BEDFORD, MA.— In advance of next week's RSA Conference 2000, RSA Security Inc. (NASDAQ: RSAS) and ValiCert, Inc., today announced a joint effort to boost trust in e-business transactions by establishing a process for validating digital certificates as quickly and accurately as validating credit cards. The companies plan to achieve this goal through their Online Certificate Status Protocol (OCSP) Interoperability Initiative, a cooperative endeavor to advance this emerging Internet standard by establishing criteria and performing interoperability testing of third-party OSCP-enabled products to ensure they will work together.

RSA Security and ValiCert will combine their security expertise to establish the testing criteria that will be used to determine OCSP interoperability. Software developers will then be given the opportunity to perform the tests on their OCSP-enabled applications. RSA Security expects to post the test results on its Web site where organizations building e-business solutions can determine which products have demonstrated interoperability using these tests. The OCSP Interoperability Initiative is modeled after RSA Security's S/MIME Interoperability Center, where over 30 companies have tested their implementations online to ensure secure e-mail interoperability.

"Compliance with a standard is necessary but not sufficient for achieving interoperability, which must also include real-world testing before it is determined products will work together," said Scott Schnell, senior vice president of marketing for RSA Security. "ValiCert's demonstrated leadership with OCSP makes them the natural choice for a reference implementation, the standard by which others are measured. This initiative is designed to offer a win-win proposition for software vendors and their customers by promoting interoperability through standardized testing and public display of the results to ensure that OCSP-enabled applications will work together to everyone's benefit."

"OCSP provides greater trust in business-to-business transactions by providing an easy way to check in real-time the status of the millions of digital certificates being presented to e-business applications. In order for this to happen, organizations must be assured the OCSP-enabled applications they purchase will work together," said Sathvik Krishnamurthy, vice president of marketing and business development at ValiCert. "This initiative with RSA Security is an important milestone in helping to provide interoperable solutions for e-business."

The software being tested will use standard X.509 digital certificates generated by the RSA Keon™ Certificate Server, and OCSP interoperability will be determined through interaction with the ValiCert Validation Authority, the industry standard OCSP responder. ValiCert security architect Ambarish Malpani was the lead author of OCSP, which is rapidly gaining support as the industry standard for performing real-time certificate validation on the Internet.

"At this point in the evolution of e-business, it is clear the CRL (certificate revocation list) model is giving way to positive certificate validation, and the ability to obtain up-to-the-moment validity status will play an increasingly important role as the value and velocity of transactions increases," said Kristin Kupres, COO & CTO, Identrus. "We applaud the efforts of RSA Security and ValiCert in advancing the ability of solution providers worldwide to create interoperable products that respond to customer requirements."

In order to demonstrate OCSP interoperability, vendors will test their OCSP-enabled products in a real-world environment over the Internet. Initiative participants will test their products against the "designated reference implementation," the ValiCert Validation Authority. By performing such testing, vendors can more easily refine their products to achieve interoperability. The OSCP Interoperability Center on the RSA Security Web site will provide results of interoperability testing in one master matrix that includes version number, test dates and an archive of all test messages, and will provide a forum for up-to-date information about OCSP-enabled products.

About ValiCert
ValiCert is the leading provider of end-to-end, secure infrastructure solutions for e-Transactions. ValiCert's Validation Authority, SecureTransport and Digital Receipt services and products protect organizations before, during and after e-Transactions through comprehensive trust, transaction and proof solutions.

Through its technology and marketing alliances with the leading global providers of e-commerce and security services and products, ValiCert's e-Transaction solutions have become the de facto industry standard. ValiCert's customers include Global 2000 organizations in financial services, telecommunications, healthcare and government, and ValiCert's Worldwide Affiliate Network of ISPs, ASPs and other service providers ensures the highest level of service and support. ValiCert has headquarters in Mountain View, California, and can be reached on the Internet at www.valicert.com.

RSA Security Inc.
RSA Security Inc., The Most Trusted Name in e-Security™ helps organizations build secure, trusted foundations for e-businesses through its RSA SecurID® two-factor authentication, RSA BSAFE® encryption and RSA Keon™ public key management systems. With nearly a half billion RSA BSAFE-enabled applications in use worldwide, more than six million RSA SecurID users and almost 20 years of industry experience, RSA Security has the proven leadership and innovative technology to address the changing security needs of e-business and bring trust to the new, online economy. RSA Security can be reached at www.rsasecurity.com.

BSAFE and SecurID are registered trademarks, and Keon, RSA and The Most Trusted Name in e-Security are trademarks of RSA Security Inc. All other products and services mentioned are trademarks of their respective companies.

This press release contains forward-looking statements relating to joint efforts of RSA Security and ValiCert to establish a process for validating digital certificates by determining OCSP interoperability. Such statements involve a number of risks and uncertainties. Among the important factors that could cause actual results to differ materially from those indicated by such forward-looking statements are operational delays in implementation of the initiative, technical difficulties, product delays, software bugs and errors, inability of RSA to establish an OCSP Interoperability Center, general economic conditions and the risk factors detailed from time to time in RSA Security's periodic reports and registration statements filed with the Securities and Exchange Commission, including without limitation RSA Security's Annual Report on Form 10K (File No. 000-25120), filed on March 31, 1999 and on RSA Security's most recent Form 10Q, filed on November 15, 1999.