Background news analysis

Mapping The Rocky Road To Authentication

Users face additional complicated legal issues with CAs. Christopher Allen, chief technology officer and president of Consensus Development Corp., says users may come under legal pressure to keep privileges within identification certificates. That's because laws concerning what constitutes a legal signature were codified long before anyone recognized the need to separate identity certificates from those outlining more frequently changed privileges. In addition, it's not yet clear how revocation lists will be stored and accessed during decades to come so that contracts holding digital signatures can't be nullified years later--for instance, by an assertion that the certificate originally used to sign a contract was stolen and used by an impostor.

Analyzing the Middleman

What's the biggest problem with today's certificate authority products? "They are complex, hard to manage and scare the hell out of people," says Jamie Lewis, president of The Burton Group. What CAs have to do is stop scaring users and network administrators. According to Lewis, that means that Netscape Communications Corp. will have to move beyond command-line utilities to generate certificates, and industry-leader Entrust will need to move away from what he calls "exorbitant" pricing models. Entrust lists at $159 per active user for unlimited applications; single-application use, site licenses and volume discounts lower the price.

CAs also need to scale. Carl Howe of Forrester Research is high on CA products from Microsoft Corp. and Netscape, although he doesn't expect administration and scalability to go beyond hundreds of thousands of users. The companies he finds most interesting for larger enterprises include Axent Technologies, Newbridge Networks' TimeStep Corp. and Xcert Software.
Tiny, Canada-based Xcert is particularly innovative, Howe says, because of a proxy it provides to security-enable homegrown and legacy applications and even mainframe apps. While Xcert's technology--and accompanying application programming interface (API)--isn't expected to overshadow big security API players like Intel Corp., Microsoft and now Sun, it may make a lot of headway as long as API confusion reigns (see "Bridging the Business-to-Business Gap," on page 62).

In Europe, on the other hand, Groupe Bull, ICL and Siemens Nixdorf are backing a standard known as SESAME. Supporters tout it as advanced because SESAME already provides a stable way of using a secure directory server to generate special short-lived certificates that delineate privileges. These certificates are typically valid for short periods of time--minutes or days. Privilege certificates are used to express role- and group-based controls, as well as delegations (www.esat.kuleuven.ac.be/cosic/seame.html). The Object Management Group has also selected SESAME for its Common Object Request Broker Architecture (CORBA). Although commercial versions of SESAME include encryption, a reference implementation available on the Web does not--primarily because of pressure levied by France.

The SESAME effort has encountered some North American criticism because European work on the spec stopped more than a year ago. However, SESAME supporters say a draft is still awaiting consideration by the Internet Engineering Task Force (IETF). The biggest problem with SESAME may simply be that, outside Europe, familiarity with the specification is scant. One possibility is that the popular North American PKI specification--Public Key Infrastructure X.509 (PKIX)--could be incorporated within products based on the more encompassing SESAME standard once PKIX is stable.

As for public outsourcing services, the undisputed leader is VeriSign.
The Burton Group's Lewis thinks VeriSign will be successful, both as a public CA and as a company selling combined product and know-how in the form of systems integration. What VeriSign doesn't realize, though, he says, is that it will have lots of competition.
News and Analysis by Kelly Jackson Higgins

Internet Peer Pressure; For Sale: Ipv6 (Any Takers?); IP Wherever You Go by Kelly Jackson Higgins

Updated July 8, 1997














