EXHIBIT 10.30
AMENDMENT NUMBER ONE TO
MASTER DEVELOPMENT AND LICENSE AGREEMENT
THIS AMENDMENT NUMBER ONE TO MASTER DEVELOPMENT AND LICENSE AGREEMENT (the
"Amendment") by and between Security Dynamics Technologies, Inc., a Delaware
corporation, together with its Affiliates (collectively, "SDTI") and VeriSign,
Inc., a Delaware corporation ("VeriSign"), is made this __ day of December, 1998
(the "Effective Date") with respect to that certain Master Development and
License Agreement dated September 30, 1997 between SDTI and VeriSign (the
"Master Agreement").
RECITALS
WHEREAS, pursuant to the Master Agreement, SDTI engaged VeriSign to
customize certain computer software owned by VeriSign which related to digital
certificate authentication and local registration authority (the customized
software was referred to in the Master Agreement and herein as the "Developed
Technology");
WHEREAS, VeriSign granted to SDTI a nonexclusive license under VeriSign's
Intellectual Property Rights in its Pre-Existing Technology (each as defined in
the Master Agreement) to the extent it is incorporated in the Developed
Technology to use, copy, modify and prepare derivative works of the Developed
Technology, and to distribute the Developed Technology to End-Users; and
WHEREAS, SDTI and VeriSign desire to amend the Master Agreement to provide
that: (a) for a period of up to five (5) years from the Effective Date, VeriSign
will appoint SDTI its exclusive licensee for the Developed Technology, pursuant
to SDTI's payment of certain amounts described in this Amendment; and (b) SDTI
will embed in the Developed Technology certain software code owned by VeriSign
in order to ensure that the Developed Technology remains Functionally Compatible
(as defined below) with the VeriSign OnSite Platform (as defined below).
AGREEMENT
NOW THEREFORE, in reliance on the foregoing Recitals and in consideration
of the mutual consideration recited therein and contained herein, the parties
agree as follows:
1) Defined Terms. Any capitalized terms used herein without definition shall
--------------
have the meaning ascribed to such terms in the Master Agreement.
2) The following new defined terms are added to Section 1 of the Master
Agreement (Definitions):
-----------
1.23 "Affiliate" means any entity controlled by, controlling, or under
common control with, SDTI.
1.24 "Bundled Products" means a hardware or software product or service
created by a third party which incorporates the Developed Technology
or the Products.
1.25 "Contract Year" means, initially, the 364 consecutive days following
the Effective Date, and thereafter, each consecutive twelve-month
period.
1.26 "Functionally Compatible" means that the Developed Technology and the
VeriSign OnSite Platform are designed to enable a user of either
product to switch to the other product while maintaining much of that
user's application investment in the original product. The parties
anticipate that this objective will be accomplished primarily by
providing for certificate lifecycle protocol compatibility for
applications and toolkits interfacing with the products.
The term "Functionally Compatible" does not require: (A) that the
administrative interfaces for the Developed Technology and the
VeriSign OnSite Platform be identical, nor (B) that the management
and/or operation of the Developed Technology and the VeriSign OnSite
Platform be substantially similar.
1.27 "Net Revenue" means: (i) with respect to each sale or license of
Developed Technology and Products to any OEM, revenue which is
recognized by SDTI in accordance with generally accepted accounting
principles, net of discounts and returns, and (ii) with respect to
each sale or license of the VeriSign OnSite Service to any New OnSite
Customer, revenue which is recognized by VeriSign in accordance with
generally accepted accounting principles, net of discounts and
returns.
1.28 "New OnSite Customer" means any third party who purchases or licenses
the VeriSign OnSite Service subsequent to that party's purchase of
Products and/or Developed Technology from SDTI.
1.29 "OEM" means any third party engaged in the business of creating and
selling Bundled Products to End Users under OEM's own trademarks by
virtue of the authority of SDTI.
1.30 "Updates" means, collectively, Upgrades, Enhancements, and Error
Corrections.
1.31 "VAR" means any third party in the business of reselling or
distributing the Developed Technology or Products not as part of any
Bundled Product, whether under its own trademarks or trademarks
specified by SDTI, by virtue of the authority of SDTI.
1.32 "VeriSign OnSite Platform" means the public key infrastructure
platform created by VeriSign and required by End-Users to implement
the VeriSign OnSite Service, and any successor or replacement
platforms.
1.33 "VeriSign OnSite Service" means that digital certificate management
and issuing service marketed by VeriSign and currently known as
"OnSite", and any successor or replacement services.
