GTE's CyberTrust For Web Electronic Commerce Washington, D.C., 6 February 1996 -- GTE officials say that the company's new CyberTrust electronic commerce program will allow companies for the first time to handle most of the CA (Certification Authority) function by themselves, by means of secure Web servers. At the Comnet press conference, reporters were told that GTE, a partner of both Mastercard and Visa, will introduce its new "Virtual CA" capability for Webmasters in conjunction with a trio of related services. The four new services from GTE are aimed at financial institutions, online merchants, and government agencies, as well as at the corporate and consumer markets, said Charles S. Walton, Jr., CyberTrust's program director, speaking at the Comnet press event. One component of CyberTrust, called the Electronic Commerce Service, will provide an "infrastructure" for credit card companies using new secure payment standards for online transactions, Walton added. Another new service, the Partner Forum, will provide online test services and tech support for developers and integrators in the electronic commerce arena. Through GTE's new Cybersign service, GTE will directly handle the maintenance of public key certificates, as well as the issuance, renewal, and revocation of these certificates. But with Virtual CA, GTE will manage certificate management only, permitting Webmasters at subscribing companies to do their own issuance, renewal, and revocation of certificates. Walton acknowledged that GTE's new suite of services will be targeted at the same market now dominated by Verisign. But the GTE services, he maintained, will be differentiated on the basis of general "operational environment," as well as by Virtual CA. In a follow-up interview later, Walton said that GTE, a long-time consultant to Mastercard, began working with both Mastercard and Visa last November on development of SET (Secure Electronic Transactions), a new joint standard for online credit card transactions. GTE, he added, hosted both Mastercard and Visa last week at GTE headquarters in Needham, Massachusetts. Aside from GTE, Mastercard and Visa, other partners in the SET effort include Verisign, IBM, Microsoft, Netscape, SAIC, and Terisa Systems. GTE had previously helped Mastercard to create the SEPP standard, according to Walton. GTE's new CyberTrust, first announced as supporting SEPP, will now support its "successor," SET, he noted. CyberTrust will also comply with the SSL protocol for Web security. During the press event at Comnet, Walton reported that Cybersign and Virtual CA will implement a "dual card, split RSA key design," with "strong access controls." The two systems will use PCMCIA cryptographic hardware token technology and X.509-certificate-compatible software. Virtual CA, he continued, will initially be available on Sun Solaris-based secure Web servers, but will be ported to Windows NT-based secure Web servers by the end of 1996. End users will be able to access Virtual CA through Netscape browsers. The Web server-based service will introduce "verification at the server level, which is really where you want it to be," asserted the GTE official. On-site Webmasters are in a particularly good position to confirm that users "are who they say they are," the journalists were told. As a result, Virtual CA will use a technique called "pre- verification," in which the Webmaster, or RA (Registration Authority), will validate and approve users' certificate requests before the requests go to CyberTrust. CyberTrust will then return a certificate for the end user, in the form of an algorithm, either direct to the end user or through the RA. Companies subscribing to Virtual CA will receive custom home pages for certificate data entry, and for issuing, renewing, and revoking certificates, Walton said. The CyberTrust program director said that the special PCMCIA hardware will be used at the "CA level" only, and will not be required by either end users or Webmasters. No "actual cards" will be issued to, or needed by either group, he added. GTE plans to begin offering both Virtual CA and Cybersign in the second quarter. --