Post on 23-Sep-2018
Extended Validation SSL: Reseller guide to selling EV
Troy Kitch, EV Product Marketing Manager
Jay Schiavo, EV Product Manager
June 14, 2007
A serious phishing problem
- APWG finds 55,643 phishing sites in April 2007*
- Increasing # of brands hijacked
- Phishers targeting new types of web sites
* Anti-Phishing Working Group, May 2007
Phishing worries the web consumer
90% of people can’t determine a fake web site from a real one.*
Consequently 24% of people don’t shop online at all.**
* “Why Phishing Works,” April 2006. http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf
** Forrester Research, December 2005. http://www.internetretailer.com/article.asp?id=17763
Phishing impacts profits
U.S. e-commerce alone loses nearly $2,000,000,000 due to security concerns.*
* Gartner, January 2007
Combating the phishing problem
Traditional SSL is a great technology for encryption
- Encrypts data between client and server
- Protects data in transmission
- Prevents man-in-the-middle attacks
In the new Era of Phishing traditional SSL is not always sufficient
- Browser chrome identifiers are easily overlooked or misunderstood by end users
- Doesn’t promote high authentication security to concerned consumers
- Doesn’t offer enough protection to brands at risk for phishing
Industry-wide effort to create a solution
Certification Authority (CA)/Browser Forum
Certification Authorities: VeriSign, Inc.; thawte, Inc.; GeoTrust, Inc.; AmbironTrustWave; Certum; Comodo CA Ltd; Cybertrust; DigiCert, Inc.; Echoworx Corporation; Entrust, Inc.; GoDaddy.com, Inc.; IdenTrust, Inc.; ipsCA, IPS Certification Authority s.l.; Network Solutions, LLC; QuoVadis Ltd.; RSA Security, Inc.; TDC Certification Authority; Trustis Limited; Wells Fargo Bank, N.A.
Internet Browser Software Vendors: KDE; Microsoft Corporation; Opera Software ASA; The Mozilla Foundation
www.cabforum.org
Requirements for the solution
Still delivers encryption
Provides stronger identity authentication
- Identity validation
- Quality and compliance of participating CAs (annual audits)
- Technological issues (backward compatibility, certificate revocation, etc.)
Becomes more visible to the consumer/end user
- Browser vendors willing to change the browser UI if a minimum standard for identity validation was developed
Industry-wide adoption and support
The Extended Validation (EV) solution
X.509 Certificates with encryption
- Same strong level of encryption protection
- Uses existing technology
Stronger identity authentication - CA/Browser Forum guidelines
- Standardized requirements for certificate content validation
- New WebTrust audits
More visible browser UI display
- Pulls content directly from certificate
- Clear display in browser chrome
- EV certificates have a unique identifier differentiating them from non-EV
- Backward compatible for legacy browsers
IE7 EV user interface
Clear information about site security
Trust badge rotates to show Certification Authority
Browser support for EV SSL today
- IE7 EV support launched at RSA 2007
- IE7 on Windows XP, Server 2003 and Windows Vista
- IE7 now over 31% usage share worldwide
- Firefox Extension available for VeriSign EV SSL Certificates - over 50,000 downloads after only one month
- Firefox 3.0 roadmap included EV support
- Opera announced intent to support EV
Source: Market Share (by Net Application), May, 2007
EV SSL adoption
Over 1075 EV sites live today*
- E-commerce: eBay, PayPal, Overstock
- Financial: 5th/3rd Bank, ING, Schwab PC World
- Travel: Travelocity, Alaska Air
Over 3,000 businesses have applied for EV Certificates
* Source: Netcraft, June 2007
Popular response to the EV green bar
93% of participants prefer to shop on sites that show the EV green bar
97% are likely to share their credit card information on sites with the EV green bar, as opposed to only 63% with non-EV sites
77% of participants report that they would hesitate to shop at a site that previously showed the EV green bar and no longer does so
* source: Tec-Ed research, January 2007
How EV impacts VeriSign as a CA
Requirements
More stringent auditing requirements
- Point-in-time readiness audit required before issuing EV
- Annual WebTrust audit enforcing EV standards
Operational prerequisites
- Certificate status checking - OCSP investment
- Employee and third party requirements
- Data and record requirements
Only properly trained and authorized personnel can validate order information for EV certificates
Results
Strong demand for VeriSign EV since launch
82% EV market share for VeriSign*
* source: Netcraft, June 2007
How selling EV may impact you as a reseller
Requirements
Additional effort for authenticating EV certificates
Results
Upselling premium products brings higher margins - $$$
Expanded product offering for your customers
- VeriSign Secure Site with EV and Secure Site Pro with EV
- Differentiate yourself as reseller with broader portfolio of products
- Your customers differentiate themselves with both premium brand and premium authentication
88% trust the name VeriSign on a site*
* source: Tec-Ed research, January 2007
Eligibility
Who can get EV?
