"VeriSign lost a lot of credibility on the trust dimension because of this," says Larry Ponemon, president of security services firm Guardent, Waltham, Mass. "The digital certificate could fall out of favor as a tool of authentication."
But Jeff Johnson, chairman and chief strategy officer at Metases, an Atlanta-based security services firm, says people will soon forget the incident.
VeriSign, Mountain View, Calif., disclosed in late March that it issued two digital certificates in January to an individual posing as a Microsoft representative. The certificates, which the company has since revoked, could have allowed the imposter to create code that appears to come from Microsoft but is destructive.
Human error led to the issuance of the false certificates, VeriSign says. The company says it is adding more manual checks and balances to prevent such events in the future.
The incident drives home the nontechnical aspect of information security, says Wayne Pierce, director of service development, Athena Security, a Cambridge, Mass.-based solution provider. The imposter obtained Microsoft certificates through a more traditional form of fraud, not by hacking. "The technology could be perfectly fine, but they didn't look at the people side of it," he says.
VeriSign's honesty about its mistake should help prevent backlash against the use of digital certificates, Pierce says, adding that it's hard to tell how big a security risk the use of false certificates poses.
Still, concern about the incident may open the door for other forms of digital identity authentication.
