The last item is very important when choosing a certificate provider or, for that matter, when planning your enterprise’s public key infrastructure. For this discussion, we’ll limit our choices to the top three online Certificate Authorities: Verisign, Thawte, and Entrust.
Most Certificate Authorities (CAs) recognize that real people are dealing with real uncertainties, especially since an increasing number of online users are becoming aware of the real dangers of the Internet. From the visitor’s point of view, confidence is everything. Who are they sending their private information to? How many parties will the information pass through? Will that information be protected against fraud, identity theft, and general eavesdroppers?
All CAs use the same underlying SSL and encryption technologies to produce and manage their certificates. They also offer similar “site seals” (clickable images you can place on your web pages to visually boost visitor confidence) to “vouch” for your online identity.
CAs differ mainly in the ways they authenticate and verify your business identity. Those that more strictly authenticate and verify your information are able to embed that information within your digital certificate, which in turn can be viewed and confirmed by website visitors. In theory, the more of your information visitors can trust to have been independently verified, the more confident they can be when doing business with you.
thawte, acquired in 2000 by VeriSign, is known for using the most stringent authentication and verification procedures, requiring proof of domain name ownership and other legal documentation to complete the enrollment process. However, thawte has recently added a low-cost certificate option, the SSL123 certificate, for those who need a certificate that is issued in minutes and validated only with respect to the registered domain name.
Verisign, on the other hand, has a much less involved enrollment process. To compensate, Verisign’s approach is to offer NetSure “insurance” that protects you against economic loss resulting from unauthorized or illegal use of your SSL certificate. Verisign also offers packages that bundle SSL Certificates with online payment services, network security auditing, e-commerce security analysis, and website monitoring.
Entrust’s enrollment and verification process is similar to thawte’s, and its certificates are cheaper than those of the other two players. Entrust certificates are compatible with most browsers, but Entrust currently doesn’t offer step-up certificates (see below) or Verisign-like fraud protection.
Both thawte and Verisign offer standard SSL certificates and “step-up” certificates (SGC SuperCert and Secure Site Pro, respectively). These certificates extend full 128-bit encryption to international users whose browsers, due to export laws, only support 40-bit or 56-bit encryption capabilities. According to thawte’s website, these browsers generally run on Windows 2000 operating systems that shipped prior to about March of 2001 and did not subsequently have Microsoft's High Encryption pack or Service Pack 2 installed. The majority of US browsers are automatically enabled to use 128-bit encryption.
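The identity details a CA verifies end up in the certificate's subject, so anyone inspecting the certificate can see what was actually vouched for. The Python code below is an added example, not code from the original article or from any CA: it reads the dictionary layout returned by Python's `ssl.SSLSocket.getpeercert()` and treats a subject with no organization name as domain-only validation, which is a heuristic assumed here. Both sample certificates and the function names are constructed for illustration.

```python
# Added example. Input is the dict layout of ssl.SSLSocket.getpeercert().
IDENTITY_FIELDS = ("organizationName", "organizationalUnitName",
                   "localityName", "stateOrProvinceName", "countryName")

# Constructed sample: only the domain name appears in the subject.
DOMAIN_ONLY_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "subjectAltName": (("DNS", "shop.example.com"),),
}

# Constructed sample: the subject also carries business identity fields.
ORGANIZATION_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "California"),),
        (("organizationName", "Example Widgets Inc."),),
        (("commonName", "www.example.com"),),
    ),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}


def subject_attributes(cert):
    """Flatten the nested RDN tuples of cert['subject'] into {name: [values]}."""
    attrs = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            attrs.setdefault(name, []).append(value)
    return attrs


def validation_summary(cert):
    """Report which names and identity fields the certificate asserts."""
    attrs = subject_attributes(cert)
    identity = {k: attrs[k] for k in IDENTITY_FIELDS if k in attrs}
    names = list(attrs.get("commonName", []))
    names += [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    # Assumption (heuristic): no organizationName means only the domain was checked.
    level = "organization" if "organizationName" in identity else "domain-only"
    return {"level": level, "identity": identity,
            "dns_names": list(dict.fromkeys(names))}  # de-duplicate, keep order


if __name__ == "__main__":
    for label, cert in (("domain-only sample", DOMAIN_ONLY_CERT),
                        ("organization sample", ORGANIZATION_CERT)):
        print(label, validation_summary(cert))
```

For a live site, the same function can be fed the result of `getpeercert()` on a connected TLS socket created from `ssl.create_default_context()`.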
Selecting an Appropriate Digital Certificate
So which provider do you go with? Use the chart below as a guideline:
You have a global website that sells high value items or processes sensitive information: