I spent a very interesting hour with Phil Libin, president of CoreStreet, learning about the company's method for providing "massively scalable validation products for identity management and access control" - that's how CoreStreet describes its business. First, though, we had to get over a couple of semantic hurdles which points up one of the things slowing down the convergence of pure security products with pure identity management tools.
CoreStreet comes from the security arena. It was founded by Silvio Micali, still a professor of computer science at MIT. His specialty is cryptography, which led to the company's emphasis on exploiting public-key infrastructure (PKI) in a new way. One of CoreStreet's science advisors is Ronald Rivest, also a computer science professor at MIT and the "R" in RSA Security.
In the security field, "validation" takes place after a person is authenticated. It refers to, in brief, the checking to see if the person's digital certificate has been revoked.
In identity management, validation occurs before there can be any authentication. It refers to, in brief, the checking of credentials given in verification of the information used to create a person's account.
While the two uses are similar in meaning, their places in the identification and authorization stream are quite different. Vocabulary will need to be standardized so that convergence can truly occur.
Still, CoreStreet hasn't had much trouble in selling its services to technology partners, such as Entrust, or to major clients, such as the Department of Defense or Fidelity Investments. CoreStreet has no trouble because it promises - and delivers - faster, safer and more reliable "validation" than anyone else. It is especially proud that as the number of users increases so too does CoreStreet's advantage over other, old-style, validation products. Here's why, as Libin explained it to me.
Traditionally, when a service needs to check to see if a user's digital certificate has been revoked, it uses the Traditional Online Certificate Status Protocol (T-OCSP). This is a series of interactions with a trusted responder, with each interaction requiring its own digital signature.
According to Libin, even the most optimized server can handle only 100 interactions per second. The typical response, when the number of users grows very large, is to multiply the number of trusted responders and place them near the users. But many industries and organizations have requirements about the security of the trusted responders, such as putting them in vaults, protecting them with 24-hour guards, and much more. Each of these servers can cost in the many hundreds of thousands of dollars. And there is no economy of scale. The 50th costs just as much as the first.
Since there didn't seem to be a way to cut the cost of trusted responders, CoreStreet's answer is to improve their efficiency - from 100 interactions per second up to thousands or tens of thousands. And, of course, when you hear how CoreStreet does it the immediate response is "Why that's so simple, why didn't I think of it!"
Simply put, CoreStreet uses those same trusted responders, but doesn't have them listening for anything. Instead, the responders are constantly evaluating the certificate status of each user and construct a response package asserting either the existence of a certificate or its revocation. At pre-determined times, these packages - signed by the trusted, secure servers - are sent out to what are, in effect, proxy responders. These low cost, clustered devices listen for validation requests and respond with the appropriate package. The requesting client still can verify (from the digital signature) that the package was generated by a trusted source but has no need to actually interact with that source.
To find out more, go to the "How it works" page at CoreStreet's Web site or, for a full-blown understanding, CoreStreet's dozen or so white papers go into excruciating detail. Who knows, it just might prompt you to have an "aha!" moment of your own.
Although there is no direct CoreStreet office in Australia, customers have several options obtaining the product including service providers such as Betrusted, PKI partners such as Entrust, financial services customer and now CoreStreet partner Identrus, and several of the global integrators.