Extended Validation SSL, More Secure or Just a Racket?

Nalfeshnee writes "The Register is reporting on the new 'Extended Validation SSL' cert currently being touted by Verisign. Vista and IE7 will be using this but not, apparently, Firefox anytime soon. For this the Verisign Product Marketing Director Tim Callan squarely blames the Firefox dev team for 'not keeping up' with their new technology. However, the whole thing just seems to be a way for Verisign to enjoy ridiculous markup on selling 'more secure' certs."

Color coded?

[eric76 (679787)]

Verisign say 99 per cent of sites will be get the "ok" and the address bar left white. Only outfits which fork out for an extended validation SSL will get the psychological filip of "green for go". Firms will have to stump up about 150 per cent of what they currently do for an SSL certificate.

I'm colorblind. Would I ever notice the difference?

Yes.

[khasim (1285)]

IE 7 will have different icons on the location bar to indicate that a site has the "higher" level of "security" (translation: "bought the new certificate").

Certs are a joke

[rs79 (71822)]

In a world where even PayPal can't get it right (and nobody cares) what does it matter?

"Oh, it's an https site. It's encrypted. Cool". Next.

Some time when you're really bored look at the low level ssl stuff (with openssl or something) and notice all the errors. The browsers ignore so many of these I think it's all a big joke.

Re:

[rs79 (71822)]

"paypal gets a lot right"

I have a screen shot on a computer around here someplace of a browser alert window pointing out the cert domain doesn't match the domain. It was about 2-3 years ago. I can't remember for sure but I think it was www.paypal.com (the cert) didn't match paypal.com (which is what I type in).

The points remain:
1) People don't care if the cert is valid or not or in many cases if it's even signed by a root auhority the browser knows about
2) There are lots of errors in certs the browsers igno

Re:Color coded?

[interiot (50685)]

Don't worry. Once consumers realize that the new "super duper" certs are being given out to phishers as well, Verisign will come out with a 3rd level of verification ("extra super duper certificates") that cost 50% more, and they'll have to go to a numbering or lettering scheme ("1", "2", "3"). This will also facilitate the periodic addition of new levels whenever consumers realize Verisign still isn't doing the job they say they're getting paid to do.

Most colorblind people can tell white from green

[wsanders (114993)]

However, they feel just as dumb as everyone else after they've been suckered into paying an extra $1000 for a Verisign Super-duper Whiz-Bang Mega-Ultra Cert.

To be honest there is a difference between a cert from a real CA and some $10 cert from some outfit that doesn't care anything more about your true identity than whether your credit card payment goes through. Google for "high assurance" vs "low assurance".

Re:

[TheRaven64 (641858)]

On the otherhand, CACert, which is free, requires to see two forms of government issued ID, one of which must have a photograph.

Sadly, CACert's root certificate is still not included with Mozilla, although a number of distributions include it.

Re:CACert

[TheRaven64 (641858)]

The Mozilla foundation did not have a good set of criteria for including a cert. Originally they pretty much just used the same ones as IE (pay a big heap of money). Now they do have a set of rules, and the CACert people are trying to prove that they comply with them. It should be done Real Soon Now(TM).

Secure?

[Kazrath (822492)]

Has anyone found an effective way of cracking regular SSL? Is not the whole point of SSL to just slow down the decryption to a point where even if decrypted the data is old enough to be useless?

I mean hell if SSL is weak encryption and we need stronger encryption should I not SUE verisign right now for providing a false sense of saftey?

Re:

[Jahz (831343)]

Has anyone found an effective way of cracking regular SSL? Is not the whole point of SSL to just slow down the decryption to a point where even if decrypted the data is old enough to be useless?

I mean hell if SSL is weak encryption and we need stronger encryption should I not SUE verisign right now for providing a false sense of saftey?

1. You have clearly not read the article, or even the entire /. summary.
2. Who is talking about cracking SSL? Nobody... the underlying algorithm algorithms can be changed.
3.

Re:

[cortana (588495)]

If you read their terms of service you will see that they "guarantee" sweet fuck all.

On a related note, I was doing some poking around the other day and noticed this:

$ certtool -i < /etc/ssl/certs/Verisign_Class_1_Public_Primary_Cer tification_Authority.pem

X.509 certificate info:

Version: 1
Serial Number (hex): 00:CD:BA:7F:56:F0:DF:E4:BC:54:FE:22:AC:B3:72:AA:55
Subject: C=US,O=VeriSign\, Inc.,OU=Class 1 Public Primary Certification Authority
Issuer: C=US,O=VeriSign\, Inc.,OU=Class 1 Publi

Re:Secure?

[tyler_larson (558763)]

Has anyone found an effective way of cracking regular SSL?

No.

Is not the whole point of SSL to just slow down the decryption to a point where even if decrypted the data is old enough to be useless?

No.

I mean hell if SSL is weak encryption and we need stronger encryption should I not SUE verisign right now for providing a false sense of saftey?

No.

SSL (and TLS) aren't encryption algorithms, they're protocol standards. These protocols make use of existing encryption algorithms to secure data. Many of these algorithms have a variable level of complexity, depending on things like key size. Since security (including encyrption) is always a tradeoff of resources versus security, the goal is to tweak the configuration parameters (again, such as key length) to find a level of security such that an attack against the cipher is less profitable an option than the next best choice, such as kidnapping the document's author. Those who require greater security can use turn up the complexity at the expense of using more resources.

As computation capability increases, the complexity of encryption system is increased to compensate, usually by increasing key length. If a flaw is discovered in a given encryption algorithm making it too easy to break, or if the algorithm isn't capable of being expanded to account for better decryption technology (such as DES) then that algorithm is discarded in favor of some stronger replacement. SSL remains the same.

Verisign's "Extended Validation" program has nothing to do with cipher strength, key length, or encryption. Instead, it's indicative of the vetting process that the company had to undergo to get the certificate. To get a certificate for citibank.net, I have to verify that I own that domain. I don't, necessarily, have to verify that I represent Citibank [1]. Under this High Assurance program, Verisign will vouch, not only for the validity of the domain, but also for the validity of the organization owning that domain.

This is a Good Thing, since there currently is only one tier of validation. An SSL certificate is designed to prevent man-in-the-middle attacks, which it does well. What it doesn't protect against (though we act as if it does) is forged identity attacks. Certificates used for financial transactions, for example, should go through a stronger vetting process than certificates used for securing a blog.

[1] In reality, almost all CAs do extended verification when the other party sounds like a high-profile company or financial institution. Nonetheless, Mistakes do happen [washingtonpost.com].

Re:Secure?

[TheSpoom (715771)]

GoDaddy High Assurance SSL. [godaddy.com]
Comodo Trusted SSL. [trustlogo.com]
GeoTrust True BusinessID. [geotrust.com]

Business identity validation SSL certificates have been around for a long time. The only thing different about VeriSign's offering is that they're partnering with Microsoft to have the bar turn green if their more expensive cert is detected, to the disadvantage of all other SSL providers. This is an attempt by VeriSign to make it effectively necessary for businesses to use their cert so customers won't think that their site is insecure.

There's so much wrong with this attempt to gain a monopoly without adding anything of value to the market... but par for the course for VeriSign.

It's called "open source"

[truthsearch (249536)]

Hey Verisign, it's called "open source". If you'd like the feature added submit a patch and they'll consider it. Until then the people working on it will finish when they can. Thanks.

Re:

[Zeinfeld (263942)]

Hey Verisign, it's called "open source". If you'd like the feature added submit a patch and they'll consider it. Until then the people working on it will finish when they can. Thanks.

The Register was putting word's into Tim's mouth. They are the ones who used the phrase 'dragging their heels', not Tim.

The Mozilla team have been part of the EV development process from the start.