3) Section 4.2 (Developed Technology) of the Master Agreement is hereby deleted
--------------------
in its entirety and replaced with the following new Section 4.2:
4.2 Developed Technology. On the terms and subject to the conditions set
--------------------
forth herein, VeriSign grants to SDTI an exclusive (subject to the
provisions of Paragraph 5 of Exhibit E of the Master Agreement),
---------
perpetual, worldwide license, under VeriSign's Intellectual Property
Rights in its Pre-Existing Technology to the extent that it is
incorporated in the Developed Technology to:
(a) use, copy, modify, and prepare derivative works of the
Developed Technology in Source Code Form and Object Code
Form;
(b) license, copy and distribute the Developed Technology and
Products in Source Code Form and Object Code Form to OEMs,
with rights to: (i) modify functions contained in the
Developed Technology, (ii) prepare derivative works of the
Developed Technology, (iii) incorporate the Developed
Technology into OEM's products in order to create Bundled
Products, and (iv) sublicense its rights with respect to the
Developed Technology in Object Code Form as part of the
Bundled Products to OEM's licensees for use only in their
own products;
(c) license, copy and distribute the Developed Technology and
Products in Object Code Form to VARs, with rights to further
distribute or resell the Products; and
(d) copy and distribute the Developed Technology in Source Code
Form (solely for deposit into escrow at the request of any
End-User) and Object Code Form to End-Users.
Notwithstanding anything to the contrary contained herein, from time to
time VeriSign may develop and sell software modules or other programs
which: (1) are part of the Developed Technology, and (2) are required by
VeriSign to be distributed in Source Code Form to users. In such event,
the rights granted to SDTI herein shall permit SDTI to copy and distribute
such software in Source Code Form to VARs and End-Users.
SDTI acknowledges that it shall retain its exclusive status for any
Contract Year only if SDTI elects to prepay the royalties for such Contract
Year in accordance with Section 5 of Exhibit E to the Master Agreement.
---------
VeriSign acknowledges and agrees that so long as SDTI retains its exclusive
status, VeriSign shall have no right to license, sell, market or distribute
the Developed Technology to any third party. Notwithstanding the
foregoing, SDTI acknowledges and agrees that during the term of this
Agreement, VeriSign may license or distribute to Strategic Partners (as
defined below) technology which performs functions substantially similar to
the Developed Technology (but which utilizes a code base substantially
different from the code base of the Developed Technology) for the purpose
of permitting those Strategic Partners to create a certificate issuing and
management service substantially similar to the VeriSign OnSite Service or
VeriSign's public certificate services (each, a "Similar Service"). For
purposes of this paragraph, the term "Strategic Partner" shall mean: (i)
any third party located outside of the United States with whom VeriSign
contracted to create a Similar Service, or (ii) any third party with whom
VeriSign has contracted to create an industry-specific vertical market for
a Similar Service, regardless of the geographic location of that entity.
During the term of this Agreement, SDTI may not: (i) license the Developed
Technology to any third party or use the Developed Technology itself for
the purposes of creating and marketing a service similar in purpose to the
VeriSign OnSite Service, or (ii) except as expressly permitted herein,
perform or permit any sublicensing or other distribution of the Developed
Technology in Source Code Form. SDTI's rights in the Developed Technology
licensed hereunder shall be limited to those expressly granted in this
Agreement.
4) The following new paragraph is inserted at the end of Section 4.3 (Access to
---------
Technology) of the Master Agreement:
----------
During the term of this Agreement, VeriSign shall provide to SDTI the
technical support and design consulting services set forth on Exhibit H
attached hereto. SDTI shall incorporate certain portions of the VeriSign
OnSite Platform into the Developed Technology, as SDTI's product release
schedule permits, in order to ensure that the Developed Technology is
Functionally Compatible with the VeriSign OnSite Platform. In addition,
VeriSign shall ensure that the VeriSign OnSite Platform remains Functionally
Compatible with the Developed Technology.
5) Section 4.4 (Trademarks) of the Master Agreement is amended by adding the
----------
following new paragraph (d) following existing Section 4.4(c):
(d) Notwithstanding anything to the contrary contained herein, VeriSign
acknowledges that: (i) SDTI shall have the right to market, distribute
and sell the Developed Technology and Products under its own trademarks,
and (ii) SDTI may permit OEMs and VARs to market, distribute and sell
the Developed Technology and Products under such party's trademarks.
