
VeriSign Archives

VeriSign Becoming Synonymous with Net Security

By Jim Bruene on May 1, 1999 9:13 AM | 0 Comments


The login screen at Texas Bank (Brownwood, TX; $135 million) includes the “big three” credibility builders: privacy statement, security statement, and third-party endorsement from VeriSign. We consider this the bare minimum for establishing an aura of security around transactional banking services.

The Company

VeriSign’s certificate authority technology was created in 1994 under the leadership of D. James Bidzos at RSA. In 1995 Bidzos realized the need for an independent organization to carry forth the technology and related services, and VeriSign was formed with current VeriSign CEO Stratton Sclavos at the helm. The company is headquartered in Mountain View, California, and has 300 employees. With $15.6 million in revenues in the quarter ending Mar. 31, 1999, VeriSign is an investor favorite with a market capitalization of $3.2 billion (5/17/99), more than $10 million per employee (ticker: VRSN). The company has issued 3.5 million individual certificates and certified 125,000 Web sites.

Target Markets: Businesses and consumers.

Business Model: VeriSign charges license fees to individuals, organizations, and enterprises for the use and registration of digital IDs. In addition it markets public key infrastructures (PKIs) to service organizations that wish to independently implement its verification and registration capability.

Partners: Visa, EDS, Intuit, Netscape, Microsoft, Reuters, AT&T, First Data Corp., RSA, Merrill Lynch, Oracle, and America Online are among many of the companies working with VeriSign.

Customers: Customers include: 100% of the top 40 electronic commerce sites; 98 of the Fortune 100 and 400 of the Fortune 500; example clients include Bank of America, Diner’s Club, Dow Jones, The Federal Reserve Bank of NY, NationsBank, Novus/Discover, Royal Bank of Canada, Hewlett-Packard, Ameritech, British Telecommunications (BT), First Union, and Morgan Stanley Dean Witter.

Contacts: (650) 961-7500
Stratton Sclavos is CEO
Richard Yanowitch is VP Marketing
Mary Anderson is VP Enterprise Marketing
Quentin Gallivan is VP Sales
Ethel Daly is VP Strategic Alliances
Tom Honey is Dir. Financial Services Marketing

Products

The company has created the most widely recognized digital certificate or digital ID for authentication of parties in ecommerce and other electronic interaction. In a Jan. 1999 survey of 315 adults, Cheskin Research found that 53% of those familiar with VeriSign rated it one of the two best online trust builders; a score twice as high as its nearest competitor (OBR 1/99).

Part product and part service, the company creates software to authenticate users and then provides validation and registration capabilities (also known as Public Key Infrastructures, or PKIs) to provide a dynamic library of digital identities.

Digital Certificates: The company offers three classes of digital certificates. The first two are targeted at individual users and the third is for company Web sites:

VeriSign Digital Certificate Product Line

[image: certificate product line table]

Web Site Certification: VeriSign also promotes two types of Web site certifications:

[image: Web site certification types]

The Authentic Site logo is available to all organizations that use VeriSign’s class 3 certificate to authenticate their Web destination.

[image]

The CPA WebTrust criteria examine three principles: business practices disclosures, transaction integrity, and information protection. VeriSign provides a list of participating accounting firms at www.cpawebtrust.org.

Cost (end-user): Consumer Digital IDs cost $9.95 per year and may be obtained directly through the VeriSign Web site and through distribution partners, such as Microsoft, which packages VeriSign certificates in IE 5.0.

Cost (enterprise): Companies can purchase Web site certificates for $349 to $1,295 depending on which product bundle is chosen. The certificates are bundled with various levels of insurance against hackers. CPA WebTrust fees are paid to the individual accounting organizations, which establish their own fees.

How It Works

Digital certificates authenticate one or both parties in electronic commerce or communication. Essentially, when an online financial institution or other Web site uses a digital ID, it can be proven that it is authentic and not an impostor. End-users can similarly employ a digital ID on their end to guarantee that they are who they claim to be, alleviating the concern that others are “spoofing” their identity to rob their online accounts.

As a form of authentication, digital IDs are often compared or contrasted to fingerprints and other methods of biometrics. Given today’s extended length encryption techniques, digital IDs are thought by many to be “virtually unbreakable.” But they can still be compromised if the crook gets a hold of the certificate and its password.

Digital certificates use the public key encryption method, which consists of a matching public key and private key. Only the keyholder knows the private key, while the corresponding public key is distributed to anyone who seeks it. In this system, the holder of the private key has the exclusive ability to use or show their electronic identification, but anyone retrieving the public key can check the validity of this ID.

This system works well as long as users have easy access to the other party’s public certificates and the privacy of the private key (also called the secret key) is maintained. Because Web sites could use this to check the end-user’s electronic ID, this method could conceivably be used to eliminate the need for passwords, especially for read-only access to data.


How to Put VeriSign on Your Web: Web certification can be acquired either through VeriSign’s Web site, www.verisign.com, or through the co-managed Security Center on Netscape Netcenter. Certificates can be delivered within two days. CPA WebTrust certifications must be obtained from various accounting organizations; refer to the VeriSign Web site for complete details.

Financial Services Usage

Business Banking: In Feb. 1999, Bank of America announced a digital certificate program for corporate clients (www.bofa.com/news/news571.html). The bank claims to have “raised the bar for Internet security by becoming the first bank to successfully complete a large-scale deployment of digital certificates to its corporate clients.”

Consumers: Ease of use and major industry wins are often the bellwether of widespread adoption. Could VeriSign’s progress suggest that a major bank will soon align with VeriSign or some other CA to successfully deploy digital IDs to a large consumer audience? VeriSign believes that “stronger applications will eventually drive consumer adoption.” When pressed for a prediction of how long it will be before consumers begin widespread certificate use, company representatives postulated a period 18 months into the future.

Smart Cards: VeriSign also sees smart card technology being incorporated with digital IDs, where a bank-branded card is embedded with a personal certificate in order to bind the relationship between the consumer and the financial institution. This is a way for a recognized, respected organization to stand behind an individual’s signature, giving the cardholder instant authentication and, therefore, economic power. And the future may not be as far off as it seems: an implementation is currently underway with the University of Pittsburgh that gives all students a digital signature, in order to allow private, authenticated access to student information and records.


Analysis

There’s no such thing as too much perceived security. But you need to be careful not to implement security measures that hurt ease of use and drive customer service costs up. We believe Web site certification will have little negative impact on customer service, while significantly improving security perceptions. Furthermore, we believe you should consider both the VeriSign program for brand recognition and the ABAecom service for the banking linkages. The adoption of more advanced VeriSign services will depend on your strategic needs.

Financial Institution Opportunities

[image]
Source: Online Banking Report, 4/99



Summary: VeriSign has done an admirable job of maintaining primary mindshare in the certificate authority world. The company’s products are accepted by industry opinion leaders as mature and proven, and with the growth of ecommerce and particularly financial ecommerce they stand a good chance of gaining a firm hold on their market space.

In terms of competition, VeriSign has superior brand recognition at the end-user level and claims to have a greater depth of managed services. While there may be choices in the area of differing technology approaches, the company has a huge lead in consumer brand preference at the moment.

VeriSign is a supercharged, stock-option fed Internet company. Sometimes, this can make them difficult to pin down to work out the details of a strategic partnership. But if you are persistent, and/or big enough, or if you can structure a deal that will increase VeriSign’s market capitalization, you’ll have an enthusiastic and capable partner in VeriSign.


The Law and the Ramifications of Digital Signatures

By Jim Bruene on April 9, 1998 6:54 AM | 0 Comments

On Jan. 1, 1998, Washington became the first state to legally recognize digital signatures. Here is a look at the law and the ramifications of digital signatures on electronic commerce. For the latest state, national, and international developments in digital signature legislation, visit www.mbc.com/ds_sum.html.

Definitions

Authenticate: To prove genuine.

Encrypt: To put messages into code.

Decrypt: To retrieve the coded message.

Public Key Encryption: Two-key system invented in 1975 for hiding messages. Anyone can encrypt a message to you using your public key, and you can simply decrypt it by using your private key. The hard part is authenticating the sender. That’s where certificate authorities come in to play.

Certificate/Certification Authority: Issues digital certificates that attest to the owner’s identity. A certificate authority has five primary functions:
1. Accepting applications for certificates
2. Verifying the identity of applicants
3. Issuing certificates
4. Revoking certificates
5. Providing certificate status information

Digital Certificate: Electronic information containing:
1. The owner of the key pair
2. The organization of the owner
3. The owner’s public key
4. Expiration information
5. A digital signature, created using the CA’s private key, proving that the certificate has not been altered

Digital Signature: Like pen and ink, digital signatures establish identity. But the digital variety can also establish the authenticity of whatever they are affixed to – in effect, creating a tamper-proof seal.

Source: “Encyclopedia of the New Economy,” Wired, March 1998; Understanding Digital Signatures by Gail L. Grant, McGraw Hill, 1998.

Laws rarely affect the development of new technology. Although the U.S. Justice Department’s antitrust lawsuit against Microsoft may become a high-profile exception, a less well-known example is the enactment of laws recognizing the use of digital signatures. Not surprisingly, Washington state is leading the development of these new laws. On Jan. 1, 1998, the Washington Electronic Authentication Act (WEAA) became effective, making Washington the first state to legally recognize digital signatures.

Digital-signature laws such as the WEAA have the potential of dramatically increasing electronic commerce. Although the Internet has grown at a phenomenal pace, electronic commerce has been slower to develop. The question everyone would like to answer is “What are the barriers to electronic commerce, and how can we overcome these barriers?” There is no simple answer because a variety of factors are affecting its development. For example, one barrier may be simply psychological — it takes time for individuals and businesses to feel comfortable conducting business over the Internet. Fundamentally, however, the barriers to electronic commerce are both technical and legal. Digital-signature technology and recently enacted legislation establishing rules governing the use of digital signatures may help overcome these barriers.

Overcoming EC Barriers

The challenge posed by a public communication system such as the Internet is the establishment of trust. For example, if you receive an email message from someone claiming to be John Smith, how do you know that the person sending the email is in fact John Smith? The truth is that you cannot know for sure. Even if you know John Smith and that his email address is johnsmith@abc.com you still don’t know whether someone has accessed John Smith’s account and sent an email message claiming to be John Smith.

Although this example is rare, it has occurred, causing significant problems for the persons involved. It is also possible (and more common) to “forge” a return email address to make a message appear to be from someone else. In our example, this can be done without actually accessing John Smith’s real account. Trust is more problematic if you have never met John Smith. Although trust may not be particularly important for using email to chat, it is critical for individuals and companies who want to use the Internet to conduct business.

Existing laws also create problems. Assume you are a business and you receive an order for a variety of parts via email. At the bottom of the order is typed “John Smith.” You then ship the parts to John Smith and demand payment. John Smith, however, denies having sent the email. Under our laws, a person relying on a signature has the burden of proving the validity of the signature. This would be relatively simple in a paper-based transaction, because you could show that John Smith actually signed the order (unless his signature was forged). In a paperless transaction, however, the task is much more difficult. It is not clear how you could prove that John Smith typed “John Smith” on the order. You could argue that the email came from John Smith’s account and that evidence is sufficient to satisfy your burden of proving John Smith actually signed the email message, but it is unclear how a court would rule in such a case. In any event, few businesses want to take that risk. This issue is known legally as nonrepudiation.

Digital signatures can solve both problems of trust and nonrepudiation. Digital signatures create a means by which a person may verify that John Smith actually signed an email message. What is more significant, however, is that digital-signature legislation like the WEAA shifts the burden of proof regarding the validity of the signature. A person relying on John Smith’s digital signature is not obligated to prove that John Smith actually digitally signed the email message to be able to legally enforce the offer contained in the email message. Instead, the WEAA provides that John Smith has the burden of demonstrating that in fact he did not sign the email. By shifting the burden of proof, businesses are much more likely to be willing to rely on digital signatures to conduct business over the Internet. To better understand how digital signatures can solve the problems of trust and nonrepudiation, it is helpful to describe how digital signatures work.

How Digital Signatures Work

A digital signature is simply a unique series of characters that is generated for an electronic document. Here’s how it works. A person wishing to “sign” an electronic document must first have software capable of creating a digital signature. Companies such as CertCo www.certco.com and Entrust Technologies www.entrust.com produce digital-signature software. For electronic mail, upcoming versions of Microsoft’s Outlook 98 and Netscape Mail will also have digital-signature capabilities. The software uses a mathematical calculation known as a hash function to create a unique identifier for the document. For example, the unique identifier for this article might look something like 3ojf93je8uvnme09u$fed&rdOJjifwDoi. This unique identifier is known as the hash result. Although it is theoretically possible that two different documents could have the same hash result, for practical purposes it is safe to say that each document has a unique hash result.

Although the hash result is a unique identifier of the document, it does not identify the “signer” of the document. Here’s where encryption technology comes into play. A person wishing to digitally sign a document must also have a pair of “keys” known as a “private key” and a “public key.” These keys are related to each other through the mathematical principle known as asymmetric cryptography. As stated in the Digital Signature Guidelines published by the American Bar Association (www.abanet.org/scitech/ec/isc/dsgfree.html), an asymmetric cryptosystem is “a system which generates and employs a secure key pair consisting of a private key for creating a digital signature and a public key to verify a digital signature.” The principal feature of this key pair is that although the public key can be used to verify a digital signature created by the private key, it is nevertheless not feasible to use the public key to compromise the security of the private key.

The software uses the signer’s private key to encrypt the hash result for the document. The encrypted hash result for this article would look something like dljme_E&ioj@-sejoecUksfjFD#fgM&@klj. This encrypted hash result is appended to the end of the document, and it is the signer’s digital signature for the document. In summary, it is an identifier that is unique to both the document and the person signing the document.

To verify the authenticity of a digital signature, the recipient’s software also calculates the hash result for the document. Then, using the public key of the signer, the software confirms that the hash result was encrypted (or “signed”) by the person holding the private key. If the encrypted hash result can be confirmed, the recipient of the digital signature knows that the document has not been altered, and that John Smith signed the document. (Editor’s note: This presumes, of course, that John Smith has properly safeguarded his private key.)

Although digital-signature technology makes this process possible, it assumes that the recipient knows the public key actually belongs to John Smith. This is where the Washington Electronic Authentication Act is important. Entities known as “certification authorities” issue certificates that confirm the public key belongs to the person signing the document (in this case, John Smith). Thus, these certification authorities act as independent third parties that certify the identity of the signer.

Electronic Authentication Act

The WEAA establishes standards for licensing certification authorities. The certification authority must:
  • Use a trustworthy system in the issuance of keys and certificates.
  • Obtain a bond or other suitable guaranty.
  • Show that its employees have a minimum level of competence and have not been convicted of fraud or a recent felony.
  • Satisfy annual auditing requirements.

Although the licensing requirements attempt to provide some assurances to a relying party that the certification authority is trustworthy, the reputation and financial stability of the certification authority should also be considered before obtaining or relying on a certificate.

Although certification authorities are not required to obtain a license to conduct business in Washington, the WEAA creates special rules for licensed certification authorities that affect all parties. For example, licensed certification authorities enjoy limited liability under the WEAA. A person who uses a private key to digitally sign documents is liable for any loss if the person negligently loses control of his or her private key. This is significantly different from the federal laws governing the loss of credit cards, which limit consumer liability to $50 per card.

Finally, as discussed previously, not all digital signatures are presumed valid under the WEAA—only those in which the signer obtained a certificate from a licensed certification authority. Further, presumption is not applicable if reliance on the certificate was not reasonable. For example, a recipient of a digital signature must check the certification authority’s repository to make sure that the certificate has not been revoked. (The repository is an electronic database that includes a list of all certificates that have been suspended or revoked. Software that verifies a digital signature automatically checks the repository that is specified in the certificate.) If the certificate has been suspended or revoked, but the recipient nevertheless decides to rely on the certificate, the presumption of validity is lost.
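The following is an added example, not code from the article or from any VeriSign, CertCo or Entrust product. It models the flow described under “How Digital Signatures Work” (hash the document, “encrypt” the hash result with the private key, verify with the public key, have a certification authority certify the public key) together with the relying-party checks just discussed (CA signature on the certificate, expiration, and the repository of suspended or revoked certificates). It uses textbook RSA over fixed Mersenne primes, which is insecure and for illustration only; the JSON certificate layout, the fingerprint used as the repository key, and all names and dates are constructed assumptions.

```python
"""Toy model of sign / verify / certify / repository-check.
Textbook RSA on fixed Mersenne primes: illustration only, NOT secure."""
import hashlib
import json

E = 65537  # public exponent shared by every toy key


def make_keypair(p: int, q: int):
    """Return (public_key, private_key) built from two primes (toy setup)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"n": n, "e": E}, {"n": n, "d": d}


def hash_result(document: bytes) -> int:
    """The article's 'hash result': SHA-256 of the document, as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private_key) -> int:
    """'Encrypt' the hash result with the private key: the digital signature."""
    return pow(hash_result(document), private_key["d"], private_key["n"])


def verify(document: bytes, signature: int, public_key) -> bool:
    """Recompute the hash result and check the signature opens to it."""
    return pow(signature, public_key["e"], public_key["n"]) == hash_result(document)


def canonical(body: dict) -> bytes:
    """Deterministic encoding so the CA's signature covers exact bytes."""
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_private, owner: str, organization: str, owner_public, expires: str):
    """Certificate contents listed in the article: owner, organization, public key,
    expiration, and a CA signature proving the body has not been altered."""
    body = {"owner": owner, "organization": organization,
            "public_key": owner_public, "expires": expires}
    return {"body": body, "ca_signature": sign(canonical(body), ca_private)}


def fingerprint(certificate) -> str:
    """Assumed repository key (the article names no serial number)."""
    return hashlib.sha256(canonical(certificate["body"])).hexdigest()


def rely_on(document, signature, certificate, ca_public, repository, today: str):
    """Checks a relying party must pass before reliance is reasonable.
    Returns (ok, reason)."""
    body = certificate["body"]
    if not verify(canonical(body), certificate["ca_signature"], ca_public):
        return False, "certificate not issued by the trusted CA, or altered"
    if today > body["expires"]:  # ISO dates compare correctly as strings
        return False, "certificate expired"
    if fingerprint(certificate) in repository:
        return False, "certificate suspended or revoked in the CA repository"
    if not verify(document, signature, body["public_key"]):
        return False, "document altered, or not signed with the certified key"
    return True, f"signed by {body['owner']} ({body['organization']})"


# Constructed keys: Mersenne primes 2^127-1, 2^521-1 (CA) and 2^107-1, 2^607-1 (signer).
CA_PUBLIC, CA_PRIVATE = make_keypair(2**127 - 1, 2**521 - 1)
SMITH_PUBLIC, SMITH_PRIVATE = make_keypair(2**107 - 1, 2**607 - 1)
SMITH_CERT = issue_certificate(CA_PRIVATE, "John Smith", "ABC Corp", SMITH_PUBLIC, "2000-12-31")
ORDER = b"Order: 40 widgets, ship to John Smith, ABC Corp. Signed, John Smith"  # constructed
ORDER_SIGNATURE = sign(ORDER, SMITH_PRIVATE)

if __name__ == "__main__":
    nothing_revoked, smith_revoked = set(), {fingerprint(SMITH_CERT)}
    print(rely_on(ORDER, ORDER_SIGNATURE, SMITH_CERT, CA_PUBLIC, nothing_revoked, "1999-05-01"))
    print(rely_on(ORDER + b"!", ORDER_SIGNATURE, SMITH_CERT, CA_PUBLIC, nothing_revoked, "1999-05-01"))
    print(rely_on(ORDER, ORDER_SIGNATURE, SMITH_CERT, CA_PUBLIC, smith_revoked, "1999-05-01"))
```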

There are other factors that may affect the validity of a digital signature or the liability of parties, so all parties should know and understand the provisions of the WEAA before using or relying on a digital signature. (The WEAA is codified in Chapter 19.34 of the Revised Code of Washington and can be found at leginfo.leg.wa.gov/pub/rcw/title_19/chapter_034. Other Revised Code of Washington titles can be found at leginfo.leg.wa.gov/www/rcw.htm.)

The Washington Secretary of State is the governmental authority issuing licenses to certification authorities. It has not yet issued a license to a certification authority, although it is anticipated that Integrated Electronic Authorization Inc., a Washington corporation, will be one of the first companies to obtain a license. Other national certification authorities such as Verisign www.verisign.com will probably apply for a license in the near future. Although other states have enacted digital-signature laws, Washington is the first to broadly implement such legislation.

Future of Digital Signatures

For electronic commerce to flourish, the transfer of electronic information must be trustworthy and cost effective. The WEAA opens the door for the widespread use of digital signatures. Initially, the biggest user of digital signatures may be state and local governments. In the near future it will be possible to electronically file documents with Washington state or local government. For example, individuals will be able to file corporate documents, real estate deeds, and court pleadings electronically.

As the use of digital signatures becomes more widespread, private businesses will also discover the benefits of digital signatures. Some industries may be radically transformed by the ability to simultaneously and reliably transfer information. For example, transaction costs will be significantly reduced for international deals, which will be able to close with the click of a mouse even though the parties are thousands of miles apart. Because of the opportunities created by digital signatures, Pacific Rim countries are working with Washington state to develop uniform standards for the use of digital signatures.

In this dawn of electronic commerce, Washington state is trying to create new opportunities for electronic commerce by enacting legislation to remove barriers. Ultimately, national legislation may be required before digital signatures become widely used. It is conceivable, however, that Washington’s new law may become the model for future national standards.

Tom Melling, an attorney with Hillis Clark Martin & Peterson, P.S., in Seattle, is a member of the Washington Digital Signature Implementation Task Force and the Information Security Committee of the American Bar Association. He can be reached at (206) 623-1745 or tgm@hcmp.com.

Categories: Authenticate, VeriSign

Credit Reports Go Online in 1997 (sort of)

By Jim Bruene on August 4, 1997 8:34 AM | 0 Comments


Before: Experian began making credit reports available over the Internet for $8 at www.experian.com/product/consumer/online.html.


After: A few days later, Experian was forced to shut down the service indefinitely due to a technical glitch which sent credit reports to the wrong users.

The good news: Experian was the first of the big three credit bureaus to offer online access to credit reports at www.experian.com. The (really) bad news: they were forced to shut down the service after only a few days due to a highly embarrassing technical glitch that misdirected credit reports to the wrong online requester. The online credit reports do not contain full account numbers, so the glitch isn’t as bad as you might have thought. Naturally, it made headlines around the country, throwing more cold water on the coals of electronic commerce.

The silver lining in all this? A small start-up company, QSpace www.qspace.com, is doing what Experian tried to do, but in a more secure fashion using VeriSign’s class 2 digital certificates to verify user identity. QSpace had been advertising a $7.50 special for the digital certificate (good for one year) and credit report (with subsequent purchases costing $3). But with Experian’s temporary exit, QSpace upped the price to $12 (and $5 for credit report reorders). QSpace says they were merely passing on an increase in the wholesale cost of digital certificates from VeriSign (which also retails digital certificates for $19.95).

[image]

QSpace’s version of “Netscape Now.” Click on the button to link to the Internet Credit Report order form.


QSpace provides a “free” copy of your credit bureau report online, but you have to buy a VeriSign class II digital certificate for $12.

QSpace delivers online credit reports (from Experian’s database) under the trademarked name Internet Credit Report. Users must have a class II digital ID from Verisign for authentication. You earn a free credit report by buying the digital ID online through Experian. QSpace has posted an excellent FAQ on credit at www.qspace.com/questions/faq_all.html. Privately held QSpace began operations in Oakland, CA in August 1996.
Contacts: I.O.A. Eze is Co-Founder & President; Arash Saffarnia is Co-Founder & CTO; Peter C. Balas is Founding Investor, 510.893.1085.

Categories: Experian, VeriSign