The real issue is that IE7 is harder to change once released. So the different deployment strategies make sense.

I don't get it

[Lord Grey (463613)]

I had never heard of "Extended Validation SSL" so I went to Google. Among the hits was something from Thawte, so I went there. It turned out to be a FAQ [thawte.com]. This FAQ contained such gems as:

4. Why is High Assurance/Extended Validation SSL being implemented?

Answer:

Improved online identity assurance, and improved browser representation of online identities, will empower users to better protect themselves against malicious and suspicious activity, which has gradually been eroding user confidence in digital security, including online shopping and banking. thawte's commitment to establishing and implementing High Assurance/Extended Validation SSL standards, and to being one of the first to offer compliant product lines, underscores our commitment to enabling a secure digital environment for all.

And:

6. What is the difference between High Assurance/Extended Validation/Enhanced Validation SSL certificates and existing SSL certificates?

Answer:

The online identity assurance process is intended to be more comprehensive and standardized across the entire industry. Whereas currently online identity assurance processes vary from CA to CA, the new standards/processes under discussion by the CA Browser Forum, will have to be adhered to by all CAs if they wish to offer High Assurance/Extended Validation SSL certificates. This will encourage greater confidence in CAs as well as the processes that are used to vet and issue digital certificates. thawte's commitment to establishing and implementing High Assurance/Extended Validation SSL standards, and to being one of the first to offer compliant product lines, underscores our commitment to enabling a secure digital environment for all.

Is it my imagination, or is this new Extended Validation SSL thing, in the end, just a bunch of paperwork? I may simply be missing the point. If someone can point to a better description of this thing that makes sense, please do so.

Re:

[hardburn (141468)]

It may solve some problems, like having a few guys claiming to be from Microsoft showing up at VeriSign's offices and walking off with a signed SSL key for MS.

This is only one of the many major problems that SSL has, though. I don't see how this can address the problems of international domain names (where glyphs for certain characters can look the same, but aren't). I also doubt that it gives assurances about the security practices of the company (why would a cracker sniff a few credit cards at a time of

Re:I don't get it

[skiflyer (716312)]

Overall, this seems like a way to make the customer pay again for the CA's own bad practices.

That pretty much sums up this garbage. This is what SSL is supposed to already be, but as anyone who has filed for an SSL certificate already knows the whole thing pretty much works as a handshake... you're who, yes, ok, credit card with that name please, great, here you go.

And what about this "standardized across the industry"... I bought an SSL certificate from a 3rd party because they're in the Firefox/Opera/IE default trust lists, and because they cost $40 a year instead of $400, is this really a new industry standard or is this just Verisign's way of artificially creating a new market now that there's too much competition?

I'm going to guess

[tkrotchko (124118)]

I'm guessing the certificate security itself isn't changed. What they're saying is they're just going to do more research on a company before they hand out certificates. Right now you fill in a form, fax it in, and *presto* you get certs. Now, I guess someone will actually call and check before issuing.

They could do this now with regular SSL, but they couldn't charge more money... too much competition out there.

The thing is, the encryption of SSL is not at issue; it's just a new product to market.

Re:I don't get it

[by Anonymous Coward]

I used to work at a certain SSL place, so here's what I could gather.

Right now to get a cert it's a phone call verification or something else that can be done remotely.

For High Assurance CAs, the issuer has to fly a person out to the physical site, take pictures of the site, go inside, take pictures of at least two(?) employees, get names of workers, get signatures, and so on. At least that was the idea last I heard.

Rather than a remote validation, which I guess is easier to forge and easier to issue a mistake to by accident, this requires in person validation and lots of other crap you can't do without actually going there and checking it out. You decide if it's worth it. If not seeing that "special green color" stops just a few customers from using your site, it probably is.

