IBM building e-business security package

IBM Corp. said it has developed technology that could take much of the headache out of managing digital credentials for e-business.

Researchers at IBM’s Haifa, Israel, lab have created software that IS professionals can plug into existing e-business applications for authenticating and approving end users. The system also lets IS or business managers define the type of security policy they want to implement, giving them flexibility to tailor it to their needs without extensive programming skills.

Dubbed IBM TrustManager, the Java software works by using credentials such as digital certificates to verify and approve enterprise network or Web site access for customers, end users and partners. E-business buyers and sellers often do not know each other, needing to decide if they can trust each other enough to do business.

Managing digital credentials can be a painstaking process. According to Amir Herzberg and Yosi Mass, two of the lead researchers on the TrustManager project, there are few established certificate authorities, and the use of the technology is not widespread.

E-businesses typically must accept certificates from a pre-established list issued by a certificate authority such as VeriSign Inc., which is often time-consuming.

With the IBM technology, these businesses could instead use certificates from any other partner they have done work with or from a marketplace that issued digital certificates to member companies. If an unknown vendor were to approach the distributor, all that would be needed is a credential from a partner of the business or their partner’s partner, depending on what the business deems acceptable.

Relying primarily on the X.509 V3 certificate format, TrustManager can run on Windows NT, Unix or other server platforms. Using an API, it can be attached to existing applications, such as an HTTP server, for internal or external Web sites. Acceptable credentials might include a public-key/private-key mix, certificates signed by the issuer, a document retrieved from a company database or a record of a transaction.

TrustManager automatically collects accepted credentials in a database so IS staff are freed from entering them manually. The application also knows when to cancel an expired or revoked certificate and can be programmed to issue a credential for a fixed time period.

Working on a graphical user interface, TrustManager users write policy rules in an XML format that spells out, for example, how many certificates potential customers must have and how many site resources they are allowed to access. For companies that want to let customers remain anonymous, TrustManager can be configured to verify that an end user has access to resources without revealing his identity.

TrustManager also includes a software agent that goes out on the Web and locates certificates that might be needed to verify a particular vendor.

Although IBM doesn’t comment on unannounced products, TrustManager may find its way into the company’s lineup within six months, perhaps as an add-on to the Tivoli Systems Inc. SecureWay network management product line. Tests indicate the software also will work with IBM’s WebSphere application server, IBM says.

The technology could be a useful thing to implement for security, said one network manager with a large insurance firm who requested anonymity. However, one caveat is that a user must rely on the certificates of business partner or other sources, firms that might not be observing due diligence when issuing them, creating security risks, he said.

He added that the technology could become widespread, as e-signatures are going to be important in the future of ‘Net commerce. He said he expects others companies to offer similar products.

A free version of TrustManager is available at the IBM developer’s alphaworks site: