not won the support of IBM and VeriSign, the best-known CA. IBM licenses Entrust's software for Big Blue's certificate authority offerings, so its barrier to interoperate is not based on technology. IBM had no comment today.
"This will put pressure on VeriSign to participate," Entrust chief executive John Ryan said in an interview. Entrust said discussions with VeriSign on cross-certifying electronic IDs have not made progress.
Digital certificates are electronic ID cards for the Internet or private networks, where two parties cannot see or verify the identities of each other. The Entrust initiative could eventually mean that a digital ID issued by one certificate authority would be accepted by another CA.
That can happen only after the appropriate verification, security, and operation checks are made and after the two CAs agree to cross-certify. By accepting each other's digital certs, CAs can boost the use of the technology overall.
Entrust and its partners also back an emerging Internet Engineering Task Force standard called PKIX-3, which addresses how CAs operate. Warwick Ford, VeriSign's director of advanced technology, cochairs the IETF working group handling PKIS-3.
VeriSign considers cross-certification important, Ford said, but business issues, not technical ones, must be resolved.
"The technical issues are the tip of the iceberg," Ford said. "What makes cross-certification difficult is the nontechnical issues--reaching agreement on practices to be followed, how that is indicated in certificates, the whole set of legal issues of what happens in disputes, with liability, etc."
VeriSign's business differs significantly from Entrust's. VeriSign issues digital IDs as a service and primarily for the Internet, while Entrust sells software so companies can issue digital certificates for themselves, for corporate networks, or the Net. IBM has both a service and a software product.
The list of endorsers for the Entrust initiative include two competing CAs, GTE CyberTrust and Entegrity Solutions, plus several other authorities that use Entrust's software, called a public key infrastructure or PKI.
Entrust customers and partners signing on for the initiative include Bell Global Solutions, Chrysalis-ITS, Hewlett-Packard, electric utilities CA TradeWave, e-commerce vendor Harbinger, and Tandem. Other supporters include American Biometric, General Network Services, KyberPass, and email software vendor WorldTalk.