Re:

[not-enough-info (526586)]

I went to verisign to get some facts direct. They have a "live chat" feature that pops up when you go to the faq.
According to their customer rep "Doreen", there's really nothing special about this.
What I got out of the chat session:

• The encryption is the same, or possibly the same, but probably not better.
• So far other CAs are not onboard with this (but "expected to follow suit" whoopee.)
• The only informational resources they give their people are the faq page and the MS blog.
• Doreen freely admits to knowing le

They SHOULD be doing this for everyone...

[dolphinling (720774)]

I think I remember reading about this either on firefox dev blogs or mailinglists or IRC. IIRC, the upshot was that verisign should be doing "extended validation" type things on all their clients. The validation they have now is really pretty shoddy, shoddy enough that they'd be risking getting kicked out if they weren't so big and so many websites would break. But that's just my memory, which could be bad, you'd have to look into it yourself.

Racket

[AKAImBatman (238306)]

More Secure or Just a Racket?

Definitely sounds like a racket to me. If you get the green bar by paying Verisign 150%, how does that differ from today's security certificates? Other than having to pay more money, and only being able to be verified by Verisign, that is. (Doesn't sound racket-y at all. Or was that rickety?) While they make it sound like the Green Bar is an excellent method of knowing that Amazon is really Amazon, I think it's actually a reverse attempt. By getting Amazon to use this spiffy new green bar, Verisign is attempting to legitimize their new technology in the eyes of the consumer. Little will actually change for the consumer, as he already knows when he's surfing Amazon.

The only place it would supposedly help is with Phishing. But since Phishing sites can't get certificates anyway, what does this help? If the lock isn't good enough, just change the URL Bar green for every VERIFIED certificate received. That will have the EXACT same effect.

The new certificates are double plus super good.

[khasim (1285)]

#1. In order to issue the new certificates, the Certificate Authorities (CA's) will be "required" to follow "industry standard" practices in "verifying" whomever applies for a new certificate.

#2. This additional "verification" is what will cost the additional money.

#3. Any business that does not pay the additional fees to be "verified" by "industry standard" practices will be ... the same as they are today.

#4. Phishing depends upon a person making a single error in judgment, one time. This will not stop phishing.

This will not stop anything. This is stupid. You're paying EXTRA to have someone do the verification they were supposed to be doing already. Imagine trying to run a business like that.

Boss - "I paid you last week, but you barely did any work. I'm going to fire you."

Employee - "If you give me a 50% raise, I'll perform the work to industry standards."

Boss - "Okay, that sounds like a good deal to me."

Sadly its commonplace....

[woolio (927141)]

This is stupid. You're paying EXTRA to have someone do the verification they were supposed to be doing already.

ROTFL...

You mean like pay a mailing/shipping company insurance for them to do their own job?

Or paying extra for an extended warranty? (To guard against stuff that shouldn't be crappy in the first place)

Or paying a credit card company EXTRA MONEY for them to taken YOUR PAYMENT "express" ?

Or paying extra money for a "Service Plan" to get "updates" to bug-ridden software?

Or paying a monthly fee for a

Re:

[CerebusUS (21051)]

But since Phishing sites can't get certificates anyway, what does this help?

Actually, I don't think phishing sites have much trouble getting certs. Several SSL providers merely check that you own the domain the cert is registered to. If I'm the registrant of amaz0n.com, I'll approve the ssl purchase and have a cert. It tells you absolutely nothing about whether you can trust the person running the website you've connected to.

I'm guessing this is going to end up a lot like the "Made for Windows" certifica

Re:

[AKAImBatman (238306)]

In the first link, they're self-signed certs that trigger the "Stop the World, something's wrong!" message. If consumers are ignoring this already, I'm afraid that a "green bar" isn't going to be much more effective.

The second link is more problematic, but the solution is simple. If a cert authority can't do proper due dillegence, then remove them from the browser's trusted list until they correct their procedures. They're obviously not trustworthy. Giving Verisign an artificial monopoly on something they s

Riiight.