6) The following new Section 6.5 is inserted at the end of Section 6
(VeriSign's Obligations and Development Undertakings) of the Master
---------------------------------------------------
Agreement:
6.5 Transfer of Existing OEMs and Prospect List to SDTI.
----------------------------------------------------
(a) Transfer of Existing OEMs to SDTI. VeriSign acknowledges
----------------------------------
that, as of the date hereof, it has licensed the Developed
Technology to certain OEMs, including Cisco Systems. In
order to assure that those OEMs receive consistent support
and maintenance for the Developed Technology, VeriSign shall
use its best efforts to transfer customer support
obligations for those customers to SDTI. To that end,
VeriSign shall deliver to SDTI at no charge, within 30 days
following the Effective Date, all information currently in
VeriSign's possession which SDTI could reasonably be
expected to find useful in order to assume customer support
for those OEMs, including but not limited to customer
contracts, support records and bug tracking databases.
Following the Effective Date, VeriSign and SDTI will work
together to: (i) inform those OEMs of the transition, and
(ii) effect the transition in an orderly fashion, including
but not limited to implementation of a process pursuant to
which any maintenance and support calls relating to the
Developed Technology from those customers who elect to
receive support from SDTI that are received by VeriSign are
forwarded to SDTI.
(b) Transfer of VeriSign Prospect List to SDTI. In furtherance
------------------------------------------
of the transactions contemplated by this Agreement, within
30 days following the Effective Date, VeriSign will transfer
to SDTI its prospect list for potential purchasers of the
Developed Technology. VeriSign will provide reasonable
assistance to SDTI in connection with the transition of
these prospects to SDTI's sales force, including but not
limited to assistance with sales calls, and introductions to
customer contacts. Thereafter, VeriSign shall direct any
new leads for the Developed Technology to SDTI, and
following the Effective Date, the parties will implement a
process pursuant to which all such leads are so directed to
SDTI's sales force.
7) Section 9 of the Master Agreement (License Fees; Royalty Payments) is
------------------------------
amended by inserting the following new Section 9.6 after existing Section
9.5:
9.6 Prepaid Royalties. SDTI shall prepay royalties as described in
------------------
Paragraph 4 of Exhibit E hereto in order to maintain its status as
---------
exclusive distributor of the Developed Technology.
8) Section 10 (Confidential Information) of the Master Agreement is amended by
------------------------
inserting the following new Section 10.5 after existing Section 10.4:
10.5 News Releases. Following execution of this Agreement, SDTI and VeriSign
-------------
will jointly issue a news release regarding the transactions contemplated in
this Agreement. Otherwise, no public statements inconsistent with previously
authorized and released news releases shall be made or released to any
medium except with the prior approval of the other party, or as required by
law or governmental regulation.
9) Exhibit C to the Master Agreement (Statement of Work) is hereby amended by
---------
adding to the conclusion thereof the additional text contained in the
attached Exhibit C.
---------
10) The following new paragraphs 4 through 7 are added to Exhibit E to the
Master Agreement (License and Royalty Payments):
----------------------------
4) License Expansion Fee. Upon execution of this Amendment, SDTI shall
---------------------
pay VeriSign a license expansion fee equal to Five Hundred Thousand
Dollars ($500,000) in consideration of VeriSign's expansion of
license rights granted to SDTI pursuant to the Master Agreement.
5) Royalties on Sales of Products.
------------------------------
(a) Sales to OEMs. During the term of this Agreement, in
--------------
connection with the sale or license of Products to an OEM,
SDTI shall pay VeriSign the following royalties as follows:
(i) Object Code Licenses. With respect to licenses of the
---------------------
Developed Technology in Object Code Form, SDTI will
pay VeriSign a royalty equal to:
1. zero percent (0%) until such time as SDTI has
received Net Revenue equal to Two Million Eight
Hundred Thousand Dollars ($2,800,000) from OEMs who
have licensed the Developed Technology in Object
Code Form; and
2. the greater of (A) eighteen percent (18%) of Net
Revenue, and (B) eighteen percent (18%) of sixty
percent (60%) of RSA's current list price for such a
license, after such time as SDTI has received Net
Revenue in an amount greater than Two Million Eight
Hundred Thousand Dollars ($2,800,000) from OEMs who
have licensed the Developed Technology in Object
Code Form; and
(ii) Source Code Licenses. With respect to licenses of
---------------------
the Developed Technology in Source Code Form, SDTI will
pay VeriSign a royalty equal to Fifty Percent (50%) of
Net Revenue derived from the sale or license of
Developed Technology in Source Code Form to the OEM;
provided however, that SDTI will also pay VeriSign the
----------------
royalty specified in section 4(a)(i) above with respect
to any sales or licenses of Developed Technology in
Object Code Form to such OEM. Amounts due to VeriSign
pursuant to each sale or license described in this
paragraph 4(a)(ii) shall equal not less than Twenty-
five Thousand Dollars ($25,000).
