Baltimore's death spells gloom for PKI

The final slide of Baltimore from a £7bn software powerhouse to a company whose only asset is £25m in cash signals the failure of PKI technology to match the hype of the past few years.

The meeting of Baltimore Technologies' shareholders on Friday signals more than just the decline of a European software powerhouse, valued at £7bn at the height of the dot-com boom, into a shell whose only assets are £25m in cash. It also embodies the general failure of PKI technology to match the hype that it generated over the past few years, say analysts.

At the extraordinary general meeting in Dublin, shareholders are expected to approve the sale of Baltimore's Public Key Infrastructure (PKI) technology to US-based beTrusted, the company formed by PricewaterhouseCoopers. The meeting is seen by many as merely a formality to dispose of Baltimore's one remaining software asset, its core security software business: the UniCert PKI software.

Baltimore may have made many mistakes over the past years, but it has also been a victim of the almost complete failure of PKI technology to take off. A public key infrastructure is a framework that provides security services to an organisation using public-key cryptography. These services are managed using certificates which are issued from a central certificate authority.

"The promise of PKI hasn't happened," said Ovum principal analyst Graham Titterington. "And I don't think it will. It is expensive and costly to implement. Businesses have felt it is just not worth the expense. The whole thing turned out to be pie in the sky -- that's why Baltimore collapsed and why others have had lean times. Entrust, Verisign and RSA have had tough times too, but they had greater revenues and other revenue streams so they have survived and Baltimore hasn't because it failed to diversify."

Part of the problem with PKI in a public environment, said Titterington, is one of trust. "Who do you trust to issue the certificates? Even if the organisation issuing the certificates is trusted, what process have they been through before issuing each one? How do you know how much diligence they have been through?"

In March 2001, VeriSign, which acts as a certificate authority, issued two digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The mistake led Microsoft to release a software update for all Windows releases dating back to 1995.

"It is conceivable that government-issued certificates could still happen," said Titterington, "but the jury is still out on that." Indeed, Spain and Belgium have taken a lead in this area, with the governments there issuing digital certificates to citizens, but even governments face the problem of making sure that when they authenticate a person, they know with absolute certainty that that person is who they say they are.

"You have to go to great lengths to verify who is applying for a certificate," said Titterington. "Also, if anyone can issue a forged certificate in any way then the whole operation becomes debased. If 1 percent of certificates were forgeries and 99 percent genuine, the trust of that 99 percent of certificates would drop through the floor."

Although wide use of certificates for e-commerce has failed to materialise, some companies are using them internally, where a server in the datacentre can issue the certificates and HR departments can be trusted to authenticate users.

James Governor, principal analyst at RedMonk, agrees that PKI has on the whole failed to happen. "Waiting for PKI to take off is like waiting for Godot," he said. "A lot of people can see why it is useful for e-commerce but we haven't seen it happen. A lot of people tried to push for top down but it hasn't worked."

Baltimore's mistake, said Governor, was to bet the house on PKI. "It is also difficult to sell a portfolio that has a lot of different pieces related by a theme, and you're trying to tie them together," said Governor, referring to Baltimore's attempt a year ago to package up its PKI technologies.

BeTrusted, the company formed by PricewaterhouseCoopers, which in September placed a bid for Baltimore's PKI business, is predictably more upbeat about the technology. The company offered £5m cash in the hope of acquiring as customers the 300 companies that use Baltimore's UniCert technology. "Over 75 percent of our clients have made significant investments in Baltimore's PKI suite, which we have implemented and operated for many years," said John Garvey, chief executive of beTRUSTed, at the time. "We understand the importance of UniCert as a critical global infrastructure product and we commit to continue unchanged Baltimore's high level of support and development."

The consensus seems to be that PKI does have a future, but it's just not here yet. Bijan Khezri, who was chief executive of Baltimore before the EGM but who was due to become executive chairman after the meeting, said: "The long-term competitiveness of the PKI business requires critical mass."

Sadly, Baltimore won't be around to see it happen. Following the completion of the proposed disposal, the company's assets will consist primarily of cash currently held, proceeds from the disposal and the hardware and software support business. In a statement, Baltimore said it intends to sell this residual business "shortly". Thereafter, it said, it will seek to ensure that shareholder value is maximised by pursuing one of a number of options available to it: "These options include returning cash to the shareholders, making a new acquisition or being involved in a reverse takeover."

"It's sad," said Governor. "It would have been nice to have a somewhat dominant security company coming out of our geography. We all got a bit carried away saying great, here's a European company that will make a difference, but it didn't happen."

Graham Titterington said: "Today is really a formality. For the industry and IT world Baltimore died when it began selling off its technologies."