[TubeSteak (669689)]

The padlock encryption symbol used by browsers has been effectively meaningless for some time, and consumer paranoia surrounding fraud remains a barrier to using online commerce for many.

In response, the verification industry in the form of the CA browser forum has come up with extended validation SSL, where the certificate really is a guarantee of kosher status. Honest.

Thank you The Register for saying what I was thinking.

Re:

[Midnight Thunder (17205)]

The padlock encryption symbol used by browsers has been effectively meaningless for some time, and consumer paranoia surrounding fraud remains a barrier to using online commerce for many.

Silly us, we should haver been using two padlock symbols the whole time.

Charging more to do what they should be doing.

[datajack (17285)]

The online identity assurance process is intended to be more comprehensive and standardized across the entire industry. Whereas currently online identity assurance processes vary from CA to CA, the new standards/processes under discussion by the CA Browser Forum, will have to be adhered to by all CAs if they wish to offer High Assurance/Extended Validation SSL certificates. This will encourage greater confidence in CAs as well as the processes that are used to vet and issue digital certificates. thawte's commitment to establishing and implementing High Assurance/Extended Validation SSL standards, and to being one of the first to offer compliant product lines, underscores our commitment to enabling a secure digital environment for all.

Err, excuse me.. isn't the verification of the identity of the applicant of the certificate exactly what the CAs are meant to be doing anyway?

I thought that that is why we had these 'trusted' third-parties, to vouch for the identity of the certificate owner - that is the fundamental basis of PKI and certificates. If they weren't doing that before (which they clearly weren't doing properly), what the hell were they doing?

So, we're paying them extra to get a 'fixed' version of something that they caused to be broken in the first place because they couldn't do their job properly. WHy should paying an extra 50% on top of their fees all of a sudden make us able to trust them now?

Re:

[skiflyer (716312)]

Couldn't agree more, posted a similar concept a little higher up... but reading it in your words makes me wonder, is there a class action lawsuit in the near future for standard SSL users?

Are you really surprised?

[Rosco P. Coltrane (209368)]

So, a product is proposed by Verisign (the guys who tried to shove their shoddy SiteFinder search engine down your throat by abusing their monopoly) and Microsoft (the guys who have been shoving their shoddy DOS and Windows down your throat for decades by abusing their monopoly).

You know what? I'm quite sure it's a shoddy product they're trying to shove down people's throat for some reason...

Gaah! Please skip the revisionism.

[ScentCone (795499)]

shoving their shoddy DOS ... down your throat ... abusing their monopoly

Right! Because DOS was definitely the only O/S upon which big business was doing business, say, back in the 1980's.

And then there were those enormous numbers of consumers using DOS instead of Apple II machines or Ataris or Amigas... Shoved down their throats? Come on. If you're going to rant about MS market share, at least skip over the part when it was anything but a sure thing, before all of the other platform makers wheezed an

Scam...

[tomstdenis (446163)]

This is coming from the people who stole DNS, and sell certificates for hundreds of dollars which take milliseconds to make....

Now we're supposed to get a more "trustworthy" cert and make our address bar green?

Fuck you Verisign.

Tom

Do disreputable sites get them?

[iabervon (1971)]

The only way to judge whether this is legitimate is to see whether sites that do fraudulent things (get traffic from mistyped domain names, send out "renewal" requests to non-customers, etc) are able to get these certificates. If Verisign is able to make sure that sites that do these things or have a history of doing them can't get certificates, then maybe they'll mean more than current SSL certificates.

Of course, there are technical issues with a PKI system without trusted root certificates, so it might no

Re:

[Kelson (129150)]

The only way to judge whether this is legitimate is to see whether sites that do fraudulent things (get traffic from mistyped domain names, send out "renewal" requests to non-customers, etc) are able to get these certificates.

I think you're being too subtle [slashdot.org] for this site [slashdot.org]...

Uh, what was the middle choice again?

[Medievalist (16032)]

"More secure or just a racket?"

