Opening up Internet security

Written by Scott Berinato, Contributor

A unique moment in the history of high tech will occur Sept. 20, when RSA Security Inc.'s key patents, which are fundamental to most Internet security, expire.

What happens after that will be nothing short of a watershed for the security industry. Observers predict two major trends: the development of security tool kits engineered for performance and for specific markets, such as wireless, and the availability of far more security products in the United States.

"This represents a pretty big milestone. People are waiting for this," said Mike Serbinis, chief security officer of San Francisco-based Critical Path Inc., which uses security tools from Baltimore Technologies plc. "Three years ago, I was at a startup [since acquired by Critical Path], and we were debating then what we would do around the patents expiring. It turns out it will all be good for users."

RSA's patents, which the company has guarded zealously for 16 years, cover encryption and decryption as well as the initialization of public- and private-key pairs—all cornerstones for secure transactions. The patents are, however, effective only in the United States. To license the technology, vendors have had to pay RSA an upfront fee as well as a small percentage of revenues from their products. In addition, RSA has had exclusive rights in the United States to sell tool kits that incorporate RSA algorithms.

This one-two punch has hampered not only domestic security vendors but also international security companies trying to sell home-grown technologies in the United States.

"It would have been not only costly but time-consuming to engineer that," said Andrew Morbitzer, senior vice president of marketing at Baltimore Technologies, which is based in Dublin, Ireland. "And think about it: If you're a big international company, we'd be selling you one thing overseas and another thing [in the United States]. This is why having the same product with the same bits available anywhere is really a watershed."

Baltimore serves as a prototype of the kinds of developments U.S. corporations can expect as a result of the patent expiration. The PKI (public-key infrastructure) vendor plans to announce Sept. 11 that, as of the patent expiration on Sept. 26, it will create one consistent product line to sell globally that includes its own tool kits. Currently, only international products include Baltimore's own tools.

With a consistent product line established, the second part of Baltimore's plan is to bring some products to the United States that it has so far marketed only overseas. One such product is a Web-based PKI management product. Standard in Baltimore PKI deployments overseas, this product enables users to log in and manage PKI credentials from any browser. In the United States, Baltimore has had to include a Win32 client that requires installation and maintenance and, officials say, dampens the user experience.

Morbitzer, who said the Sept. 26 date has been circled on his calendar for years, expects other RSA rivals, such as Entrust Technologies Inc., to take advantage of the event as well. Entrust officials in Plano, Texas, declined to comment on the company's plans.

In addition to a product launch, Baltimore will use the patent expiration date as a springboard for a massive marketing campaign to establish itself as a prime RSA competitor and premier security vendor. Baltimore will also likely consolidate its tools under a single brand name and begin marketing them aggressively in the United States as tools that increase performance of RSA's code while also targeting new markets, such as wireless, officials said.

Despite Baltimore's chest beating, RSA takes a decidedly different view to the expiration of its patents, calling it a "nonevent" and downplaying Baltimore's Melvillean take.

"Some competitors would have you believe we're bilking them and taking their firstborn," said Scott Schnell, RSA's senior vice president of marketing. "But the cost is not even worth discussion. Innovation is rewarded with patents, and some people will always be jealous of that."

Critical Path's Serbinis took a more basic view. "Building a product four different ways is an expensive endeavor; innovation will proceed a lot faster now," he said. "And there are a lot of smart mathematicians and cryptographers overseas dying to get innovations into the U.S."

Sign of things to come

Baltimore's three-step security plan

| Plan | What it does for users |
|---|---|
| Consolidate international and domestic product lines | Lowers costs, frees up engineers to develop security in other areas |
| Roll out a suite of tool kits to compete directly with RSA B-Safe tool kits | Increases competition, gives users more options |
| Begin an aggressive marketing campaign to establish competition in the security tools marketplace | Not much; customers will have to wade through the rhetoric |
