Posted to dev@httpd.apache.org by Sameer Parekh <sa...@c2.net> on 1998/06/23 20:43:28 UTC

Confusion regarding our VeriSign rebate announcement

I think a little background will address your concerns. We are neither
penalizing Thawte nor getting a kick-back from Verisign. Our goal
is to offer users a choice and make Stronghold more valuable to them.

We applaud the work Thawte is doing and consider them a fine CA. We've
had good experiences dealing with Thawte and our customers have also
had good things to say.

The Thawte root cert expiring in older browsers is sound security
practice, agreed. In fact, Verisign is doing the same thing next year.
We do the same thing with our internal certs, individual PGP keys, etc.
Sound security principles or not, though, our customers responded to
the news of Thawte's root cert expiring in the older browsers in two
very different ways.

One set of people are nonplussed. They realize that the affected
browsers are only about 20% of the total browser market, many of whom
realize they're running older browsers and many may have been meaning to
get around to upgrading browsers, anyway. They know visitors to their
site can easily upgrade the cert in their browser by taking a minute
or two to click on a URL once. The other set, however, was much more
concerned. They are worried that visitors will lose the impulse to do
business with them during the time it takes to upgrade the cert or,
worse, that they'll see an error message, not understand it and think
the site is not secure, never doing business with them again.

We put notice about rootcerts expiring on our web site within a day
or two of when we first heard about it. The first thing it listed was
Thawte's URL about the roll-over, providing instructions for upgrading
certs in browsers. It mentioned that Verisign's would similarly
expire in the older browsers, but just a year or so later:
http://www.c2.net/products/stronghold/support/KeysNCerts.php#rootcerts

(BTW, it's been updated a little since to add the July date, and that
the affected legacy browsers make up about 20% of total browsers, and
just a few days ago to reflect the new URL for the Verisign promotion.)

After hearing about the rootcerts expiring and the issues some of our
users raised, we began discussions with Verisign to see whether there
was anything we could do to accommodate the second set of users, the
ones who were not happy about needing to rely on visitors to upgrade
their own browser certs. 2 months later, we announced the Verisign
offer.

We used to just offer a free digital certificate from Thawte, a $125.00
value. We now offer the choice of a free Thawte cert OR $125.00 off the
price of a Verisign certificate. The best the other guys can do is offer
you a coupon for $25.00 off the purchase of a Thawte certificate -
the very same certificate we've included for free with each copy of
Stronghold 2.0 since its release.

While we were under no obligation to provide a solution to this matter, we
realized that a lot of customers would question the value of a bundled
Thawte cert, given the impending root cert complications. We found that
some of our customers opt for Verisign certs and never retrieve their
Thawte bundle at all. We decided to offer a choice: you can still get a
free bundled digital certificate from Thawte and have affected users
upgrade their root cert OR you can get a discount on a Verisign cert
and have users of the older browsers upgrade in 1999.

We don't get any money from Verisign. The value to us is that our users
like being given a choice. It adds value to the overall package. And,
if Thawte wishes to make an offer for people who wish to switch from
Verisign when Verisign's certs expire in the older browsers next year,
we'll pass that along to our customers as well.

As for Thawte, it is unfortunate for them that their expiration happened
to hit a year earlier than Verisign's and they are losing some customers
who are switching, true. But this way the customers that do switch
don't feel they lost money by having had a Thawte cert, and are less
likely to be disgruntled about Thawte. This gives Thawte a good chance
at reclaiming some of these customers next year, and possibly some of
Verisign's as well. I don't think this has escaped Thawte's notice. We're
not penalizing Thawte for doing the right thing.

As for our end, customers get an additional choice. We get no money from
Verisign, but we do get happier customers.
--
Sameer Parekh                                   Voice:   510-986-8770
CEO                                             FAX:     510-986-8777
C2Net                                           http://www.c2.net/