C'mon, ScuttleMonkey, are you trying to get a job as a pollster for Karl Rove?

"Would you be more likely or less likely to vote for John McCain for president if you knew he had fathered an illegitimate black child?"

All the brower teams and SSL CAs agreed to this

[miller60 (554835)]

The article is, not surprisingly, VeriSign's version of events. The Extended Validation standard emerged from talks among a consortium of browser makers (the IE team, Mozilla, Opera and Konqueror) and a ghroup of SSL certificate authorities, which includes not only VeriSign but also geoTurst (since bought by VeriSign), Comodo, Entrust and Go Daddy. The group is known as the The CA/Browser Forum, the group of certificate authorities and browser developers that is working with the American Bar Association's Information Security Committee on finalizing an open standard for the validation process, which is to be followed by all participating CAs. So this isn't just a VeriSign issue, but the culmination of an 18-month process.

The plan was for all the browsers to implement the color bar scheme, based on IE's implementation. There were optimistic announcements by all involved, but no final standard has emerged. VeriSign and other SSL certificate authorities are preparing to start selling these in January. It's not clear to me if Firefox/Mozilla has actually opted out or is just moving more slowly than MSFT in incorporating the changes in the browser. Mozilla tends to be deliberate about SSL-related changes in the browser.

Re:

[Zeinfeld (263942)]

The article is, not surprisingly, VeriSign's version of events. The Extended Validation standard emerged from talks among a consortium of browser makers (the IE team, Mozilla, Opera and Konqueror) and a ghroup of SSL certificate authorities, which includes not only VeriSign but also geoTurst (since bought by VeriSign), Comodo, Entrust and Go Daddy.

No the article is the Register's version. Its hard to tell but there is actually a panel session on this at RSA Europe and the other vendors are on the panel.

Spinal Tap Syndrome...

[pandrijeczko (588093)]

..."but our Verisign certificate goes up to 11!"

What about this paragraph?

[skiflyer (716312)]

One snarl-up for Mozilla may have been working out an alternative to the rest of Microsoft's site-rating system. As well as getting dishing out green address bars, servers at Redmond will blacklist dodgy and suspect sites, which can look forward to red and amber flashing up.

I don't feel all paranoid about this, and I think the technology is a good concept, but dang, do we want any for profit company to be the one in charge of maintaining these lists? And what's the appeal process, if my online store got l

racket?

[nosferatu-man (13652)]

Verison is involved.
Everything Verisign does is a racket.
Therefore, it's a racket.
Q.E.D.

Where's the specification?

[Animats (122034)]

Has anyone actually been able to find the specification for "high assurance" certificates? Apparently this is being closely held. The spec comes from something called the "CA Browser Forum", which is invitation-only and doesn't seem to have a web site. A standard was supposed to be issued in August, but apparently agreement wasn't reached until a meeting in September. There are many press releases, but no hard data.

So that's why it's not in Mozilla.

It's actually a good idea. Early in the history of SSL, getting a certificate required presenting appropriate business identification info to the certificate issuer. The problem is that some issuers (GoDaddy comes to mind) started issuing "domain only" SSL certificates; the only verification is that the domain can get email. Then, instead of revoking GoDaddy's root certificate for this, the other cert issuers copied GoDaddy's approach. Now anybody can get a meaningless certificate with a meaningless Relying Party Agreement.

The way it's supposed to work is that the certificate issuer bears financial responsibility for misidentification of the certificate owner. Some certificates from Verisign have a Relying Party Agreement [verisign.com] that does provide a financial guarantee to the party relying on the certificate - $100 for a class 1 cert, $5000 for a class 2 cert, and $100,000 for a class 3 cert. Most of the other issuers have relying party agreements which promise nothing and deliver less.

So what's happening is that, soon, you'll be able to tell the difference between the crap certificates and the good ones. Before you buy. The idea is that if you put your credit card into a site that showed a green toolbar in IE, and it wasn't really the company it should have been, you can collect from the certificate issuer. This puts certificate issuers on the hook for phishing losses.

