November 03, 2010

VeriSign takes the "Trust" out of "SSL certificates"

In a funny little announcement that will have CA industry fans scratching their heads for a year or so, Verisign announces a one day sale of its "Trust seals":

According to VeriSign, "The VeriSign Trust seal shows the world that VeriSign has confirmed your identity and your site has passed the VeriSign malware scan."

A year's worth of service for a VeriSign Trust seal normally sells for $299. During the "Dollar Day" sale, which will run from 12:01AM PST to 11:59PM -- "from midnight to midnight," said Tim Callan, head of marketing for VeriSign trust services at Symantec -- VeriSign is offering a $298 discount on one year's worth of Trust seal.

A comment of background. VeriSign recently closed a deal to sell its CA (Certification Authority) to Symantec. For CAs, this was a big development, because VeriSign has about three quarters of the market, it would be like General Motors selling its car division to some random dude with a car parts shop.

The big issue then for VeriSign and Symantec is how to slice and dice the various brands and assets up to maintain the integrity of the deal [1]. VeriSign more or less pioneered the use of the word "Trust" as with a lot else, hence the term "Trust Business." A curiosity that arose from the sale was whether Symantec was to be Trusted with the Business, as it were. Apparently they are:

Available since April 2010, the VeriSign Trust seal is an alternative to the company's older seal. "The 'VeriSign Secured' circle-and-check VeriSign Seal has historically been yoked to our VeriSign SSL certificate, which meant that you had to be using VeriSign SSL Certificates to get a seal," said Callan.

"But many small businesses outsource their shopping cart to a third party like Yahoo or eBay, where they can't get SSL," said Callan. These third-party shopping carts are typically secured with SSL on their own, as indicated by the URL starting with HTTPS or SHTTP. "This means that credible businesses are penalized for being too small. So we are creating a standalone version of the seal. Businesses have to be secure, and have their identify confirmed... but they don't have to be using SSL."

Is that for real? Yes it is. Indeed, over at CAcert (where I do lots) we have long recognised that the use of these words in the context of the overall certificate business was confusing and could present substantial difficulties if challenged in court [2].

The word "Trust" is more or less taboo in CAcert, and has been for many years; instead, we do other things that IMNSHO are far more sustainable, useful and justifiable. These are loosely grouped under the term RELY, generally written in caps to signal its special status as a word of much meaning.

Using the opportunity at hand, the new manager has wisely firewalled the issue as a separated brand and business. Which leaves the rest of the CA business to swing back into line in their own time.


[1] this is a standard business problem. For example, IBM had to do the same when it sold its market-leading laptops to Lenova, giving them a 5 year franchise on the use of the IBM brand.

[2] That's euphemistic code for "open to charges of deceptive trading practices" or other salacious troublemongering by an aggrieved plaintiff. I also hasten to point out that I have from time to time warned CAs about sailing too close to the wind, and VeriSign to its credit had become more careful about using the term too aggressively. Which is to say, I claim voce piano, there's more to this than idle grumbling about a successful competitor's annoyingly successful brand.

Posted by iang at November 3, 2010 07:31 PM | TrackBack
Comments

Ironically, this site (financialcryptography.com) has an unknown CA.

Posted by: pgl at November 8, 2010 04:20 AM

Ironically, it's very well known. Just not by you!

You can download the root by going to this URL:

http://www.cacert.org/index.php?id=3

Enjoy!

Posted by: CAcert's root at November 8, 2010 06:57 AM
Post a comment









Remember personal info?






Hit preview to see your comment as it would be displayed.