Extended Validation SSL

Extended Validation SSL: Reseller guide to selling EV. Troy Kitch, EV Product Marketing Manager; Jay Schiavo, EV Product Manager. June 14, 2007

Transcript of Extended Validation SSL

Page 1: Extended Validation SSL

Extended Validation SSL: Reseller guide to selling EV

Troy Kitch, EV Product Marketing Manager

Jay Schiavo, EV Product Manager

June 14, 2007

Page 2: Extended Validation SSL

Extended Validation SSL: Reseller guide to selling EV

Troy Kitch, EV Product Marketing Manager

June 14, 2007

Page 3: Extended Validation SSL

A serious phishing problem

- APWG finds 55,643 phishing sites in April 2007*
- Increasing # of brands hijacked
- Phishers targeting new types of web sites

* Anti-Phishing Working Group, May 2007

Page 4: Extended Validation SSL

Phishing worries the web consumer

90% of people can’t determine a fake web site from a real one.*

Consequently 24% of people don’t shop online at all.**

* “Why Phishing Works,” April 2006. http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf
** Forrester Research, December 2005. http://www.internetretailer.com/article.asp?id=17763

Page 5: Extended Validation SSL

Phishing impacts profits

U.S. e-commerce alone loses nearly $2,000,000,000 due to security concerns.*

* Gartner, January 2007

Page 6: Extended Validation SSL

Combating the phishing problem

- Traditional SSL is a great technology for encryption
  - Encrypts data between client and server
  - Protects data in transmission
  - Prevents man-in-the-middle attacks
- In the new Era of Phishing traditional SSL is not always sufficient
  - Browser chrome identifiers are easily overlooked or misunderstood by end users
  - Doesn’t promote high authentication security to concerned consumers
  - Doesn’t offer enough protection to brands at risk for phishing

Page 7: Extended Validation SSL

Industry-wide effort to create a solution

Certification Authority (CA)/Browser Forum

- Certification Authorities: VeriSign, Inc.; thawte, Inc.; GeoTrust, Inc.; AmbironTrustWave; Certum; Comodo CA Ltd; Cybertrust; DigiCert, Inc.; Echoworx Corporation; Entrust, Inc.; GoDaddy.com, Inc.; IdenTrust, Inc.; ipsCA, IPS Certification Authority s.l.; Network Solutions, LLC; QuoVadis Ltd.; RSA Security, Inc.; TDC Certification Authority; Trustis Limited; Wells Fargo Bank, N.A.
- Internet Browser Software Vendors: KDE; Microsoft Corporation; Opera Software ASA; The Mozilla Foundation

www.cabforum.org

Page 8: Extended Validation SSL

Requirements for the solution

- Still delivers encryption

Page 9: Extended Validation SSL

Requirements for the solution

- Still delivers encryption
- Provides stronger identity authentication
  - Identity validation
  - Quality and compliance of participating CAs (annual audits)
  - Technological issues (backward compatibility, certificate revocation, etc.)

Page 10: Extended Validation SSL

Requirements for the solution

- Still delivers encryption
- Provides stronger identity authentication
  - Identity validation
  - Quality and compliance of participating CAs (annual audits)
  - Technological issues (backward compatibility, certificate revocation, etc.)
- Becomes more visible to the consumer/end user
  - Browser vendors willing to change the browser UI if a minimum standard for identity validation was developed

Page 11: Extended Validation SSL

Requirements for the solution

- Still delivers encryption
- Provides stronger identity authentication
  - Identity validation
  - Quality and compliance of participating CAs (annual audits)
  - Technological issues (backward compatibility, certificate revocation, etc.)
- Becomes more visible to the consumer/end user
  - Browser vendors willing to change the browser UI if a minimum standard for identity validation was developed
- Industry-wide adoption and support

Page 12: Extended Validation SSL

The Extended Validation (EV) solution

- X.509 Certificates with encryption
  - Same strong level of encryption protection
  - Uses existing technology

