Global Certificate Authorities Market Trends
by: Maria Montana
Copyright 2002, Faulkner Information Services. All Rights Reserved.
Docid: 00018312
Publication Date: 0110
Publication Type: MARKET
Preview
A certificate authority (CA) is a trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs. The CA ensures that the individual granted the unique certificate is, in fact, who he or she claims to be. CAs are a critical component in electronic commerce transactions since they guarantee the identity of the two parties exchanging information.
Executive Summary
Global Certificate Authorities (CAs) are impartial third parties who authenticate the identities of entities engaging in e-business or e-commerce. Businesses, governments, and consumers all need to protect their primary assets: data and money. Unscrupulous e-criminals have taken thievery into the new millennium with data theft. By intercepting data transmissions, e-thieves steal critical information such as credit card information, bank transaction data, or trade secrets.
CAs use technologies such as PKI (Public Key Infrastructure) to incorporate encryption information into the electronic identifications of the entities. These encryption techniques make electronic data transmission at best tamper-proof and at worst tamper-resistant. One problem encountered by CAs is that PKI technology and other technologies like it are not standardized. As a result, communications between authenticated entities are sometimes hindered by incompatible PKI or PKI-like technologies.
The solution is as simple and complicated as standardizing the PKI or PKI-like technology. Which technology, by which vendor, will be standardized to what (or whose) standards, by what CA? Several vendors are stepping up to the plate to make electronic data transmissions tamper-resistant. Notice the term: tamper-resistant. As soon as industry declares something “tamper-proof”, some e-bad guy will make it his (or her) life mission to tamper with the tamper-proof product.
In this day of cyber-criminals and would-be doers of bad deeds, the need for CAs has been pushed to the forefront. But who will the CA Global Leader be? Will it be a consortium of global financial institutions, or government certified vendors, or maybe an organization comprised of self-certified businesses?
Description
Global Certificate Authorities must be neutral third parties with a global presence able to support many different types of transmission protocols. Financial institutions are poised to become prime CA candidates while government agencies are not.
Financial institutions form a regulated industry that, in many parts of the world, already accepts multiple transmission protocols from clients in the world community. They have global credibility and, at the very least, theoretical neutrality. Government agencies (pick a government, any government) do not have global credibility. Government agencies, in most cases, have specific transmission protocols that must be followed. Government agencies, by the nature of what they are, cannot be perceived as neutral in the global community. Financial institutions cross physical boundaries and operate on foreign soil under foreign rule where government agencies cannot.
Global Certificate Authorities are to Internet transactions what border patrols are to border crossings. CAs provide the service to authenticate the identities of entities requesting entrance to other entities’ domains. Many businesses provide the products and support services to enable CAs to effectively determine if a visitor is friend or foe.
State of the Marketplace
CAs come in three basic flavors: those certified by government agencies worldwide, those certified by an international financial institutions consortium, and those who are self-certified.
Government Agency Certification
The National Information Assurance Partnership (NIAP) was born in 1997 as a partnership between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). NIST represents a single point of service providing consistent, reliable, standardized security-related product evaluation and testing to the information technology (IT) community.
The evaluation and testing program is based on “common criteria”, officially titled “The Arrangement on the Mutual Recognition of Common Criteria Certificates in the field of IT Security”. Note that “common criteria” in this context is a set of standard criteria used to evaluate IT security products for use by the international community.
Government agencies from the international community began joining the mutual recognition arrangement a year later, in 1998. Table 1 lists the international participants in the mutual recognition arrangement. A complete description of the common criteria can be found on the NIAP website. Importantly, the mutual recognition arrangement members are predominantly from the European community, with the exception of Israel, Australia, and New Zealand.
