Category Archives: trustbearer

For Archival Purposes

You probably could’ve guessed that this blog has been retired since VeriSign acquired TrustBearer in April of this year. We’ve also retired the domain, but we still get a fair amount of traffic here, so I’m moving this blog back to its original WordPress URL,

Yes, this will break some inbound links, but at least the content will still be searchable. Thanks to everyone who has read and contributed over the years.


The TrustBearer Roadshow Moves from San Francisco to New Orleans

Last week TrustBearer was at the RSA Conference. Next week, we will be in New Orleans, at Card Tech Secure Tech 2009: The Americas (CTST).

TrustBearer Poker Tables

We had a righteous time at RSA. We showed off our latest engineering accomplishments. We had a party, sponsoring poker tables at Verisign’s casino night. And we observed the apparent themes of this year’s conference.

Overheard, here and there, in the Moscone Center at the RSA conference was an adage— something like “nothing is new at such an industry conference”. You could also add that a genuinely new technology and one that has merely been re-packaged to look new are hard to tell apart.

At RSAC, there were many product claims contemporaneous with the world we live in. For several years now, many companies have bragged about the ‘greenness’ of their products. This year, adapting to economic realities, many businesses have marketed their products as pedestrian and cost-effective—the latter, a trusted stand-by for marketers. There was also a natural swarm of companies toward the health care and government verticals due to presidential directives, economic stimulus packages, and the admission that these are the more vibrant parts of the current economy.

Just as with economic factors, broader technological trends have found a place in the messaging of security and identity companies. There is virtualization, for one. Consider also smart phones and mobile communications. There were dozens of companies at RSA showing mobile products; several of these are singularly devoted to two-factor authentication with mobile phones. Perhaps the most pervasive marketing meme, in this regard, was the talk of cloud computing and services— “security in the cloud”.

You might say ‘TrustBearer is Moving PKI to the Cloud’

With anxiety, I write that we’re moving PKI to the cloud in order to improve credential management and end-user authentication. But this is a tiresome, clichéd way to say it.

A core philosophy of TrustBearer products is the simplification of using credentials with PKI. We use modern web technologies, what you might call Web 2.0 or cloud services, to achieve this. However, the principle of our approach is actually to relocate the gears of PKI from the client to a dynamic, centrally managed service. We want to free the end-user of PKI from burdensome tasks and decisions.

What’s New

Our latest products and features continue to simplify the issuance, management, usage, and renewal of identity credentials. At RSA, we showed how we’ve integrated TrustBearer technology with Verisign Managed PKI to improve the user experience in these areas:

Improved Installation
We’ve reduced the steps required to install our cross-platform browser add-on. The installation does not require administrative rights and does not require the browser to be restarted, or even refreshed.

2-Click Issuance; 0-Click Renewal
With two clicks, users are issued a PIN-protected, federally-validated certificate, which is linked to an existing account for two-factor authentication.

2-Click Enrollment

When a certificate is about to expire, it can be auto-renewed. This is governed by a policy, but in the simplest sense a user’s certificate is automatically updated, without user interaction.

Auto Certificate Renewal

The case of renewal illustrates the work we’ve been doing to make PKI easier to administer. At the server, TrustBearer provides a central place to manage policies for keys; certificate issuance and renewal; whitelisting and blacklisting authentication factors (e.g. software tokens); and delegating trust.

Newly Supported Devices
We now support Trusted Platform Modules, a built-in crypto-processor on almost all business PCs. We’ve also developed a software token, encrypted with AES-128 or AES-256, for users that don’t have a hardware token.

If you are interested in a demo, contact us.

TrustBearer Desktop: free trial

Users experience TrustBearer Desktop as a Windows tray.

In addition to our web-based products, TrustBearer makes desktop middleware for use with government-issued smart cards (e.g. PIV, CAC, TWIC) and other security devices. TrustBearer Desktop provides the following features:

  • Secure Windows domain login using a smart card
  • Digital signing, encryption, and decryption of Outlook e-mails using PKI credentials on the smart card
  • Secure smart card login to websites requiring SSL client authentication
  • Digital signing of documents using applications like Microsoft Word or Adobe Acrobat
  • PIN verify and change available in the Windows system tray

You can download a trial copy of the software at the TrustBearer Desktop page.

Fast support for the Finnish eID

Shortly after our launch of TrustBearer OpenID, a citizen of Finland tried to use his Finnish eID (FineID) with no success. We sent a request to Finland’s PRC and promptly received a small suite of sample cards. In less than 2 days of device coding and debugging, the FineID was added to the suite of supported devices.

Finnish eID

This has turned out to be yet another great example of how TrustBearer Live makes it easy to tack on additional support without dealing with new software downloads and the headaches that brings.

If you run into any troubles using your FineID on our OpenID Provider, please let us know by contacting

Update: We currently support FineID Version 2 in both the “eID” and “organizational” profiles.  We do not yet support Version 1 due to data model differences.