Page 13: Extended Validation SSL

The Extended Validation (EV) solution

- X.509 Certificates with encryption
  - Same strong level of encryption protection
  - Uses existing technology
- Stronger identity authentication - CA/Browser Forum guidelines
  - Requirements for how certificate content is validated
  - New WebTrust audits

Page 14: Extended Validation SSL

The Extended Validation (EV) solution

- X.509 Certificates with encryption
  - Same strong level of encryption protection
  - Uses existing technology
- Stronger identity authentication - CA/Browser Forum guidelines
  - Standardized requirements for certificate content validation
  - New WebTrust audits
- More visible browser UI display
  - Pulls content direction from certificate
  - Clear display in browser chrome
  - EV certificates have a unique identifier differentiating them from non-EV
  - Backward compatible for legacy browsers

Page 15: Extended Validation SSL

IE7 EV user interface

- Clear information about site security
- Trust badge rotates to show Certification Authority

Page 16: Extended Validation SSL

IE 7 phishing filter color scheme

Page 17: Extended Validation SSL

Suspect site

Page 18: Extended Validation SSL

Known phishing site

Page 19: Extended Validation SSL

Browser support for EV SSL today

- IE7 EV support launched at RSA 2007
- IE7 on Windows XP, Server 2003 and Windows Vista
- IE7 now over 31% usage share worldwide
- Firefox Extension available for VeriSign EV SSL Certificates - over 50,000 downloads after only one month
- Firefox 3.0 roadmap included EV support
- Opera announced intent to support EV

Source: Market Share (by Net Application), May, 2007

Page 20: Extended Validation SSL

EV SSL adoption

- Over 1075 EV sites live today*
  - E-commerce: eBay, PayPal, Overstock
  - Financial: 5th/3rd Bank, ING, Schwab PC World
  - Travel: Travelocity, Alaska Air
- Over 3,000 businesses have applied for EV Certificates

* Source: Netcraft, June 2007

Page 21: Extended Validation SSL

Popular response to the EV green bar

93% of participants prefer to shop on sites that show the EV green bar

* source: Tec-Ed research, January 2007

Page 22: Extended Validation SSL

Popular response to the EV green bar

93% of participants prefer to shop on sites that show the EV green bar

97% are likely to share their credit card information on sites with the EV green bar, as opposed to only 63% with non-EV sites

* source: Tec-Ed research, January 2007

Page 23: Extended Validation SSL

Popular response to the EV green bar

93% of participants prefer to shop on sites that show the EV green bar

97% are likely to share their credit card information on sites with the EV green bar, as opposed to only 63% with non-EV sites

77% of participants report that they would hesitate to shop at a site that previously showed the EV green bar and no longer does so

* source: Tec-Ed research, January 2007

Page 24: Extended Validation SSL

Extended Validation SSL: Reseller guide to selling EV

Jay Schiavo, EV Product Manager

June 14, 2007

Page 25: Extended Validation SSL

How EV impacts VeriSign as a CA

Requirements

- More stringent auditing requirements
  - Point-in-time readiness audit required before issuing EV
  - Annual WebTrust audit enforcing EV standards
- Operational prerequisites
  - Certificate status checking – OCSP investment
  - Employee and third party requirements
  - Data and record requirements
- Only properly trained and authorized personnel can validate order information for EV certificates

Page 26: Extended Validation SSL

How EV impacts VeriSign as a CA

Requirements

- More stringent auditing requirements
  - Point-in-time readiness audit required before issuing EV
  - Annual WebTrust audit enforcing EV standards
- Operational prerequisites
  - Certificate status checking – OCSP investment
  - Employee and third party requirements
  - Data and record requirements
- Only properly trained and authorized personnel can validate order information for EV certificates