Notwithstanding the foregoing, in the event that any
OEM desires to receive a copy of the Products in Source
Code Form to place in escrow pursuant to an executed
Source Code Escrow Agreement in effect between SDTI and
that OEM, then SDTI shall not be obligated to pay
VeriSign any royalties in connection with that copy of
the Product placed in escrow; provided that in the
--------
event that such copy of the Product is released from
escrow following the occurrence of any release
condition specified in the escrow agreement, then SDTI
shall pay VeriSign the royalties set forth in this
paragraph 4(a)(ii).
(b) Sales to VARs. During the term of this Agreement, in
--------------
connection with the sale or license of Products to a VAR,
SDTI shall not be obligated to pay VeriSign any royalties.
SDTI shall be obligated to pay the royalties set forth in this
Paragraph 4 only after SDTI has recouped in full all amounts
prepaid by SDTI pursuant to paragraph 6 of this Exhibit E. In
order to permit VeriSign to calculate royalties due to it
pursuant to the terms of Paragraph 4(a)(i) above, SDTI shall
deliver to VeriSign from time to time its current published price
list for the Developed Technology.
6) Royalty Prepayments. SDTI will prepay royalties in the following
------------------
amounts in order to maintain exclusive rights to distribute the
Developed Technology during up to the first five Contract Years of
the Agreement:
(a) In order to maintain its exclusive status in the First
Contract Year, SDTI will pay VeriSign an amount equal to One
Million One Hundred and Thirty Five Thousand Dollars
($1,135,000) (the "First Royalty Prepayment"), payable as
follows:
(i) Subject to the terms of Section 6(f) below, SDTI will
pay VeriSign Twenty-two percent (22%) of the First
Royalty Prepayment within forty-five (45) days
following the commencement of the first Contract Year;
(ii) Subject to the terms of Section 6(f) below, SDTI will
pay VeriSign Twenty-four percent (24%) of the First
Royalty Prepayment within forty-five (45) days
following the commencement of the second quarter of
the first Contract Year;
(iii) Subject to the terms of Section 6(f) below, SDTI will
pay VeriSign Twenty-six percent (26%) of the First
Royalty Prepayment within forty-five (45) days
following the commencement of the third quarter of the
first Contract Year; and
(iv) Subject to the terms of Section 6(f) below, SDTI will
pay VeriSign twenty-eight percent (28%) of the First
Royalty Prepayment within forty-five (45) days
following the commencement of the fourth quarter of
the first Contract Year.
(b) In order to maintain its exclusive status in the second
Contract Year, SDTI will pay VeriSign an amount equal to Two
Million Two Hundred Fifty Thousand Dollars ($2,250,000) (the
"Second Royalty Prepayment"), payable quarterly as follows:
(i) Subject to the terms of Section 6(f) below, SDTI will
pay VeriSign Twenty-two percent (22%) of the Second
Royalty Prepayment within forty-five (45) days
following the commencement of the second Contract
Year;
(ii) Subject to the terms of Section 6(f) below, SDTI will
pay VeriSign Twenty-four percent (24%) of the Second
Royalty Prepayment within forty-five (45) days
following the commencement of the second quarter of
the second Contract Year;
(iii) Subject to the terms of Section 6(f) below, SDTI will
pay VeriSign Twenty-six percent (26%) of the Second
Royalty Prepayment within forty-five (45) days
following the commencement of the third quarter of the
second Contract Year; and
(iv) Subject to the terms of Section 6(f) below, SDTI will
pay VeriSign twenty-eight percent (28%) of the Second
Royalty Prepayment within forty-five (45) days
following the commencement of the fourth quarter of
the second Contract Year.
