CertCo
Industry | Financial cryptography |
---|---|
Founded | March 1994New York City, New York | in
Founders |
|
Defunct | 2002 |
Fate | Dissolved |
Parent | Bankers Trust (1994–1996) |
CertCo, Inc., was a financial cryptography startup spun out of Bankers Trust in the 1990s. The company pioneered a risk management approach to cryptographic services. It had offices in New York City and Cambridge, Massachusetts. It offered three main public key infrastructure (PKI) based products: an Identity Warranty system (tracking and insuring reliance on identity assertions in financial transactions); an electronic payment system (internally known as Acquire); and an Online Certificate Status Protocol (OCSP) responder for validating X.509 public key certificates. It went out of business in Spring 2002 never having found a wide market for its products despite filing a number of patents and developing new technology.
History
[edit]Early history
[edit]CertCo was founded in March 1994 by Frank Sudia and Peter Freund as an internal bank department known as BT Electronic Commerce (BTEC). It spun out in November 1996 as CertCo with a number of outside strategic and financial investors in a transaction managed by Goldman Sachs.[1]
Some of its better known early employees included Rich Ankney, Ed Appel, Alan Asay, Ernest Brickell, David Kravitz (inventor of the Digital Signature Algorithm), Yair Frankel, Dan Geer, C.T. Montgomery, Jay Simmons, Nanette Di Tosto, Paul Turner, Mark Jefferson and Moti Yung.
Early on it licensed the "Fair Cryptosystem" key escrow patents of MIT Professor Silvio Micali and announced plans to implement a "Commercial Key Escrow System". Thereafter the policy climate for key escrow turned negative, market interest waned, and the system was never built.[2][3][4]
Vision
[edit]CertCo and Bankers Trust promoted the creation of a bank consortium to serve as a PKI certificate authority for global commerce, leading to the 1999 launch of Identrus, later renamed Identrust. The banks, however, declined to license CertCo's technology, opting instead for a vendor-neutral approach. Unlike the vendor-neutral approach, Certco promoted a risk management approach to PKI with transaction level insurance, and pioneered novel visionary approach to authentication in the financial sector: First, a distributed proactively secured certificate authority was designed and built (had it become a standard, it would have avoided a single control point over certificate authorities, and would have avoided coercion by that control point, and would have been further used to prevent attacks on the trust infrastructure, like the one on DigiNotar). Secondly, strong authentication of clients employing PKI and digital signatures was promoted, and if it had been widely used this would have reduced the effect of Phishing attacks, also envisioned as a possible threat to financial transactions).[5][6] Currently, practice employing U2F devices employs such strong authentication measures at the user side.
CertCo's most notable commercial customer was SETCo,[7] the operating company for the Visa-MasterCard Secure electronic transaction credit card security protocol, to which it provided certificate authority technology, which was the first implementation of distributed Threshold cryptography based signing.[8] Currently, Threshold Cryptography is widely employed, say in the Cryptocurrency exchange ecosystem.[9]
Business failure
[edit]Despite developing new technology, CertCo did not find a wide market for its products, and went out of business in Spring 2002, following substantial reductions in technical staff in November and December 2001, due, partially, to unavailability of investors after the September 11 attacks.
Technical contributions
[edit]CertCo made various contributions to the fields of cryptography and public key infrastructure via scientific publications and patents. Its most heavily cited patents by subject are:
- U.S. patent 5,659,616 Attribute certificates
- U.S. patent 5,825,880 Certificate authority
- U.S. patent 5,995,625 Digital rights management
- U.S. patent 5,903,882 Identity warranty
- U.S. patent 5,799,086 Key escrow
- U.S. patent 6,029,150 Payment system
Other patent filings include
- U.S. patent 6,411,716 Changing key fragments in a digital signature system
- U.S. patent 8321348B2 Computer-based method and system for aiding transactions
Standards and policy
[edit]CertCo personnel contributed to a number of standards bodies and policy projects, including:
- IETF Online Certificate Status Protocol OCSP
- American Bar Association Digital Signature Guidelines][10]
- ANSI X9.30 The Digital Signature Algorithm (DSA)[11]
- ANSI X9.31 Reversible Public Key Cryptography (rDSA) (better known as RSA)[12]
- ANSI X9.45 Attribute Certificates[13]
- ANSI X9.57 Certificate Management for Financial Services[14]
References
[edit]- ^ "FW Sudia Consulting". www.fwsudia.com.
- ^ Sudia, Frank (December 1995). "Private Key Escrow System". CertCo SecureKEES Brochure.
- ^ "A Taxonomy for Key Escrow Encryption Systems". 16 November 2006. Archived from the original on 16 November 2006.
- ^ "The Risks Of "Key Recovery," "Key Escrow," And "Trusted Third-Party" Encryption - 1998". 14 June 2007. Archived from the original on 14 June 2007.
- ^ The Payment System: Emerging Issues (FDIC). Archived 2011-06-04 at the Wayback Machine
- ^ "CertCo Providing Security for High-Value Transactions". PRNewswire. April 10, 2001.
- ^ "New group to oversee SET". CNet. May 1997.
- ^ "CertAuthority Solution Introduced". January 13, 1998.
- ^ Gągol, Adam; Straszak, Damian; Świętek, Michał; Kula, Jędrzej (2019). "Threshold ECDSA for Decentralized Asset Custody" (PDF).
{{cite journal}}
: Cite journal requires|journal=
(help) - ^ "Section of Science and Technology Law - Section of Science and Technology Law" (PDF). www.abanet.org.
- ^ ASCX9. "ANSI X9.30-1:1997 Public Key Cryptography Using Irreversible Algorithms - Part 1: The Digital Signature Algorithm". webstore.ansi.org.
{{cite web}}
: CS1 maint: numeric names: authors list (link) - ^ "ANSI Webstore".
- ^ "ANSI Webstore".
- ^ "ANSI Webstore".