Table 1. Government Certification Agencies

Country     | Agency
------------|---------------------------------------------------------------------------
Australia   | Australasian Information Security Evaluation Programme, Defence Signals Directorate
Canada      | Canadian Common Criteria Evaluation and Certification Scheme
Canada      | Communications Security Establishment (CSE)
Finland     | Ministry of Finance
France      | Schéma d'Évaluation et Certification Français
France      | Service Central de la Sécurité des Systèmes d'Information (SCSSI)
Germany     | Bundesamt für Sicherheit in der Informationstechnik (BSI)
Greece      | Ministry of Interior
Israel      | Ministry of Industry and Trade
Italy       | Presidenza del Consiglio dei Ministri, Autorità Nazionale per la Sicurezza, DESIS III Reparto - UCSi
Netherlands | Ministry of the Interior and Kingdom Relations
New Zealand | Government Communications Security Bureau
Norway      | HQ Defense Command Norway/Security Division
Spain       | Ministerio de Administraciones Públicas
UK          | Communications-Electronics Security Group (CESG)
UK          | Department of Trade and Industry
UK          | UK ITSec Scheme
US          | National Institute of Standards and Technology (NIST)
US          | National Security Agency (NSA)
US          | NIAP Common Criteria Evaluation and Validation Scheme
Financial Institution Certification
Identrus has emerged from the international financial community as an impartial third-party CA provider. This worldwide consortium of financial institutions banded together to provide consistent, reliable, standard identity authentication services.
Table 2 contains a list of the current Identrus members. This member list is expected to grow. The consortium has applied a standard level of evaluation and testing criteria to its approved products. Identrus is unique in that it is a vendor-neutral organization and as such is creating global standards used to secure electronic transmissions.
Table 2. Financial Institution Certification

Abbey National PLC
ABN AMRO
AIB Group
Australia and New Zealand Banking Group Ltd. (ANZ)
Banco Bilbao Vizcaya Argentaria, S.A.
Banco Comercial Portugues
Banco Sabadell
Banco Santander Central Hispano
Banesto
Bank of America
Bank of Ireland
Bank of Montreal
Bank of Scotland
Bank of Tokyo-Mitsubishi Ltd. (The)
Barclays PLC
BNP Paribas
Canadian Imperial Bank of Commerce (CIBC)
Chohung Bank
Citigroup
Commerzbank
Commonwealth Bank of Australia
Co-operative Bank (The)
Crédit Agricole France
Crédit Lyonnais
Den Norske Bank
Deutsche Bank
Dresdner Bank
Fleet Bank
HSBC Group
HypoVereinsbank
Industrial Bank of Japan, Limited (IBJ)
ING Group
J.P. Morgan Chase & Co.
Korean Exchange Bank
LBBW
Lloyds TSB
National Australia Bank Limited
Nordea
PNC Financial Services Group, Inc. (The)
Royal Bank of Canada
Royal Bank of Scotland Group
Sanwa Bank
Scotiabank
SEB Bank
Société Générale
Standard Chartered Bank
Sumitomo Mitsui Banking Corporation
Wells Fargo Wholesale Internet Services
Westdeutsche Landesbank Girozentrale
Westpac Banking Corp.
Self Certification
The Open Platform for Security (OPSEC) organization was founded by Check Point Software Technologies in 1997. OPSEC’s mission statement promises to “provide complete, integrated multi-vendor security solutions” by applying “a single, central, enterprise-wide security policy.” OPSEC, like Identrus and NIAP, has developed its own criteria to evaluate functionality and apply standard testing.
OPSEC’s 250-strong member base provides the broadest operating system and network infrastructure support and Internet security integration interfaces used in the industry. The OPSEC SDK (software development kit) claims to use “industry standards” to ensure vendors deliver compatible and complementary security products. The problem in using “industry standards” is that there are no formal industry-wide standards.
Note: OPSEC (Open Platform for Security) is a consumer-based organization. OPSEC (Operations Security Professional Society) is an organization dedicated to professionals in defense, security, intelligence, and other security services. The latter OPSEC does not certify products.
Market Leaders
Although the market is nascent and somewhat fragmented, there are some clear industry leaders.
Identrus
Identrus-certified products offer the most promise of any of the three certification options. The consortium has global credibility and neutrality. Major banks from around the globe are members of Identrus and the membership is quickly growing. This group has a proven and respected history of dealing with electronic data transactions made across many different platforms with as many different types of transmission protocols. Being able to converse with clients from industry, government, and the private sector has fostered Identrus’ commitment to being vendor neutral when selecting transmission and security software.
Another feature that makes Identrus stand out as a market leader is their focus. The Identrus model’s focus is on quality assurance, not quality control. As such, Identrus builds multi-transmission protocols into the process, which in turn produces a product capable of supporting multi-transmission protocols.