(c) In order to maintain its exclusive status in the third
Contract Year, SDTI will pay VeriSign an amount equal to
Three Million Dollars ($3,000,000) (the "Third Royalty
Prepayment"), payable quarterly as follows:
(i) Subject to the terms of Section 6(f) below, SDTI will
pay VeriSign Twenty-two percent (22%) of the Third
Royalty Prepayment within forty-five (45) days
following the commencement of the third Contract Year;
(ii) Subject to the terms of Section 6(f) below, SDTI will
pay VeriSign Twenty-four percent (24%) of the Third
Royalty Prepayment within forty-five (45) days
following the commencement of the second quarter of
the third Contract Year;
(iii) Subject to the terms of Section 6(f) below, SDTI will
pay VeriSign Twenty-six percent (26%) of the Third
Royalty Prepayment within forty-five (45) days
following the commencement of the third quarter of the
third Contract Year; and
(iv) Subject to the terms of Section 6(f) below, SDTI will
pay VeriSign twenty-eight percent (28%) of the Third
Royalty
Prepayment within forty-five (45) days following the
commencement of the fourth quarter of the third
Contract Year.
(d) In order to maintain its exclusive status in the fourth
Contract Year, SDTI will pay VeriSign an amount equal to
Four Million Dollars ($4,000,000) (the "Fourth Royalty
Prepayment"), payable quarterly as follows:
(i) Subject to the terms of Section 6(f) below, SDTI will
pay VeriSign Twenty-two percent (22%) of the Fourth
Royalty Prepayment within forty-five (45) days
following the commencement of the fourth Contract
Year;
(ii) Subject to the terms of Section 6(f) below, SDTI will
pay VeriSign Twenty-four percent (24%) of the Fourth
Royalty Prepayment within forty-five (45) days
following the commencement of the second quarter of
the fourth Contract Year;
(iii) Subject to the terms of Section 6(f) below, SDTI will
pay VeriSign Twenty-six percent (26%) of the Fourth
Royalty Prepayment within forty-five (45) days
following the commencement of the third quarter of the
fourth Contract Year; and
(iv) Subject to the terms of Section 6(f) below, SDTI will
pay VeriSign twenty-eight percent (28%) of the Fourth
Royalty Prepayment within forty-five (45) days
following the commencement of the fourth quarter of
the fourth Contract Year.
(e) In order to maintain its exclusive status in the fifth
Contract Year, SDTI will pay VeriSign an amount equal to
Four Million Dollars ($4,000,000) (the "Fifth Royalty
Prepayment"), payable quarterly as follows:
(i) Subject to the terms of Section 6(f) below, SDTI will
pay VeriSign Twenty-two percent (22%) of the Fifth
Royalty Prepayment within forty-five (45) days
following the commencement of the fifth Contract Year;
(ii) Subject to the terms of Section 6(f) below, SDTI will
pay VeriSign Twenty-four percent (24%) of the Fifth
Royalty Prepayment within forty-five (45) days
following the commencement of the second quarter of
the fifth Contract Year;
(iii) Subject to the terms of Section 6(f) below, SDTI will
pay VeriSign Twenty-six percent (26%) of the Fifth
Royalty Prepayment within forty-five (45) days
following the commencement of the third quarter of the
fifth Contract Year; and
(iv) Subject to the terms of Section 6(f) below, SDTI will
pay VeriSign twenty-eight percent (28%) of the Fifth
Royalty Prepayment within forty-five (45) days
following the commencement of the fourth quarter of
the fifth Contract Year.
(f) All royalties (including prepaid royalties) due from SDTI
shall be nonrefundable, and prepaid royalties shall be
payable by SDTI net 30 days from the date of any invoice
from VeriSign. In no event shall SDTI be in breach
hereunder for failure to pay any royalties not invoiced by
VeriSign. Royalties prepaid in each Contract Year are
cumulative and do not expire; e.g. in the event that
royalties which would be due to VeriSign in any Contract
Year are less than royalties prepaid by SDTI to date, then
SDTI shall receive credit for all unused royalties prepaid
to date. For example, if at the start of the third Contract
Year, SDTI has prepaid royalties to VeriSign in the amount
of $3,350,000, but royalties otherwise due to VeriSign from
SDTI's sale of Products during the first Contract Year and
second Contract Year equal only $1,000,000, then SDTI is
credited with an additional $2,350,000 of prepaid royalties
in addition to royalties prepaid by SDTI for the third
Contract Year.
