RealTime IT News

Sparks of Life (and Green) in Smart Cards

SAN JOSE, Calif. -- Got green in your browser's URL bar? If you do with the latest IE, the technology industry wants you to associate it with confidence in secure online transactions. Or at least give the user a visual clue if a site is actually spoofed.

At a time when research suggests that more consumers are slamming the brakes on online commerce amid fears of identity theft, technology providers are pouring fuel on new authentication engines to keep the digital economy growing.

They may be doing more than talking this time. More than 60 vendors -- hardware, software and everything in between -- are promising to line up better identity protection and authentication tools for businesses and consumers.

The projects are already sparking new smart cards to use with Web-based transactions. And they're delivering.

Take digital signature provider VeriSign. The company plans to integrate its latest digital certificates of authentication to support Microsoft's "InfoCard," the smart card identity management project Bill Gates touted during his keynote at the RSA Security Conference yesterday.

The partnership means VeriSign's Sockets Layer (SSL) certificates and its just-launched VeriSign Identity Protection (VIP) offering will be integrated with Microsoft Internet Explorer 7, which recently went into beta.

"It's time to put a new face on identity security," said Stratton Stavlos, CEO of the digital certificate provider, during a keynote address at the RSA Security Conference.

As part of a keynote demonstration of the integration with IE7, the color green in the URL bar indicated to the user that VeriSign's high-level certificate authority stamped their assurance that the Web site has been authenticated.

A spoofed site? Not with the levels of checking that go into getting that certificate into the site. Green is the signal to the user that this is a Web site that it can trust -- and conduct business with confidence.

After all, the little "lock" that appears in the lower right corner of a browser can be easily spoofed, noted Microsoft's Michael Stephenson, director of product management in Microsoft's server and tools division.

The VeriSign certificate that lights up green in the URL field is the result of a network of security providers sharing information on the validity of the Web site in question -- and updating that status in real-time, executives here said.

The VeriSign Identity Protection (VIP) offering is a mix of software and intelligence that gives consumers something more than a password to authenticate who they are during online transactions.

VeriSign and Microsoft call the integration "mutual authentication" on the Internet, meaning a transaction requires that both the destination site and the consumer positively identify each other.

That SSL certificate, and the VIP offering, are "comprehensive, strong authentication from a variety of vendors," Stavlos said during a keynote today. The companies share intelligence with each other on anomalies they discover.

"It's a network effect around security, sharing that ID credential."

The industry-wide effort to improve authentication tools among devices people carry, such as cell phones, PDAs and USB devices, is dovetailing with OATH (Initiative for Open AuTHentication), the industry group representing some 60 device, platform and application companies, as well as end users of authentication technologies.

Just today, OATH sent drafts to the Internet Engineering Task Force (IETF) for protocols governing symmetric keys between different systems, which are key to that all-important digital handshake that establishes who the two transacting parties really are.

The idea is to keep confidence high that the Web site is actually what or who it says it is, at a time when confidence is high on the minds of technology executives.

John Thompson, CEO of security provider Symantec, noted during his keynote address today the results of a Conference Board survey of 10,000 households.

It found that 41 percent are buying fewer items online and that 54 percent are more concerned today about their personal information.

"Unless each and every one of us -- enterprises and consumers -- can prove to the other that we are trusted partners, the risks associated with online transactions will become unacceptable," he told attendees here.

For a company, failure to protect their customers' information will result in customers simply taking their business someplace else, to someone they can trust.

"If we fail to create a trusted digital environment, we won't just slow the growth of e-business, but of all business. We won't just hurt the digital economy, but the economy as a whole," he said.

"And, this is the real hidden threat today -- not some massive cyber attack, but the loss of consumer confidence in the digital world."