PositiveSSL???

I’ve spent some time looking through these forums and reading Melih’s posts about the differences between HA and LA certs. In particular, how Comodo’s business is different from other CA’s business such as GeoTrust (or what used to be GeoTrust).

But now, I have a look at PositiveSSL and I’m left very confused. I believe that this product used to be called LiteSSL, and it appears to be the exact type of product that Comodo suggests is causing harm to the industry. But this is a Comodo product.

What is the difference??

There simply is no material difference between a GeoTrust certificate and a PositiveSSL certificate.

So why is Comodo selling these certificates?
Isn’t this against what Comodo is trying to achieve?

Very good questions indeed. These are the questions we spent days pondering over!

Let me give you our logic:

1) We provide these certificates, but we inform the customer about their assurance level. Our competitors don’t necessarily do that; they pass them off as if they were as good as highly validated certificates. This allows us to educate the buyer of the certificates. If the buyer is tempted to opt for a “quick cert” because they don’t know any better, we are hoping to grab their attention so that we can inform them about the differences.

2) These low assurance certs don’t have any “organisation/end entity validation”, which means you are on a site but you can’t be sure whose site it really is. Comodo, unlike our competitors in the market place, provides a free means of identity assurance (www.idauthority.com). This way, even though the low assurance SSL they get has no identity assurance, we don’t let our customers stay unprotected with no identity assurance; we provide them free identity assurance! This way, at least they will have both security and identity assurance. Again, something our competitors don’t do.

3) Responsible people should make as much money as possible, because they do responsible things with it: as you can see above, even though we charge for this low assurance SSL service, we do it so that we can divert the unaware customers from our competitors’ hands, educate/inform the customers and arm them with the right tools, so that they are running their businesses with their users’ trust fully in place!

I hope I was able to explain well.
If not, please feel free to ask any questions.

Melih
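Point 2 above turns on a concrete, checkable property of the certificate itself: a domain-validated (“low assurance”) certificate names a host, while an organisation-validated one also names a legal entity in its Subject. The following is an added example, not code from this thread or from Comodo/Sectigo: it encodes and decodes the DER X.509 Subject Name using only the Python standard library and reports whether an organisation (O=) attribute is present. The two sample subjects and their values are constructed for illustration, and the subject-field heuristic is a simplification (real classification would also consult the certificate-policy OIDs).

```python
"""Added example (not from the forum thread): decode an X.509 Subject Name and
report whether it carries organisation identity or only a host name."""

# Attribute-type OIDs used in X.500 names (RFC 5280, section 4.1.2.4).
OID_NAMES = {
    "2.5.4.3": "CN",   # commonName
    "2.5.4.6": "C",    # countryName
    "2.5.4.7": "L",    # localityName
    "2.5.4.10": "O",   # organizationName
    "2.5.4.11": "OU",  # organizationalUnitName
}
NAME_OIDS = {v: k for k, v in OID_NAMES.items()}


def _encode_length(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _encode_length(len(value)) + value


def _encode_oid(oid):
    """Dotted OID -> DER: first two arcs packed into one byte, base-128 after."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_subject(attrs):
    """Encode [(attr, value), ...] as a DER Name:
    SEQUENCE OF SET OF SEQUENCE {OID, UTF8String}.  All values are emitted as
    UTF8String (tag 0x0C), which is what modern CAs use for most attributes."""
    rdns = b""
    for name, value in attrs:
        atv = _tlv(0x30, _tlv(0x06, _encode_oid(NAME_OIDS[name]))
                   + _tlv(0x0C, value.encode("utf-8")))
        rdns += _tlv(0x31, atv)
    return _tlv(0x30, rdns)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(data):
    arcs = [data[0] // 40, data[0] % 40]
    value = 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_subject(der):
    """Decode a DER Name into [(attr, value), ...]; unknown OIDs stay dotted.
    Values are decoded as UTF-8, which also covers PrintableString/IA5String."""
    tag, rdn_seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(rdn_seq):
        tag, rdn_set, pos = _read_tlv(rdn_seq, pos)
        if tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        inner = 0
        while inner < len(rdn_set):
            _, atv, inner = _read_tlv(rdn_set, inner)
            _, oid_bytes, p = _read_tlv(atv, 0)
            _, val_bytes, _ = _read_tlv(atv, p)
            oid = _decode_oid(oid_bytes)
            attrs.append((OID_NAMES.get(oid, oid), val_bytes.decode("utf-8")))
    return attrs


def assurance_level(attrs):
    """O= present -> organisation identity; only CN= -> domain-only cert."""
    present = {name for name, _ in attrs}
    if "O" in present:
        return "organisation-validated"
    if "CN" in present:
        return "domain-only (low assurance)"
    return "no subject identity"


# Constructed samples with placeholder names, not real certificates.
DV_SUBJECT = [("CN", "www.example.com")]
OV_SUBJECT = [("C", "GB"), ("O", "Example Ltd"), ("CN", "www.example.com")]

if __name__ == "__main__":
    for label, attrs in (("DV", DV_SUBJECT), ("OV", OV_SUBJECT)):
        der = build_subject(attrs)
        print(label, der.hex(), "->", assurance_level(parse_subject(der)))
```

Run stand-alone it prints both encoded subjects and their classification; on a real certificate, feed `parse_subject` the raw bytes of the `subject` field (the same hand-rolled decoder works on that DER, but for production use a maintained ASN.1 library rather than this illustration).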

Melih,

Very honest answers. I’m impressed.

Okay, let me ask this then. What is the future for LA certs? I see two things going on that will affect them. First, the decisions that are being made as part of the CA Forum (of which you obviously have a large influence). Secondly, the new security/phishing features that are being built into Vista (that will trickle down to other browsers). Do you know of other things that will influence the future?

So what do you think will happen to LA certs in 2 years when these changes occur? I don’t think they’ll go away. If they will, then Verisign’s purchase of GeoTrust was senseless. Since I don’t think that the Verisign people are stupid (actually quite the opposite) they must certainly believe that GeoTrust has something worthwhile - otherwise they would have let them die a natural death.

What are your feelings on this?

First of all:
My views on why Verisign bought Geotrust:
It’s purely for “shareholder window dressing”, so that they can say they are the largest SSL provider. That’s all! Neither the revenue nor the low assurance certs were (again, I emphasise that this is my personal opinion) of any interest to Verisign. Of course, it also does not hurt to have a few extra customers that they can sell EV (Enhanced Validation, or whatever it stands for lately :slight_smile: ) certs to when the new standard has been set up :-).

If you look at Verisign’s financials, they had to mention GeoTrust in their financials recently because GeoTrust had taken enough market share, and it’s easier for Verisign to pay “shut up” money to GeoTrust than to have to explain to their shareholders why they are losing market share.
So in my opinion there are two reasons:

1) internal issue of reporting to their shareholders
2) having extra customers who need to upgrade to EV certs

Of course, why GeoTrust sold to Verisign is another story (not why Verisign bought them but why GeoTrust sold to them, if you know what I mean).

LA certs: well, there is no point in encrypting something for someone if you don’t know who that someone is!
For all you know, you could be encrypting it for a fraudster! That’s what an LA cert is, as it is used today. A digital certificate must have identity assurance in it, otherwise encryption is useless. Will we have these in 2 years from now? Definitely, but their usage in terms of % will be diminishing as merchants start understanding the difference and utilise technologies that will give confidence to their users.

Ok, let me give you some insight into my thought process:
The human race has been doing “risk assessment” forever! When we eat we do risk assessment, when we walk we do risk assessment! It’s what keeps us alive against dangers! In the physical world we have good enough sense and indicators that allow us to do that. Then comes the virtual world, where there is ZERO indicator about what is good or bad, and bad could look as good as good and you have no means to validate! Puff, goes risk assessment! Now we are blind! You go to a site, they have what you need, but do you trust them enough to buy? I bet you would not be asking that question in your local shopping mall, as you trust your surroundings. But with the virtual world, the “pixels” are your only indicator to do risk assessment, and that ain’t assessment!

This is why the Internet has yet to happen for small to medium businesses: they don’t have the tools to establish trust with their customers. That’s why the majority still only shop with bigger online retailers! This is why the Internet has gained the big brands and not yet the small guys!

So removing what little assurance SSL had, for a quick profit, is good for certain certification authority shareholders, but bad for e-commerce, merchants and users!

So how will we give merchants the ability to say: “Hey look, I am legit, don’t worry, you can shop with me, honestly I exist and it’s not just a simple web page to grab your credit card!” and give end users the ability to say: “Let’s verify that what this website says is authentic”?

That is the issue I have been trying to resolve. That’s why I set up the CA Forum (now called the CAB Forum, with B being the Browser people).

Now we hope to have a standard where browsers will display some extra indicator so that we can assess risk better ;-).

Of course, this is, in my opinion, one small step for the CAB Forum and still one small step for what the Internet needs! But nevertheless it’s a step forward!

I will be working relentlessly to help create a trusted and secure eco-system for all of us!

Melih

I think you are on shaky ground, Melih.

ChoicePoint offers similar services to IdAuthority.

I doubt that you’d like to see Comodo and IdAuthority names used in the same connection as the two links below talk about GeoTrust and ChoicePoint:

http://blog.washingtonpost.com/securityfix/2006/02/the_new_face_of_phishing_1.html
http://businessprofile.geotrust.com/servlet/com.kx.was.servlets.CPUGBNclient?GT46060061

I always thought that you were opposing weak validation techniques and that’s what made Comodo STAND OUT from the crowd.
Netcraft in their surveys used to indicate that Comodo doesn’t issue LA certs.

http://survey.netcraft.com/surveys/analysis/https/2005/Jun/

I guess it’s time to let everyone know that you’ve succumbed to the same low business practices as your competition…

Dmitri

NO Dmitri, they are not the same. Let me explain: ChoicePoint is “Self Registration” whereas IDAuthority is Full Validation. The difference is that when you register with IDAuthority we validate your details; with ChoicePoint it’s self registration of information, and I don’t believe there is validation like IDAuthority validation.

> I doubt that you’d like to see Comodo and IdAuthority names used in the same connection as the two links below talk about GeoTrust and ChoicePoint:
>
> http://blog.washingtonpost.com/securityfix/2006/02/the_new_face_of_phishing_1.html
> http://businessprofile.geotrust.com/servlet/com.kx.was.servlets.CPUGBNclient?GT46060061
>
> I always thought that you were opposing weak validation techniques and that’s what made Comodo STAND OUT from the crowd.
> Netcraft in their surveys used to indicate that Comodo doesn’t issue LA certs.
>
> http://survey.netcraft.com/surveys/analysis/https/2005/Jun/
>
> I guess it’s time to let everyone know that you’ve succumbed to the same low business practices as your competition…

NO… As you know, I am the guy who initiated the Green Bar (EV Certificates) on IE (and soon other browsers) for a new kind of highly validated certificate. Also, buying low assurance certs from others ends up being just that… however, buying from Comodo will enable Comodo to educate the customer about the differences and invite them to use a more validated cert. So the point is: a customer who buys a low assurance cert has a better chance of understanding and becoming a validated online merchant if they buy from Comodo.

Thanks

Melih

I’m a bit confused - if IdAuthority validates the identity, then the cert is no longer LA.
If you’re not authenticating the identity when you’re issuing a cert - what good is IdAuthority?

How is this supposed to stop people from registering a domain name under bogus credentials and then requesting a domain validated cert?

My real concern is, if you’re opening a door to LA certs, why do you think you will not end up in the same trouble boat as GeoTrust and ChoicePoint?

Dmitri

P.S. this is not a flame - I need to know what to tell my customers

I understand Dmitri… and I am here to help…

LA certs will always be LA certs… we can’t help that… the positive thing with our offering is that even though they get an LA cert, they have the ability to get themselves validated with IDAuthority… Other CAs do not offer that. And the way to display that you are validated by IDAuthority is by displaying our Trustlogo. So we are not relying on the LA cert to display trust.

Hope this explains.

Melih

But Trustlogo is not included with PositiveSSL.
And so what if a crook is registered with IdAuthority automatically?

Moreover, I’d like to understand this:

https://www.discount-shop.de/
http://www.trustlogo.com/ttb_searcher/trustlogo?v_querytype=W&v_shortname=SC2&v_search=www.discount-shop.de&x=6&y=5

and this:

https://www.ancientcoinjewelry.co.il/
http://www.trustlogo.com/ttb_searcher/trustlogo?v_querytype=W&v_shortname=SC2&v_search=www.ancientcoinjewelry.co.il&x=6&y=5

Both of these are your customers.

Dmitri

PositiveSSL itself is a low assurance product. The IDAuthority is an additional product… It does not change the validation type for PositiveSSL as such. The point is: we give people an opportunity to get themselves trusted even when they buy Low Assurance SSL…

What is your point about the above domains? They have a low assurance SSL product and display a static seal. They have not registered for IDAuthority. It’s up to the customer to register with IDAuthority, and unlike other providers, who simply want to sell low assurance without giving customers a way to improve their online trust, Comodo provides this service free of charge!

Melih

Thank you for the explanation.

I guess, where my confusion about these sites comes from is that according to Sectigo

“… in order to provide critical identity assurance for your site, every Positive SSL come with FREE register in IdAuthority.”

So, were the customers able to opt out of this great free service?
My apologies, this does come from unfamiliarity with the product and its options.

I see…
No problem at all :slight_smile:

Yep… it’s a great service and it’s free… now you know “how much” Comodo actually does by providing free services and products to make the Internet a safer place… no other company does as much, or even close to what we do, I am afraid, and it’s a shame that they don’t…

thanks

Melih

Ok.
To avoid further confusion and to become familiar with the process, I decided to try out the PositiveSSL myself and ordered a trial version of PositiveSSL.
Within 1 minute of completing the order I had an email waiting for me with the confirmation code and a link on where to enter it.
After entering the code, I was able to download the cert from the Management Area.

Guess what, IdAuthority displays the following message:

“IdAuthority Credentials not available for this site”

Nowhere during the process of applying for PositiveSSL did I see how to opt-out of IdAuthority.
I didn’t see an option of registering with IdAuthority either.
What am I missing?

Dmitri

Hi Dmitri

It’s an opt-in process as such… people don’t get it automatically… they must choose to do it and send us information etc.
If you want to be in it, send me a PM and I will get you to our validation people, who can validate and put you in IDAuthority…

thanks
Melih

Hi Melih,
Do you think it might make sense to actually specify that explanation on positivessl.com website where it talks about IdAuthority?
Oh, and BTW, clicking on KPMG webtrust logo at www.positivessl.com comes back with:
“Invalid domain [http://www.positivessl.com/]: please contact your practitioner.”

Dmitri

Thanks Dmitri

We will look into this most definitely…

thanks

Melih