(g) Notwithstanding the foregoing, SDTI may at its sole
discretion, elect not to maintain its exclusivity at any
time. In the event that SDTI elects not to maintain its
exclusivity, SDTI will: (i) inform VeriSign in writing of
its decision at least ninety (90) days prior to the end of
any Contract Year; (ii) if SDTI so elects not to maintain
exclusivity during the first three Contract Years, deliver
to VeriSign, within thirty (30) days following delivery of
such notice, an amount equal to the royalty prepayment which
would otherwise be due for the first two quarters of the
following Contract Year; (iii) if SDTI so elects not to
maintain exclusivity during the fourth Contract Year,
deliver to VeriSign, within thirty (30) days following
delivery of such notice, an amount equal to the royalty
prepayment which would otherwise be due for the first
quarter of the fifth Contract Year; and (iv) have no further
obligation to pay the remaining royalty prepayments
described in this paragraph; provided however, that any
----------------
payments remaining for the Contract Year in which the
election not to maintain exclusivity is made must be paid on
the schedule set forth in this Section 6. In the event SDTI
elects not
to maintain its exclusivity during the fifth Contract Year,
SDTI will not owe any additional royalty prepayments to
VeriSign.
(h) Upon expiration of the fifth Contract Year, the license
granted herein shall be nonexclusive, unless otherwise
agreed in writing by the parties.
7. Sale of the VeriSign OnSite Service. During the term of this
-----------------------------------
Agreement, VeriSign shall pay SDTI a bounty equal to Eight
Percent (8%) of Net Revenue received by VeriSign by each New
OnSite Customer during that customer's first year of using the
VeriSign OnSite Service. VeriSign shall deliver to SDTI amounts
due to SDTI hereunder within thirty days following the end of
each calendar quarter, together with a report including
sufficient information to enable SDTI to calculate amounts due to
SDTI during such prior calendar quarter. Such report shall
include the name of the New OnSite Customer, the first year
revenue recognized by VeriSign from that New OnSite Customer, and
shall be deemed to be Confidential Information.
Furthermore, VeriSign shall keep all proper records and books of
account and proper entries therein relating to its sale of the
VeriSign OnSite Service to New OnSite Customers. On no less than
30 days' prior written notice and no more than once annually,
SDTI may request that an independent certified public accountant
audit the applicable records during regular business hours at
VeriSign's offices to verify statements rendered hereunder. SDTI
shall bear the expenses of any such audit; provided that if such
audit reveals that bounties paid by VeriSign for any period are
less than 95% of what should have been paid by VeriSign, on
SDTI's request, VeriSign shall pay the reasonable costs of such
audit in addition to royalties then due and owing to SDTI.
11) Amount Due Under Statement of Work. Pursuant to the original statement of
----------------------------------
work set forth as Exhibit C to the Agreement, SDTI agreed to pay VeriSign
an amount equal to Three Hundred Sixty Thousand Dollars ($360,000) (the
"Final Milestone Payment") upon completion of the final milestone of work
due from VeriSign. As a result of reprioritization of work that SDTI has
requested that VeriSign complete, SDTI agrees to pay VeriSign the Final
Milestone Payment upon occurrence of Release 1 as set forth in the revised
Statement of Work attached hereto as Exhibit C. Release 1 is currently
---------
targeted to occur on January 28, 1999.
12) No Conflict with Noncompetition Agreement. Subject to the terms of Section
-----------------------------------------
4.2 hereof, VeriSign acknowledges and agrees that the arrangements
contemplated by this
Amendment, and SDTI's performance of its obligations hereunder, do not
conflict with the noncompetition obligations of SDTI set forth in Paragraph
2.1 of the Non-Compete and Non-Solicitation Agreement dated April 1995 in
effect between VeriSign and SDTI's subsidiary, RSA Data Security, Inc.
("RSA").
13) Execution of RSA Amendment. Simultaneously herewith, RSA and VeriSign are
--------------------------
executing Amendment Number Two to BSAFE/TIPEM Master License Agreement
dated April 18, 1995 (the "RSA Amendment"). The parties acknowledge and
agree that execution of the RSA Amendment is a condition to the
effectiveness of this Amendment, and if either party fails to execute the
RSA Amendment, then this Amendment is void and of no force and effect.
14) Counterparts. This Amendment may be executed in counterparts, each of
------------
which shall be an original and together which shall constitute one and the
same instrument.
15) Effect of Amendment. This Amendment amends the Master Agreement as of the
-------------------
Effective Date, and except as amended hereby, the Master Agreement shall
continue in full force and effect.
IN WITNESS WHEREOF, the parties have executed this Amendment Number One as of
the date first above written.
VERISIGN, INC. SECURITY DYNAMICS TECHNOLOGIES,
INC.
