
Background news analysis
Mapping The Rocky Road To Authentication
By Christy Hudgins-Bonafield
It may have pioneered public key authentication services, but even VeriSign is convinced that as public key infrastructures move forward, the "VeriSign Service Model" will shift to more readily accommodate business-to-business security. That's because most business-to-business transactions rely on bilateral contract and trust. Introducing a third party--an entity that vouches for other, perhaps unknown, partners--can be problematic. This is especially true if big dollars are at stake and the third party is a start-up.
"Businesses haven't beat a path to trusted third parties," says Jeffrey Schiller, MIT's network manager, "because third parties have pushed liability out to the organizations. They tell you, the end user, to behave in a certain fashion. If you don't, they will revoke your certificate, which, if your business depends on your ability to use PKI [public key infrastructure], can effectively put you out of business. Yet they say: 'If we screw up, we'll make amends by refunding your license fee on a prorated basis.' This is the condom manufacturer offering you your money back."
Public certificate authorities (CAs) also fail to reflect a history of bilateral business arrangements that stretches back thousands of years, says Perry Metzger, a financial industry consultant with Piermont Information Systems. He says businesses may want to use CAs to reduce head counts, but still maintain the relationship. When multiple parties endorse a check, says Metzger, each assumes liability. He believes the same should be true of third-party, commercial CAs.
But the reality is, there aren't many start-ups with that kind of capital. That's one reason why the bulk of CA product providers--and even companies like VeriSign--are implementing alternatives like private-labeled CAs and outsourcing arrangements. GTE, in fact, backed away from early directions favoring a public CA to offer customer-branded products. And VeriSign ultimately expects about half its business to come from outsourcing.
A number of businesses, then, are negotiating their own contracts with CA providers--from user-bought and -run systems to hybrids owned by the user and run by the provider to full-scale outsourcing. In many models, including Canada's Bell Sygma, special user requirements exist, like user staffing of a local registration authority. In almost all models, specific liabilities are written into a contract and many models call for liability insurance. VeriSign says businesses invariably purchase insurance as part of outsourcing contracts--with coverage typically starting at $1 million.
Bob Carberry, president and CEO of CyberGuard, says his CA business is 75 percent outsourced and 25 percent sales. Many businesses, he says, simply don't want to buy and build a CA alone.
Another model--one that already seems to be favored by the auto industry--is the establishment of industry-specific CA services. Tim Moses, manager of Entrust's security technology group, says vertical-industry CAs are more likely to understand an industry and its liabilities and less likely to take on unnecessary liability costs.
Another way around CA liability issues is suggested by Guy Fisher, director of product marketing for Internet services at GEIS. Fisher believes the third-party CA business would get a big boost if banks got involved, giving businesses the level of protection now established for credit cards.