Results

- Strong demand for VeriSign EV since launch
- 82% EV market share for VeriSign*

* source: Netcraft, June 2007

Page 27: Extended Validation SSL

How selling EV may impact you as a reseller

Requirements

- Additional effort for authenticating EV certificates

Page 28: Extended Validation SSL

How selling EV may impact you as a reseller

Requirements

- Additional effort for authenticating EV certificates

Results

- Upselling premium products brings higher margins - $$$
- Expanded product offering for your customers
  - VeriSign Secure Site with EV and Secure Site Pro with EV
  - Differentiate yourself as reseller with broader portfolio of products
  - Your customers differentiate themselves with both premium brand and premium authentication
- 88% trust the name VeriSign on a site*

* source: Tec-Ed research, January 2007

Page 29: Extended Validation SSL

Eligibility

- Who can get EV?
  - Corporations
  - Registered government entities
  - Unincorporated business entities
- Legally recognized business entities whose existence can be verified with a government agency

Page 30: Extended Validation SSL

Verification procedure: overview

- Web site owners undergo uniformly high level of validation
  - Physical existence
  - Operational existence
  - Domain name control
  - Requester’s authorization
- EV verification takes longer

Page 31: Extended Validation SSL

EV order: documentation

- EV enrollment request
- Subscriber agreement signed by certificate approver
- Alternative – legal opinion letter
- Bank letter for organizations less than 3 years old

Page 32: Extended Validation SSL

EV order: contacts

- EV certificate requester
  - Receives and manages the certificate
  - Can be a reseller contact
- EV certificate approver
  - Employed by organization to use the certificate
  - Authority to approve certificate orders
  - Director level or above or in direct line of management
  - Verifiable authority

Page 33: Extended Validation SSL

EV order: actions

- VeriSign Secure Site with EV or VeriSign Secure Site Pro with EV
- Available in 1 or 2 year validity
- Same CSR generation requirements
- Organization information must be accurately submitted

Page 34: Extended Validation SSL

Placing EV certificate orders

- Verification process takes longer than for standard certificates
  - Validation guidelines can be downloaded at http://www.verisign.com/static/DEV040034.pdf
- Certificate issued via email to the Technical Contact
- Chain root certificate
  - Primary Intermediate root that issues EV cert is ‘VeriSign Class 3 Extended Validation SSL SGC CA’
  - Primary Root EV cert is VeriSign Class 3 Public Primary CA – G5 (IE7 browsers) which is cross certified with VeriSign Class 3 Public Primary CA (legacy browsers)
  - Installation guide can be downloaded at http://www.verisign.com/static/DEV040046.pdf
- Highly recommend site seal installation
  - EV Upgrader functionality
- Problem reporting available 24x7 at http://www.verisign.com/support/ssl-certificates-support/extended-validation-certificate-complaint/index.html
- Revocation procedures same as with standard certificates (need challenge phrase)

Page 35: Extended Validation SSL

Seeing the EV green bar

- Backward compatible
  - Older browsers recognize EV same as traditional SSL certificates
- Firefox extension available for VeriSign EV
  - Downloadable from https://addons.mozilla.org/en-US/firefox/addon/4828
  - First and currently only brand to enable EV green bar on Firefox
  - #4 most downloaded security extension

Page 36: Extended Validation SSL

Seeing the EV green bar – IE7

- Internet Explorer 7 (IE7) on Microsoft Windows Vista automatically updated to display EV interface
  - Default installation EV-enabled
- IE7 on Microsoft Windows XP needs root update to display EV green bar
  - EV Upgrader™ prompts seamless and automatic update
  - First technology to automatically enable green bars on XP clients
  - Phishing filter must be turned on (an option recommended by Microsoft during the installation routine)

Page 37: Extended Validation SSL

Your reseller/host role

- Understand the validation process for EV SSL
- Provide trusted brands to your customers
- Be the SSL expert for your customers

Remember

- Upselling premium products like EV brings in higher margins - $$$
- You differentiate yourself as reseller by offering a broader portfolio of products
- Your customers differentiate themselves to their customers with EV and the VeriSign brand

Page 38: Extended Validation SSL

Next Steps

For more information about reselling EV, please contact your account manager directly

Download the archive within 48 hours from VeriSign’s Web site at www.verisign.com.

Please submit your questions via the Q+A box