Unfortunately, the rules and the Relying Party Agreements for the new certificates haven't yet appeared, so we can't tell if the rules are tough enough to make this work. Since they're being drafted by the certificate issuers, there will probably be some loophole that lets them off the hook.

SSL and Extended SSL

[Kazrael (918535)]

Honestly, I believe that there should be a WC3 conference to contribute a single CA that makes its way onto all browsers. Give the WC3 CA site an automated system for generating certs, including an open API and then combine DNS registration protocals with the CA gen protocals. Publicly open the API, and charge small, if anything. This service is an easy one to implement. The real issue is getting browsers to add it to its automatically trusted CA list. I can create SSL at home, but I can't get browsers

Microsoft

[nurb432 (527695)]

"See only we are secure"

phffft

Fund raising idea for firefox

[NaCh0 (6124)]

Mozilla.org should get into the SSL certificate reselling business and set the location bar to green when one of the mozilla signed certs is present. Verisign could then have the option of paying a royalty to mozilla.org for each extended certificate if they want green URL bars too.

You want TECHNOLOGY? Ok, here's some.

[Sloppy (14984)]

"Technology?" Give me a break. They're looking at what authority signed the cert, and if the web browser has been told to dogmatically trust that authority more than others, then it turns something green.

Actually, it's not a bad idea. There are degrees of trust, and showing it to the user is fine. But you bet your ass this is mostly just a cashgrab from Verisign.

A Firefox implementation of extended validation can only be a matter of time, since the Mozilla Foundation knows in order to compete it cannot afford for its browser to be just as good as IE7; it has to be better.

Good news. There's a way to do this, that will absolutely embarrass MSIE, making its version of https look completely insecure by comparison, and screw Verisign over, in the process.

Support an OpenPGP-based cert model [gnu.org] (perhaps using GNU TLS library [gnu.org], perhaps not). Suddenly, you can have certs that are signed by multiple authorities, including users themselves, and display a whole spectrum of trust metrics. Equifax can make mistakes and issue an incorrect cert to a bank [washingtonpost.com], but can three CAs all make the same mistake, without a conspiracy? And what if you get the bank's fingerprint on your snailmail statements, or there's a sign showing the fingerprint when you walk into it, and thus you can cert it yourself? What if you haven't ever been to the bank (ok, I can't imagine that) but you have 3 friends who have, and you have certified them, and told your computer they are each marginally trusted, and they all certify the bank? Three friends are sure as hell a lot more trustworthy than some faceless corporation named Verisign, whose identification policies you don't even know, whose private key storage policy you don't even know, and in fact doesn't have a single employee you have even met, assuming they have any employees at all and aren't a robot in the basement of a building at the NSA.

what's the price structure?

[epine (68316)]

If the extra up-front validation is the main thing, Verisign should be charging a high one-time-fee for undertaking those steps, then charging a low low monthly rate to rest on their laurels and do nothing further. Somehow I doubt that's the price structure they adopted here.

Re:

[DragonWriter (970822)]

So, Verisign realizest that their practices are insecure and broken, but instead of fixing their practices and being a good CA, they are instead creating a new kind of "we actually did our job" certificate that requires new code for browsers to recognize?

I mean, wouldn't it make more sense for Verisign to do the same thing (if they wanted to get some money for insecure certs but still have a more secure cert) to create a new Certification Authority name also run by Verisign that actually does their job, and

Re:

[ebyrob (165903)]

I mean, wouldn't it make more sense for Verisign to do the same thing (if they wanted to get some money for insecure certs but still have a more secure cert) to create a new Certification Authority name also run by Verisign that actually does their job, and not require any browser code changes?

But then how would you tell the old CA apart from the new CA? It isn't like your browser loudly proclaims which CA is validating a particular domain. Or are you suggesting they revoke their own current CA status?