Certificate authorities move in-house

Digital certificates are pushing beyond the enterprise and finding converts among service providers with growing e-commerce and business-to-business applications. Used to authenticate customers and secure transactions or messages, digital certificates are allowing carriers to add layers of security and improve administration.

Digital certificates grew out of public key infrastructure (PKI), which uses cryptography to authenticate users. Under PKI, a certificate authority distributes and maintains public and private keys, which must be used in conjunction. To authenticate a user, or for a transaction to occur, a public key must be combined with a private key.

The public key is accessible to users, and the private key is often e-mailed to users via secure sockets layer. The key is then stored in a user's browser. Once the certificate authority recognizes the private and public keys, the user can access the desired information. The certificates are formatted using X.509, and the principal role of the certificate server is to act as a trusted third party assisting in the authentication, verification and distribution of public keys.

VeriSign has dominated the certificate authority field, but a growing number of companies want to issue their own certificates rather than outsource the job. GTE CyberTrust Solutions, Entrust Technologies and Xcert are setting the trend in this field. Xcert, which developed SentryCA and WebSentry, has had some recent customer wins among service providers that want to be certificate authorities.

Since March, PSINet has used Xcert's SentryCA and WebSentry to authenticate its online customer support users. PSINet uses these tools to issue its customers digital certificates that enable them to access technical support and account information (see figure).

"We use Xcert as an extranet application," said Mike Hatalla, manager of customer support engineering at PSINet. "It authenticates and secures the data flow between customers and our internal site."

PSINet is introducing the service to customers when they call for technical support. Representatives discuss the online option and explain its benefits. Once a customer agrees to the service, PSINet's customer service group issues the new user an Xcert certificate. When the new user logs onto PSINet's customer service site, PSINet's WebSentry identifies the customer's certificate, checks its status with SentryCA and provides the customer access to the site once SentryCA verifies the customer's identity.

Another carrier using Xcert is GT Group Telecom, a competitive local exchange carrier (CLEC) in Vancouver, British Columbia. Under its service, gtTrust, Group Telecom is acting as a trusted third-party certificate authority. The CLEC has more than 57,000 real estate agent customers that use gtTrust to gain Web access to real estate associations and listing services, as well as for cross authentication with law firms and online mortgage brokers and online real estate transactions.

"We have provided Group Telecom with unified, scalable Web-based authentication that enables secure communication between trusted communities," said Tim Gage, product marketing manager at Xcert.

In addition to increasing security, digital certificates decrease the number of passwords a user has to remember to gain access to different network domains. For e-commerce applications, this single sign-on approach is appealing. Rather than suffering through multiple requests for user name and password, users can gain access to all the domains where they have rights.

Another benefit of digital certificates is that they create an electronic audit trail that allows companies to track down who executed a transaction or accessed an area. PSINet plans to track users on its customer support site to help it understand the types of problems its users are having. Other certificate authorities use audit trails for fraud control.