Certificate Authorities: How Valuable Are They?

To illustrate, let's revisit 007 and his latest intrigue. Bond wishes to make a purchase over the Internet, but he's wary about transferring his credit-card information over the wire. Trained to be vigilant, he even questions the authenticity of the destination site. If Q has set up a certificate-based environment, Bond (the client) will be presented with a site certificate from the server as soon as he connects to the Web site. If this certificate has been generated by a trusted CA, Bond can be sure that the certificate also will be verified by the browser, effectively eliminating any chance of forgery. Agent 007 may then proceed, reasonably confident the Web site is the one he believes it to be. In turn, the site may require that Bond identify himself using a client certificate issued by a trusted CA, adding a level of security that simple passwords cannot provide. The transmission also will be encrypted, barring any opportunity for eavesdropping on the session. None of this occurs, however, so Bond returns to his date and his stirred martini, postponing his car purchase and foiling the ZIFFWEC band of brigands once again.

Securing the Perimeter

Obviously, the value of using a CA to secure Web transactions is inextricably linked to the integrity of the CA itself--if the CA's security is compromised, the certificates it issues will be worthless. One safeguard is to outsource the operation to a company that specializes in CAs, such as VeriSign, Mountain View, Calif. VeriSign is one of the world's largest public CAs--it has issued more than 600,000 public certificates in the past six months alone. It offers five levels of physical security, two of which are biometrics-based, and three levels of certificates, each representing greater reliability. For example, anyone on the Internet who can receive e-mail messages and who has access to Netscape Communications Corp.'s Navigator 3.0 or higher can obtain a VeriSign Level 1 certificate. A Level 2 certificate requires a more extensive background check, while those seeking a Level 3 certificate must satisfy an even more stringent issuing policy.

Confusing the Issue

Credit-card transactions compound the Internet security dilemma. A particular type of certificate-based technology, called the Secure Electronic Transaction (SET) specification, addresses this problem. SET is based on X.509 certificates with several extensions. A blinding algorithm within SET, in effect, lets merchants substitute a certificate for a user's credit-card number. The certificate must come from a public CA like VeriSign, and it is forwarded from the merchant to a verification gateway for approval. The beauty of this scheme is that for the first time in the history of credit card-based transactions, the merchant never possesses the buyer's credit-card number--a novel idea, on or off the Internet.

GTE, the telecommunications giant, has been in the CA business for years--its CyberTrust division recently branched out from its traditional government customer base into the commercial market. GTE's primary focus is not to issue billions of certificates to users in the browser community, but to adapt its CyberTrust product to the CA goals of individual customers and have its customer-branded solutions appear as if they were part of the client's system. GTE, in conjunction with MasterCard, one of its clients, is slated to launch a SET-based system pilot program this month.

The Inside Job

Using a public CA service provider makes especially good sense when an organization either lacks the internal expertise to implement such high-level security or simply can't afford to create a setup as secure as VeriSign's or GTE's. However, running an internal or private CA does have some benefits--particularly for sites that want better control over their issuing policies, prefer to customize the certificate content, or simply don't want to be billed per head.

We approached the testing of these products from the angle of a semi-large corporation wishing to create and use the services of a private CA. We created users, submitted and approved certificate requests, and tried, when possible, to get them to work with one another. Because the products were all at different release stages--Xcert Software's Sentry CA was released half-way through our review, Frontier Technologies Corp.'s e-Lock was in beta and Netscape Communication Corp.'s Netscape Certificate Server was already released--we felt it would be unfair to pit beta products against shipping versions. Although we didn't use our usual Report Card, we did dig into these products and found both strengths and weaknesses. Look for a CA round-up in the near future.
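
The private-CA workflow described above (set up a CA, submit and approve a certificate request, then have the client check what the site presents), sketched with the OpenSSL command line. This is an added example, not part of the original article or of any product it reviews; the CA subjects, the host name shop.example.test and the function name ca_demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: a throwaway private CA built with the openssl CLI.
# All names (CA subjects, shop.example.test, ca_demo) are constructed.

# ca_demo DIR -> 0 if the issued certificate is trusted only where it should be.
ca_demo() {
    d=$1; host=shop.example.test
    # 1. Two self-signed roots: the CA the client trusts and an unrelated CA.
    for ca in trusted other; do
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
            -subj "/CN=Example $ca CA" \
            -keyout "$d/$ca-ca.key" -out "$d/$ca-ca.pem" 2>/dev/null || return 9
    done
    # 2. The site operator generates a key pair and submits a request (CSR).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null || return 9
    # 3. The CA approves the request: it signs the CSR's public key and binds
    #    it to the host name through a subjectAltName extension.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$d/site.ext"
    openssl x509 -req -in "$d/site.csr" -sha256 -days 7 \
        -CA "$d/trusted-ca.pem" -CAkey "$d/trusted-ca.key" -CAcreateserial \
        -extfile "$d/site.ext" -out "$d/site.pem" 2>/dev/null || return 9
    # 4. The client's checks. The certificate must chain to the trusted CA ...
    openssl verify -CAfile "$d/trusted-ca.pem" "$d/site.pem" 2>/dev/null \
        | grep -q ': OK' || return 1
    # ... must NOT verify for a client that trusts only the unrelated CA ...
    if openssl verify -CAfile "$d/other-ca.pem" "$d/site.pem" 2>/dev/null \
        | grep -q ': OK'; then return 2; fi
    # ... and must name the host the client meant to reach, and no other.
    openssl x509 -in "$d/site.pem" -noout -checkhost "$host" \
        | grep -q 'does match' || return 3
    if openssl x509 -in "$d/site.pem" -noout -checkhost shop.example.invalid \
        | grep -q 'does match'; then return 4; fi
    return 0
}

workdir=$(mktemp -d)
ca_demo "$workdir"
echo "ca_demo exit status: $?"
rm -rf "$workdir"
```

A nonzero status identifies which check failed; status 2 or 4 would mean a certificate was accepted where it should have been rejected.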


Updated March 25, 1997







