In-Depth

Digital Certificates Secure Web Services, Mobile Communications

Public key infrastructure isn't dead yet.

• By Mathew Schwartz
• 08/11/2004

With digital certificates, application designers can sign code; document authors can authenticate their work; and the U.S. Postal Service uses them in its “electronic postmark” program for signing Microsoft Word documents. Security Strategies spoke about digital certificates with Neal Creighton, president and CEO of GeoTrust, which along with Verisign is one of the largest certificate-issuing authorities.

GeoTrust a digital certificates company?

The company was founded in 1998, and the whole idea or vision behind the company wasn’t to issue digital certificates. But we believe that as the world becomes more networked, as devices become more networked, that identity really matters [most]. If you know who you’re speaking to, you can prevent spam … If you know a server is a real server in Web services, you can open up your network. Of course … that credentialing technology can change in 10 or 20 years … and [given our infrastructure] we can just bolt on what’s new.

When PKI first hit, many decried its lack of scalability. Has that changed?

PKI was very much hyped during the boom, and there weren’t enough applications for it … So [today] the applications are there … The other problem was there were two methods for selling PKI … software, and the services model … I think a lot of the disappointment came from the software, it didn’t scale … and [customers] weren’t experts in using it.

What will we see going forward?

So what I think you’re going to see for the most part, some of the most interesting applications—document signing, application signing… it will be done by supplying credentials to a [managed] certificate authority.

As it scales, will prices decrease and operating efficiencies increase?

We call our technology a factory, because we get economies of scale, because the more certificates we issue, the more our costs go down. Also … we just launched a new product, because we’re finding that more and more people are ordering things online from mobile devices—Pocket PCs, DoCoMo in Japan, or Palm … In the past few years we’ve worked hard to get software on mobile devices … [so] merchants can talk to those devices as well as PCs.

What’s the state of the market with regard to certificates and e-commerce applications?

The overall industry saw about 40 percent growth year over year in the SSL market. We grew over 100 percent, but that’s picked up even more. I think … we’ll see a lot more merchants come online [still] and use digital certificates.

What about Web services?

That’s all about authenticating servers and opening up your network so that people can operate with certain applications that you have, and to do that you need to know that you’re talking to a trusted third server.

How automated is that?

From our perspective, we identify and credential things, and we do that almost 100 percent in an automated format.

We … spent a lot of time building [that] … and right now, we have methods to identify just about any server, anywhere in the world, in a matter of minutes, which almost no one else can do.

Talk about the Unified Testing Initiative (UTI), a method of authenticating Java applications on mobile phones.

For UTI and Java, it’s all about trusted content. On your mobile phone, it’s all about trusted sources. We can authenticate [a Java application] and … make sure it’s real. We think that technology will migrate … back to the PC as a way to prevent viruses on the network.

Can an application’s validation be revoked?

If there’s a problem with the application later … we can shut down that application, because [the phone] checks to make sure the signature of the application is still valid before it executes it, every time.

It’s a very neat way of streamlining …. you’re actually in front of the viruses now, based on using identification to prevent putting those things [from being] on the network in the first place. The same thing can go back to a PC, it can check a signature … and allow [applications] to upload or not.

Could this be applied to trusted-e-mail initiatives?

You could only receive e-mail from authenticated sources, which is a long way off … The Caller ID [for E-mail] initiative, that’s a part of the [Microsoft] Sender ID protocol, which has to do with authenticated domains, or IDs; Yahoo [DomainKeys] does the same thing but differently.

What’s happening with documents and signing them with digital certificates?

I think document signing is the killer application of the future … But if I told you this was going to happen next year, I’d say that was optimistic.

How is document signing currently being used?

The kinds of document signing we’re seeing today have to do with [for example] 401(k) rollovers. [Also] we have a large financial application where they’re allowing analysts to digitally sign research. Or the state of Indiana—between different state agencies, they’re signing documents; it’s business-to-business [types of transactions] actually.

What’s the U.S. Postal Service (USPS) offering today?

Go to the USPS Web site, and you can request and receive a digital credential from GeoTrust which you can use to sign Microsoft Word documents.

How exactly do you use a digital certificate in Word?

You’ll see Microsoft is making a lot of changes to its next [Office] release, but Microsoft [already] implemented a specific DLL [to do that in Word].

How do you predict document signing will take off?

In a general sense, financial applications where you want to know where a report came from—a certain financial analyst—or in manufacturing where there’s a lot of paperwork coming back and forth and you have to sign [off]. Then … between individuals [selling goods] or when filing taxes, and so forth. I think [document signing] will emerge in places where there’s a lot of cost savings when [it’s done], either from [reducing] paperwork … or from a liability perspective. Then … it will migrate down to more consumer applications.

Related Link:

USPS Electronic Postmark:
http://www.uspsepm.com

Related Articles:

ASN Security Issues Run Deep, Forrester Warns
http://info.101com.com/default.asp?id=5851

Q&A: Securing the Door as Important as Securing the Data
http://www.esj.com/news/article.asp?EditorialsID=718