By: /s/ Xxxxxxxx Xxxxxxx By: /s/ Xxxxxx X. Xxxxx
---------------------- ---------------------
Title: President and CEO Title: Chief Operating Officer
-------------------- -------------------------
EXHIBIT "C"
STATEMENT OF WORK
SCOPE OF ENGINEERING SUPPORT FOR RSA LICENSE OF OEM PRODUCT
-----------------------------------------------------------
This document is the fifth draft of the proposed scope of VeriSign Engineering
Support that will be provided as part of the RSA contract to license the
VeriSign OEM product.
1. MAINTENANCE
-----------
VeriSign will provide fixes to bugs reported by RSA. Bug fixes will normally be
distributed in the form of periodic maintenance releases, or in the case of
severe bugs, patches will be supplied.
2. TECHNICAL SUPPORT
-----------------
Technical support will be provided to RSA to assist in problem diagnosis and
resolution. This support will be provided to RSA Engineering, and will not be
provided directly to RSA customers.
3. DESIGN CONSULTING
-----------------
Design consulting services will be provided to RSA to assist RSA in developing
enhancements and modifications to the OEM product. This is expected to be in
the form of responding to questions about the internals of the OEM product, and
providing advice about how to best implement a new feature or modification.
Two areas where VeriSign anticipates that design consulting will be required are
in the areas of key management and support for hardware signers.
The design consulting support will be limited to 1 man month of effort.
4. FEATURE ENHANCEMENTS
--------------------
RSA has identified a number of additional features that are required, and has
requested that they be delivered in four releases. These features will be
delivered on both the Solaris and NT platforms.
RELEASE 1
---------
Release 1 will be an intermediate development release and will not have the same
level of testing performed on it as other releases. Integration and QA time
will be limited to 5 days in order to have minimal impact on the ship dates of
the later releases.
4.1 CREATE A HOME PAGE AT THE SUBSCRIBER WEB SERVER THAT LINKS TO EACH
JURISDICTION'S USER SERVICES PAGE.
A page will be created that contains a link to each jurisdiction's user services
page.
4.2 DUAL KEY SUPPORT
A form of dual key support will be implemented according to the specification
that SDI supplied to VeriSign. The implementation of this requirement will
allow the user to select the type of certificate (signing, encryption or both
signing and encryption) from the enrollment form. If two certificates are
required, two separate enrollments will have to be done. In addition to
providing the capability to request
and deliver certificates that have the key usage set in this way, modifications
will be made to allow multiple certificates for the same DN but with different
key usage.
4.3 FURTHER AUTOMATION OF INSTALLATION
Currently, the Master Encryption Key and the access control signers must be
created by the system administrator after installation. Support will be
provided to move these tasks to installation. Currently, the Web UI passes
certain parameters to the CGI programs that perform the processing required.
Instead of this, the installation process that RSA will write will capture the
required input and pass it to the CGI programs. It is not expected that any
change of functionality will be required of the OEM product to support this
change, and it is assumed that the installation process will start the query
manager before creating the access control signers. RSA will be performing this
task.
RELEASE 2
---------
4.4 REMOVE THE REQUIREMENT TO RESTART THE SIGNING SERVER AFTER THE CREATION OF
NEW SIGNERS
Currently, after a signer has been added using the signer wizard, the signing
server must be restarted manually so that the new signer can be loaded into the
signing server. The need to perform this manual step will be eliminated.
Instead, the signer wizard will send a message to the signing server that
will cause it to load the new signer automatically.
4.5 USE ONE LINK FOR CERTIFICATE RETRIEVAL
Currently, there are separate links for certificate retrieval, one for each
browser type. A change will be implemented such that there is one link that
will work for both the Netscape and the IE browsers.
4.6 IMPORT SIGNER FUNCTION
Currently the PKCS10 Certificate Signing Request is generated as a file, and the
user has to retrieve it from the file system. Instead of this, an option from
the signer management function will be added that displays the PKCS10 as a
BASE64 encoded string that can be easily copied from the page.
RELEASE 3
---------
4.7 INTERNATIONAL SUPPORT
Currently, text that is present in the Web pages of the user interface and the
messages stored in the logging server can be localized, but entry fields do not
support international character sets. Additional support will be implemented to
allow international character sets to be used in the majority of entry fields.
This support will be the same as that implemented in VeriSign's core software,
briefly described as follows. Each Web page of the UI can have a new name value
pair added that defines the encoding scheme to be 7 bit ASCII, 8 bit or multi-
byte. Sophia uses this value to then translate the encoding scheme into UTF8
using the support that is in Solaris 2.6 (which is a pre-requisite). The UTF8
encoded data is then used by the backend, and data is stored in the database in
the UTF8 format. Although the CA software does have the capability of putting
the UTF8 representation of the international character set into a certificate,
this is not a practice that VeriSign currently follows because many applications
that use certificates do not yet have the support to deal with this.
