Xcert brings PKI to Web commerce

Xcert International Inc. is an independent public-key infrastructure (PKI) company at a time when many PKI firms are merging with or being absorbed by others. In fact, PKI is so expensive and complicated to implement that it can be hard to sell and deploy, leading many vendors to broaden their offerings through mergers and acquisitions.

Xcert International Inc.

Location: 1981 North Broadway, Suite 330, Walnut Creek, Calif. 95696

Telephone: (925) 274-9300

Web: www.xcert.com

Niche: PKI software and services

Why it's worth watching: Offers easy-to-use, scalable and open PKI platform and services.

Company officers: Patrick Richard, founder, chief technology officer and director; Sandy Sutherland, vice president of engineering; J.T. Hardy, vice president of professional services; Ed Murrer, senior vice president of sales and marketing

Milestones: 1996: Company founded, first product released; January 1999: Introduces Sentry CA 3.5, Sentry 4.5 PKI software for ASPs

Employees: 180; 220 by the end of the first quarter

Burn money: $40 million, including $31.5 million from Marconi

Products/pricing: Bundle of Sentry CA, a Web-administered certificate authority; WebSentry, a plug-in module to PKI-enable Web servers; and Sentry RA, which enrolls high volumes of users. Prices start at $45,000 for 1,500 users.

Customers: T. Rowe Price Group Inc., General Electric Co., American Bankers Association

Partners: TidePoint Corp., CitX Corp., Newbridge Networks Corp.

Red flags for IT: Xcert is a small player up against much larger, public companies in a consolidating market. PKI requires extensive planning up front and expensive ongoing administration.

But Xcert plans to remain independent. The Walnut Creek, Calif.-based company claims that its PKI tools are easier to use, more scalable and more easily adaptable to Web commerce than those of its rivals. What's more, it says it sees application service providers (ASPs) as another major market. Xcert's scalability is proven by the response it's getting from ASPs that may serve thousands of users, says Patrick Richard, the company's founder, director and chief technology officer.

"Any ASPs that need to run PKI shouldn't have to look anywhere beyond Xcert [for their PKI needs]," says Richard. "We're on our third generation of [Web-enabled] tools," which can scale "an order of magnitude greater" than competitors' products and can be installed in as little as 20 minutes, he claims.

Xcert's Sentry CA (certificate authority), RA (registration authority) and WebSentry tools "provide a good user interface," says Victor Wheatman, an analyst at Gartner Group Inc. in Santa Clara, Calif. As a relatively small company, he says, Xcert can also be nimble in providing support or custom code when needed. "They have a very talented professional services division," he says.

Matt Pavone, a Web architect at American Management Systems Inc. (AMS) in Fairfax, Va., used Xcert's PKI tools for the Buysense Web procurement service that AMS offers to state and local governments. He praises Xcert's ability to check for access rights using either a digital certificate or just a name and password and to let customers log on to multiple applications with a single sign-on. Even under the simulated impact of 250 near-simultaneous users, "we have not crashed the Xcert authentication server," says Pavone.

In PKI, the senders and recipients use two sets of keys -- one public, one private -- to encrypt and decrypt communications. PKI systems use certificates issued by certificate authorities to link users with the keys they use.

Keeping track of who has which certificates and which individuals or institutions can act as certificate authorities, as well as revoking certificates when needed, are only some of the long-term costs of managing PKI. Then there's the challenge of sharing information between PKI systems and other security tools and with corporate directories. As Wheatman says, many PKI projects never get past pilot mode.

Highly Scalable

Xcert's tools can scale to 8 million certificates, while competitors "are struggling to reach the 1 million mark," says Richard. Xcert also ships with interfaces that let it automatically publish lists of certificates to other corporate directories. That's crucial, according to Wheatman, because PKI really pays off "when it can be leveraged across multiple applications."

Several customers also say they like the way Xcert can revoke the certificates of certificate authority users who have, for example, left the company. While other PKI tools must scan a certificate revocation list to determine if a user has lost any rights, Xcert instantly transmits such a change in status to all affected Web servers using the Online Certificate Status Protocol.

"I don't know of anyone who has a comparable offering right now," says Jack Moskowitz, an Xcert customer and vice president for security architecture at eOriginal Inc., a Baltimore-based vendor of e-commerce products and services. Moskowitz says, however, that he would like to see Xcert develop a more robust Lightweight Directory Access Protocol-compliant directory that would include mirroring and other recovery capabilities.

Xcert also offers professional services and sells PKI as an application service, both on its own and through partners. Richard says an investment of US$40 million from investors including Marconi PLC, a London-based provider of communications products and services, has given Xcert "staying power."

The company says it has yet to reach $10 million in revenue but that it plans to become profitable sometime in the next three years.

Facing PKI's Big Guns

Market research firm International Data Corp. in Framingham, Mass., estimates that the PKI market will grow from $281 million in 1999 to $3 billion in 2004 as enterprise customers use the tools to secure e-commerce applications. Xcert's chief selling points are its ease of use, openness and scalability, which customers have praised.

However, Xcert faces several larger competitors, some of which can offer products and services beyond Xcert's PKI capabilities, such as Web access control tools. Gartner Group analyst Victor Wheatman also warns that the cost and complexity of PKI are as important for customers to consider as individual products.

Baltimore Technologies PLC

Basingstoke, England

In January, Baltimore purchased GTE CyberTrust Solutions Inc., adding GTE's PKI hosting business to its line of PKI and other security products. The CyberTrust acquisition and the earlier purchase of British-based Zergo Holdings PLC have created what Gartner calls "a potent competitor," particularly for customers in the Pacific Rim and Europe.

VeriSign Inc.

Mountain View, Calif.

VeriSign broadened its reach last year by acquiring Herndon, Va.-based Network Solutions Inc., which registers .com, .net and .org names on the Web. VeriSign caters to customers who want to outsource their PKI systems rather than build them. "You don't necessarily learn a lot" about PKI, says Wheatman, but "in many cases, you don't need to learn a lot when you use an outsourcer." Outsourcing PKI to a firm such as VeriSign can also let customers deploy a secure application faster than building it in-house.

Entrust Technologies Inc.

Plano, Texas

Entrust sells Entrust/PKI for e-business applications and Entrust/PKI to issue Wireless Application Protocol certificates for mobile devices. The company also offers consulting services. Entrust has one of the most full-featured PKI offerings on the market, says Wheatman, but its products may be too expensive for some users.

This story, "Xcert brings PKI to Web commerce," was originally published by Computerworld.
