|
Who's Who In The CA Market
Question:
What spreads its tendrils faster than kudzu in Alabama humidity?
Answer:
Certificate authority (CA) products and services.
Within months, the number of CA products and services has shot from a mere handful to more than 30, and no one is predicting a slowdown. Much of the momentum can be directly attributed to Entrust Technologies--which came early to market with a stable product that other vendo
rs could build upon. Our labs, in fact, named Entrust's CA as Network Computing's product of the year. An unstated promise of Entrust's multivendor bandwagon is product-level interoperability. As we went to press in June, some of the industry's largest players were building atop Entrust or distinctly leaning in that direction--including Hewlett-Pac
kard Co., IBM Corp. and Novell ( see Network Computing Online at techweb.cmp.com/nc/813/813f2.html). Both Netscape (Communicator 4.0) and Gradient were also expected to announce or ship Entrust-ready versions of their products this summer. Gradient's product lets businesses map public key certificates to Kerberos authorization tickets.
Vendors that offer services and products based on Entrust include Canada's Bell Sygma, CyberGuard, HP, IBM and Newbridge's TimeStep. TimeStep plans to augment its own approach with a broad announcement of ephemeral certificates with Entrust this fall. Bechtel's Genuity uses TimeStep's technology in a one-stop connectivity, VPN an
d authentication offering. It was also clear in June that major players Novell and NeTegrity were distinctly leaning toward using Entrust as a CA base.
Banker's Trust spin-off Certco expects its product to become a platform upon which others build. Certco is providing the technology for the root CA used by Visa and MasterCard and is targeting its product/systems integration and legal services at the financial community.
In Europe, however, the catalyst for CAs lies with a standard--SESAME--to which Bull, ICL and Siemens Nixdorf have all built products (www.esat.kuleuven.ac. be/cosic/sesame.html). Elements of SESAME have also been incorporated in the work of the Object Management Group (see Business Trends, page 26).
But innovative CA products and services are also coming from many other directions. On the services side the clear leader is VeriSign, but competition is emerging from a variety of sources, including a South African public CA known as Thawte. The U.S. Postal Service has also announced
pilot 1997 CA services. Other vendors that have or plan CA products or services by third quarter include GTE, Internet Dynamics, Isolation Systems Ltd., Frontier Technologies, Microsoft, Netscape, Sun Microsystems, VeriSign and Xcert.
Antivirus leader McAfee is likely to enter the market with its own technology by year's end. Similarly, GEIS hopes t
o release CA technology/services at the end of the year or early in 1998, and secure-token leader Security Dynamics is expected to offer a CA by late summer.
Single sign-on leader AXENT Technologies plans to build to APIs or support CA products like Entrust's by early 1998. Sources say that First Data will both build a CA and offer its own authentication service. By third quarter, security and CA tools provider Consensus Development is expected to launch "authority"-based plug-ins for next-generation Netscape and Microsoft servers, followed by a set of authority management tools and an authority-based application programming interface (API). More tenuous
are MCI's plans, which says it plans to have a CA offering, and EDS' plans, which says it is considering using outside technology to offer CA services. The fate of CA technology through PGP's acquisition of Zoomit was also fuzzy at press time as the acquisition faltered.
Microsoft CA Integrated with Active Directory
Microsoft's foray into the world of certificate authorities is expected to begin in the third quarter when it ships an X.509v3 certificate server that is integrated with Active Directory. Both certificates and certificate revocation lists will be pushed to Active Directory, according to Microsoft's Karan Khanna.
The Active Directory integration is one reason why Microsoft's Crypto-API remains vague about other directories that might otherwise be used in the authentication process.
Clients will be able to query the directory for certificates and CRLs using the Lightweight Directory Access Protocol. Because Active Directory is "fully integrated" with the secur
ity infrastructure-including the certificate server-it will be aware of any object, including switches or routers. That means the directory can set policies that will authenticate each certificate request against a Cisco router, before issuing a certificate.
Application developers will be able to access authentication services using the APIs for Windows NT, M
icrosoft's CryptoAPI or Microsoft's Secure channel API for SSL services. They can also extend the Windows NT security by adding their own authentication schemes via SSPI APIs.
Khanna says the CA will support the use of both SKIP and ISAKMP/Oakley key management schemes and will support open interfaces to allow others to build policy modules enforcing Distinguished Name encoding as well as other extensions.
|
REPORTS
ANALYTICS
Follow 