Identrus carries its focus into its certification process as well. Focusing on the process rather than the product enables Identrus to remain vendor-neutral. Certification is not given on specific products. Rather, vendors seeking Identrus’ blessing must conform to standard policy, requirements, and a prescribed process.
OPSEC
OPSEC’s certification reaches across many platforms and many types of transmission protocols. OPSEC certifies products, not processes. As such, OPSEC is not vendor neutral, thus accounting for their large membership. The downside to certification at a product level is that functionality is inspected into the product under the certifying organization’s rules and regulations. Product certification does nothing to build standard functionality in the product.
Government
Government certified products perform consistently and reliably according to the objectives defined in the NIAP common criteria. Quality control of the product rather than quality assurance of the process is the government’s focus. As a result, only the version and release of a particular product that has been certified meets the requirements outlined in the common criteria. Prior releases are not certified by default, just as future releases must be certified independently. Certification under government is very rigid, inflexible, and fails to support multi-platforms and diverse transfer protocols.
Note: Two vendors, Check Point Software Technologies and Unisys, have dual certifications. Check Point is certified under government certification as well as, obviously, OPSEC. Unisys is certified by both OPSEC and Identrus.
Market Trends
The CA industry is heading toward centralized, standardized multi-platform, multi-transmission protocol-based services. Vendors competing for a spot in the global marketplace need to select a philosophy. The first option is to select a process-based certification, like Identrus, and build products to conform to that model. The second option is to select a product-based certification, like OPSEC, and inspect products to fit those requirements.
Identrus and OPSEC are the organizations to watch. Each entity is a pioneer in its respective approach. Both Identrus and OPSEC have drafted heavy hitters from their respective industries into their ranks. Membership in each organization is growing at a feverish pace.
American-based Bank of America Corporation and European-based ABN AMRO, Deutsche Bank, and HypoVereinsbank are the first group of Identrus members to deploy a B2B (business to business) payment application as a result of Identrus’ efforts. This ground-breaking endeavor will pave the way for many more ventures. This is just the first, and it was a big success.
Team captains Identrus and OPSEC are already being solicited by top-ranking free agents. Microsoft is adapting its products to be compatible with the Identrus model. Microsoft is an industry leader in its own right, and now the mega company is throwing its weight behind the financially based organization.
A few years back (in 1999), Ericsson and Microsoft created a joint company, with Ericsson owning the majority share, giving Microsoft WAP technology. Now Microsoft has brought a new layer of technology over to the Identrus side.
Nokia, on the other hand, is courting Check Point (OPSEC founder). Besides being a leader in the wireless arena, Nokia is collaborating with Palm Computing, giving Nokia exposure in the handheld world. Add to that Nokia’s partnership with BEA, integrating WAP technology with its wireless services. So now Nokia brings its relationships with these companies to play on OPSEC’s side.
Nokia and Microsoft have brought a new layer of cellular technologies to the CA table. Remember that WAP technology allows content from the Internet, or an intranet, to appear in the window of a cellular-connected handheld device. Could these quirky unions expand the CA’s role into the B2C (business to consumer) market? Consumers could demand CA-level protection while executing personal banking, financial, and investment electronic transactions. Time will tell.
Another notable contender is Thawte. Thawte claims to be the second largest CA provider. Interesting to note is that Thawte is not certified by NIAP, Identrus, or OPSEC. Perhaps that is why Thawte is also building a team of vendors who support their own “industry” standards. We shall see if the old axiom of “too many cooks spoiling the broth” rings true for Thawte.
About the Author
Maria D. Montana is an independent consultant located in Stanhope, New Jersey, specializing in Computer Validation, Quality Assurance, and Technical Writing. She has more than 24 years of Information Technology experience with a concentration in the Pharmaceutical Industry. Mrs. Montana has provided services to such companies as Warner-Lambert, Schering-Plough Research Institute, and Prudential. She is a freelance writer for Faulkner Information Services.
Web Links
Checkpoint: http://www.checkpoint.com/
Common Criteria: http://www.commoncriteria.com/
Identrus: http://www.identrus.com/
NIAP: http://niap.nist.gov/
NIST: http://www.nist.gov/
NSA: http://www.nsa.gov/
OPSEC (Open Platform for Security): http://www.opsec.com/
OPSEC (Operations Security Professional Society): http://www.opsec.org/