- Corporations
- Registered government entities
- Unincorporated business entities
Legally recognized business entities whose existence can be verified with a government agency
Verification procedure: overview
Web site owners undergo uniformly high level of validation
- Physical existence
- Operational existence
- Domain name control
- Requester’s authorization
EV verification takes longer
EV order: documentation
- EV enrollment request
- Subscriber agreement signed by certificate approver
  - Alternative - legal opinion letter
- Bank letter for organizations less than 3 years old
EV order: contacts
EV certificate requester
- Receives and manages the certificate
- Can be a reseller contact
EV certificate approver
- Employed by organization to use the certificate
- Authority to approve certificate orders
- Director level or above or in direct line of management
- Verifiable authority
EV order: actions
VeriSign Secure Site with EV or VeriSign Secure Site Pro with EV
- Available in 1 or 2 year validity
- Same CSR generation requirements
- Organization information must be accurately submitted
Placing EV certificate orders
Verification process takes longer than for standard certificates
- Validation guidelines can be downloaded at http://www.verisign.com/static/DEV040034.pdf
Certificate issued via email to the Technical Contact
- Chain root certificate
  - Primary Intermediate root that issues EV cert is ‘VeriSign Class 3 Extended Validation SSL SGC CA’
  - Primary Root EV cert is VeriSign Class 3 Public Primary CA - G5 (IE7 browsers) which is cross certified with VeriSign Class 3 Public Primary CA (legacy browsers)
  - Installation guide can be downloaded at http://www.verisign.com/static/DEV040046.pdf
Highly recommend site seal installation
- EV Upgrader functionality
Problem reporting available 24x7 at http://www.verisign.com/support/ssl-certificates-support/extended-validation-certificate-complaint/index.html
Revocation procedures same as with standard certificates (need challenge phrase)
Seeing the EV green bar
Backward compatible
- Older browsers recognize EV same as traditional SSL certificates
Firefox extension available for VeriSign EV
- Downloadable from https://addons.mozilla.org/en-US/firefox/addon/4828
- First and currently only brand to enable EV green bar on Firefox
- #4 most downloaded security extension
Seeing the EV green bar – IE7
Internet Explorer 7 (IE7) on Microsoft Windows Vista automatically updated to display EV interface
- Default installation EV-enabled
IE7 on Microsoft Windows XP needs root update to display EV green bar
- EV Upgrader™ prompts seamless and automatic update
- First technology to automatically enable green bars on XP clients
- Phishing filter must be turned on (an option recommended by Microsoft during the installation routine)
Your reseller/host role
- Understand the validation process for EV SSL
- Provide trusted brands to your customers
- Be the SSL expert for your customers
Remember
- Upselling premium products like EV brings in higher margins - $$$
- You differentiate yourself as reseller by offering a broader portfolio of products
- Your customers differentiate themselves to their customers with EV and the VeriSign brand
Next Steps
For more information about reselling EV, please contact your account manager directly
Download the archive within 48 hours from VeriSign’s Web site at www.verisign.com.
Please submit your questions via the Q+A box