VeriSign does not currently have an implementation on NT, and this will be
created as part of this task in a manner as close to the above implementation as
possible. Further, it is assumed that the Progress database is able to handle
UTF8, and if work has to be done that is specific to the use of Progress, that
is not included within the scope of work.
RELEASE 4
---------
4.8 ADD CR/LF AS LINE TERMINATORS TO ALL THE INSTALLED TEXT FILES ON NT.
CR/LF will be added as line terminators to the installed text files on NT.
4.9 EXPORT SIGNER FUNCTION
A new function will be added that is the inverse of the Import Signer function.
It will provide the capability to sign a CSR of a signer that is resident in
another OEM CA server. In this way, a hierarchy can be created with the other
CA subordinate to the OEM CA that performs this new function. This function
will allow the import of a CSR, will be able to sign the CSR and will be able to
export the signed CA certificate.
4.10 PROVIDE SUPPORT FOR THE CRS PROTOCOL
Support will be implemented for the CRS protocol so that the OEM CA can provide
services supported by this protocol. These services include enrollment, pickup,
and revocation.
4.11 CERTIFICATE VALIDATION MODULE
This is a standalone module that plugs into a Netscape or IIS Web server and
performs CRL retrieval and certificate validation. Currently, it works with the
VeriSign Onsite 4.0 service. This module will be made to work with the OEM CA.
That is, the certificate validation module will be able to download CRLs from
the OEM CA in the same way that it does today from the VeriSign Onsite service.
4.12 API FOR AUTOMATED AUTHENTICATION
An API will be developed that will provide the capability to be able to
interface with a user written function that will provide automated approval of a
certificate request. The capability that will be provided will be functionally
similar to that which is provided by the Onsite auto admin toolkit. However,
the implementation will be different because there is no need to distribute the
functionality to a front end RA as is done in Onsite. Instead, the API that
currently exists in the auto admin toolkit will be implemented in the CA server
so that the user does not have to set up the auto admin toolkit which is
designed for use in a service environment.
4.13 AUTOMATED CERTIFICATE RENEWAL FEATURES
In Onsite 4.0, a number of features for automated certificate renewal have been added.
These features will be added to the OEM CA product.
4.14 ADD DATABASE PURGE CAPABILITY.
A database purge capability will be created so that old entries can be purged
from database tables. A UI will be provided that requests the system
administrator to provide a date prior to which all entries will be purged.
RESOURCE ASSUMPTIONS
--------------------
VeriSign will commit resources as follows:
1/1/99 to 4/22/99 - 4 Engineers
4/23/99 to 12/31/99 - 3 Engineers
It is assumed that the design consulting is evenly distributed throughout the
year. If heavy consulting is needed in a particular period, this may impact the
release schedule, and VeriSign will inform RSA at the time of the request for
consulting.
SCHEDULE FOR RELEASES
---------------------
The target dates for the release are as follows:
Release 1 1/28/99
Release 2 3/4/99
Release 3 4/23/99
Release 4 9/28/99
5. OPEN ISSUES
-----------
RSA has expressed an interest in being able to have the Application Integration
Toolkit included in the scope of this agreement. The licensing issues
associated with this are currently being researched.
Exhibit H
---------
VeriSign Support
----------------
During the term of this Agreement, VeriSign shall provide to SDTI person-power
equivalent to up to three persons dedicated to maintenance, technical support,
design consulting, compatibility, and enhancement of the Developed Technology.
In the first Contract Year, the specific named set of deliverables for the
activities specified above are outlined in Exhibit C (Statement of Work), and
any VeriSign support efforts will be directed toward fulfilling those
deliverables. In subsequent years and at least annually, VeriSign and SDI will
meet to determine the allocation of person-power to the categories specified
above. The parties acknowledge and agree that the primary purpose of these
ongoing activities is for maintenance and support of the Developed Technology
and to ensure that the Developed Technology is Functionally Compatible with the
VeriSign OnSite Platform.
In order to ensure that the products are Functionally Compatible, VeriSign shall
deliver to SDTI updates for the VeriSign OnSite Platform as required by SDTI at
no cost.
After completing necessary maintenance and technical support for SDTI, remaining
person-power will be applied to design consulting and enhancement activity as
determined at the meeting discussed above.