Users have a tendency to ignore or bypass digital certificate errors, undermining the whole system of trust. What can be done to improve the user's security experience in light of that fact? What are browser vendors missing?
VeriSign has been working closely with browser vendors to improve the user experiences, but there isn't enough real estate in the browser to do it perfectly. But many vendors, especially Microsoft, are doing innovative things like Extended Validation (EV) certificates. When a user browses to an EV-protected Web site, an EV-enabled browser [such as Microsoft Internet Explorer 7, Mozilla Firefox 2, and Opera 9.5] will turn the address bar green, identifying that the site as trusted using the strongest assurance we can offer today. Users can trust EV certificates. It is proven that sites that use EV certificates have much lower abandonment rates than sites without EV. For example, Overstock.com found users were abandoning their shopping cart at the point at which they were supposed to put in their credit card information ... at the moment they really needed to trust the vendor. Overstock.com start using EV certificates and saw a 16,000 times return on investment.
Critics say that Extended Validation is really asking consumers to pay more for the trust assurance that they were originally promised in normal Class 3 Web site certificates. How do you respond?
EV gives the certification authority vendor more time to do the proper validation. With EV, we do a complete background investigation, including a financial check, articles of incorporation, and verifying their identity.
But that's included with the normal Class 3 certs. What's different?
We ensure the subject is who they say they are and that they own the domain.
Again, VeriSign does this with Class 3 certificates, so what's different?
VeriSign has always done a high-quality assurance job, but more time to conduct the background investigation means improved security for everyone. Plus, prior to EV, each CA [certification authority] could determine what processes were performed to provide assurance. A user could not be assured about whether a CA vendor did the same high-quality checks without reading the assurance statements. EV defines what assurance processes must be accomplished prior to the issuance of an EV certificate. An EV certificate means consistent, standard assurances across CA vendors.
How will Web services, SaaS (software as a service), and cloud computing affect VeriSign and DNS over the next 10 years?
Any new Web functions, like Web 2.0, will impact us. Today, it's normal for a single Web site page to generate 20 DNS queries. [Our challenge is] not only scaling, but making sure that services are always reliable, especially with services such as TV and telephony coming over the Internet. With some new services, we have created a game-changer. Our VeriSign Identity Protection Services generate a single token or one-time password on any device the customer or vendor desires (such as a cell phone or credit card). It can be used across multiple sites and vendors. You can use that one token to do a lot more in your life than you previously could using older technologies.
In the future, you might be able to say something similar to the LifeLock CEO on TV [who promotes his identity protection service by reading out his Social Security number] and say, "My real password is ..." and not minimize your security. The authentication, identity, and protection will be in the cloud. Ask yourself: Would we use bank cards as much as we do today if they only worked at your bank? No, banks created the ATM network to allow users to shop and spend nationwide and globally. We've essentially done the same thing in the online world. We allow one token or password to be used in multiple places. It's like an ATM network for the online world. Visit our new Personal Identity Portal to see the beta. It's very cool.
A few years ago, VeriSign dropped Network Solutions to pick up the RFID contract resolution work. It was predicted that the RFID resolution traffic would be orders of magnitude bigger than DNS. How has that project scaled over the last few years? Is it bigger than DNS yet?
No, RFID is still fairly new and hasn't surpassed DNS traffic levels yet. We've seen a recent uptick in the garment industry. They use it to track inventories and to help keep inventories low. We expect the RFID work to grow, but we want to focus on our core services of DNS, SSL certificates, and identity and authentication services.