PKI/Digital Certificate (DC) Market Analysis
Update January 2002
This is the current market research update on the PKI/Digital Certificate (DC) market with a focus on central Europe and Switzerland.
The main statements as published in our previous report remain valid, that is:
- Market will be dominated by enterprise or sector oriented PKI solutions
- PKI providers operate in a tough market environment
- Sector oriented solutions combined with B2B applications
- 45% of oversized/"out of the box" PKI/DC installations were not successful
- Security driven PKIs are a non-success due to complexity, cost and missing business support
- Identrus and VeriSign are still the only international certificate schemes of importance
New issues:
- Microsoft will be part of enterprise PKI strategies
- Government will have to play a leading role for public certificates, based on specific e-Government services
- Cost per user is coming down
- More client hardware tokens will be available in 2002
- First large scale roll-outs to be expected 2nd quarter 2002
Details
According to a report published by the Meta Group, the international PKI market is consolidating with a clear tendency toward constant growth (platform of productivity). The rate of unsuccessful PKI/DC projects remains high: nearly 50% of the security driven (internal) PKI projects were a failure, mainly because of wrong targets, unreachable goals, a wrong approach (bottom-up instead of top-down) and unskilled resellers. Large-scale projects with complex goals in particular could not succeed within the planned time frame. Building a comprehensive PKI infrastructure requires a long-term effort and cannot be achieved within a few months. Visionary enterprises defined small, certificate-driven projects that used the same infrastructure, adding application after application. This approach seems to be successful, independent of location or business sector.
General growth is expected with the support for certificates within Windows XP, although the key PKI components are missing from the Microsoft product. Large organisations will still need a strong infrastructure with automated PKI processes, which Microsoft cannot offer today (or tomorrow). This means that there is no short-term alternative to the existing PKI products such as Entrust or Baltimore. The user, however, can make use of the certificate-supported client. META Group expects 50% of all large enterprises to run PKI systems by the year 2004. This figure will also apply to European customers.
In the application sector, the new signature laws will boost international signature applications. Bill presentment systems together with electronic invoicing will start spreading in 2002, with major growth expected in 2003. With the adoption of electronic invoices in the European legal systems, the main obstacle to process integration will be cleared away. This will boost B2B e-commerce and digital signatures. Providers of accounting systems and e-commerce software will be able to update their products and generate revenue. Switzerland is leading the way by supporting VAT-accepted electronic invoicing and archiving by January 2002. E-mail security still remains a painful field, mainly because of the insurmountable conflict of interest between virus protection, which must inspect message content, and end-to-end security, which hides that content from every intermediary. Consequently there will be a focus on server-to-server encryption.
There will not be much change on the product supplier front. Product providers will remain the same, with Entrust still the leader at an estimated market share of around 40%. The future of Baltimore is uncertain, although it has been announced that they will restructure and tighten their product portfolio. RSA will have to integrate their acquisition (XCERT) and find a sound product strategy, including their legacy products such as SecurID. Smarttrust/ID2 remains a niche player with interesting products and Compaq support. All product providers still struggle with the stability and competence of their local subsidiaries and with problems in technical support through their resellers. The available skill base does not seem to cope with the requirements of the market.
Global PKI systems
There is still no global PKI system of significance besides VeriSign. Although there are some attempts to build similar structures (like Wisekey), no player has achieved global reach or international acceptance. Identrus is the strongest player in the banking sector with the most sophisticated policy base, but is still struggling to bring the solution to potential customers, mainly due to a lack of communication and marketing skills. "Make it or break it" for Identrus will be mid 2002.
Future Developments
Token management systems will become important because up to now there have been no real-life PKI systems with large numbers of tokens (mass roll-out) and the challenge of complex processes (except VeriSign). Large deployments must focus on support and revocation processes as well as token handling. The variety of tokens available on the market will continue to grow. User acceptance will be the decisive factor in which tokens survive. In the mobile sector, 3G systems supporting digital signature smartcards will not be available before 2004. The current pilot systems using GPRS and dual slot technology have no chance of substantial market deployment as long as there are no end-user devices available in large numbers. It seems that the WIM standard will win (dual smartcard mobile devices, where one card is used for DC use only). Biometric systems need some more years until they reach the level of maturity the market demands. More organisations will use ASPs to cover their PKI/DC needs (see next paragraph).
Recommendations
Global organisations should focus on a clear certificate strategy and targeted rollouts. Before any products can be evaluated, a sound PKI/DC/Authentication concept has to be produced. This includes a list of business needs for the use of PKI/DC and the strategy of accepting certificates as the main instrument for identification, authentication and authorisation purposes. Targets should be defined long term (2-4 years) based on a TEI (Total Economic Impact) analysis. Organisations should not concentrate on in-house versus external PKI but combine both services. The use of ASPs (a combination of certificate services and application) will continue to grow and the prices for such services will become attractive. The integration of certificates for process enabling, especially in the ERP field, should be planned, and software suppliers should be checked for availability of digital signature support in areas where current legislation has been prepared to enable electronic processes (electronic invoicing, VAT). As stated earlier, business units must drive these projects together with infrastructure providers (security and systems).
End-user devices are the key to a successful rollout. In the B2C market, only top-level customer segments can be equipped with expensive signature-compliant equipment due to cost limitations. Roaming solutions for large but closed user groups will be the fastest growing segment in the PKI/DC market. An in-depth analysis of the security requirements and of the quality of end-user devices needed will be a key success factor. In large-scale environments, token management systems will be a must to support PKI/DC operation.
Switzerland
Switzerland will have a comprehensive legal framework enabling all forms of electronic business transactions, including digital archiving of business-relevant data, by the first quarter of 2002. There is no public CA in operation. Application-driven PKIs will be pushed by the financial industry and the EDIFACT user group. Government PKIs will be needed by mid 2002; however, due to the political constellation, it is questionable whether there will be a system in operation by the end of the year. IG TOP and Swisscert are still in the initial phase of trying to build a business case. Swisscert is offering their non-signature-law-compliant solution from January 2002. The proposed system has some very nice features and is based on an anonymous voting concept. The technical solution must be adapted in order to become signature law compliant. This will require significant investments and adequate funding. The future of IG TOP remains uncertain; no significant progress has been made during the last three months. The banking industry has not moved a lot. Internal PKI solutions were announced, but deployment seems to be limited. In 2002, FSG (Sega Intersettle) will deploy their new SECOM solution with full PKI support.
© Bruno Wildhaber, 2002
PKI Enabled Services and Applications
Gartner presented their PKI Hype Cycle. The hype cycle basically describes the evolution of a new technology, starting with a hype after a short starting period. According to Gartner, the peak was reached in 1999. After this, demand sank to rock-bottom levels and is now growing again. We see the same development, but only for in-house PKIs. We do not agree on the overall PKI trend. In our opinion, there was no explicit hype cycle, but a continuous slow demand for certificate-based services. This includes internal and external services. Future developments will show which players survive. But it was obvious that the "old" PKI companies were less present than at earlier shows. Although they still had a lot of sessions, the focus is obviously shifting to applications.
Microsoft will be the most important new player in the future. Although currently teaming up with several PKI vendors, the recently introduced Windows XP operating system will include most of the key and certificate management functions needed for a corporate PKI. In particular, the Windows XP workstation will provide a transparent integration of key and certificate management services based on the CMC protocol (e.g. auto-enrollment and renewal, and key recovery using a Key Recovery Agent (KRA)). This will have an impact on the leaders in this segment: Entrust, Baltimore and RSA. We expect that most PKI vendors will focus their further development on PKI server products rather than on client products, because of the seamless integration and enhanced functionality of the key and certificate management services provided by Microsoft Windows XP and probably other future releases.
Privilege Management Infrastructure (PMI) vendors - e.g. Netegrity, Securant, Entrust, … - were strongly present and showed their Web Portal Access solutions. All these products are more or less linked to a PKI. However, it is obvious that PMI is not the "killer application" for PKI and certificate-based services. Much more important than PMI were the offerings around outsourcing and managed PKI services.
There is one general tendency towards certificate-enabled services and applications, pushing the infrastructure component back. We described this tendency some time ago. As more applications become available, "naked" PKI components and certificates will rarely be sold in the future, although there are still players trying to do this. We might not see them again next year.
Standardization and interoperability play an important role in the field of PKI. Organizations like the PKI Forum - an international, not-for-profit, multi-vendor alliance - have the goal of accelerating the implementation of interoperable PKI solutions. However, true interoperability has not been shown yet. RSA and Entrust just made an announcement in February regarding the interoperability of their products.
The following players will still dominate the corporate in-house PKI market: Entrust, Baltimore, Microsoft and maybe RSA. Microsoft will become a new player with its Windows XP operating system. However, this assumes that Windows XP systems will be rolled out in full. The required time frame will vary; however, even in very optimistic scenarios, this will not happen within the next 2 years. In the meantime, the existing PKI vendors will try to defend their current market position. Baltimore has teamed up closely with Microsoft to interoperate seamlessly with the Windows operating systems; Entrust and RSA will proceed with their own products. RSA bought Xcert, a Canadian PKI company. It was an open secret that RSA's Keon PKI could not compete with the leading PKI vendors. In addition to the established vendors, products were also shown by Computer Associates and by several smaller vendors. Their chances in the market are very limited. We do not see new players besides Microsoft who could be a threat to the established PKI vendors. We assume that the consolidation process in the PKI segment will continue and that at least one large non-PKI company will swallow one of the existing PKI players. Mergers could also happen. Influencing factors are: financial liquidity, strength of strategy, and attractiveness to potential buyers.
Identrus
Even though Identrus was not present with its own booth, several product providers showed Identrus components. Many product vendors are offering a suite of Identrus-compatible products. iTRUST Solutions will compile this information and provide it to existing customers and selected parties. Currently the success of Identrus depends on the applications supported and on the liability and warranty situation. Because some of the key issues are still pending, it is hard to give a final statement on the future of Identrus.
© Bruno Wildhaber, 2001