Microsoft to stack the deck against small businesses.

[RegDCP]

Microsoft to stack the deck against small ecommerce online businesses.

Microsoft announced that starting next month version 7 of Internet Explorer will start flagging certain ecommerce sites as green for "safe".

This will require site owners to get extensive, (and most likely expensive), checks done by such agencies as VeriSign and Comodo and have a separate check run through WebTrust.

Because many of the steps rely upon government filings, general partnerships, unincorporated associations, sole proprietorships and individuals are currently barred from getting these certificates.


In November, a consortium of certificate vendors and browser makers rejected Microsoft's draft but MS is proceeding regardless.

Article at Yahoo News http://news.yahoo.com/s/ap/20061224/...locks_checks_3

Reg Charie

[wige]

It sounds interesting, although not the first time I have heard about IE7 using extended validation certificates. From the rumors I have heard floating around, once a certificate system is put in place, other browsers already have the mechanism in place to recognize these certificates as well.

My understanding of this extended certificate is a bit limited, but what I have read is that this is not intended to be used as a certification of general businesses and organizational web sites, but rather to recognize financial institutions and other specific sites that are frequently targeted by phishing scams. None of the listed requirements seems more strict than I had to go through to obtain my encryption certificate last year, and although it is not easy (or perhaps even possible) for non-business entities to obtain the certificate, it is not intended to be issued to such entities.

These certificates are dual purpose, they should be able to "sign" unencrypted web pages, and will also support 256-bit encryption over traditional SSL connections similar to the common SSL certificates e-commerce sites use now. The difference is that these new certificates will require a more in depth background check of the business requesting them, and more information about that business (including contact information) will be included in the actual certificate that the browser displays.

Reading the latest version of the proposed specification (Version 1.0 Draft 11 dated 10/20/06) is somewhat ambiguous about whether or not the business needs to be incorporated. The document mentions in several places the business must be registered with an "incorporation authority" but the specification boils this down to the following, which seems the be the basic requirement to qualify as a legal entity for the purposes of the certificate:

Quote:

Originally Posted by EV SSL Certificate Specification 1.0 Draft 11

Verify that the Applicant is a legally recognized entity, in existence and validly formed (e.g., incorporated) with the Incorporating
Agency in Applicant’s Jurisdiction of Incorporation, and not designated on the records of the Incorporating Agency by labels such as "inactive," "invalid," "not current," or the equivalent.

The "in existence and validly formed" phrase indicates to me that any legally registered business would qualify so long as, by the laws of their jurisdiction, they are properly registered.

As a side note, I have been trying for a few months now to get information about these certificates from a few different CAs so that I can register and have the certificate ready when this feature is finally implemented, but no one at these companies seems to have much information yet.

[wige]

I did finally get an answer from one of the companies that will be issuing these certificates. They told me that the certificates will be available to all types of legally registered businesses except sole proprietorships. Corporations, partnerships, LLCs would all qualify for the certificates.

[RegDCP]

Quote:

Originally Posted by wige

I did finally get an answer from one of the companies that will be issuing these certificates. They told me that the certificates will be available to all types of legally registered businesses except sole proprietorships. Corporations, partnerships, LLCs would all qualify for the certificates.

That sucks big time.
I have been running my business as a provincially registered sole prop since 98 primarily due to tax considerations.
It is no less a legal business than a corporation, partnership, or LLC.

Wige, do you have any contact info where we may voice our objections?

Reg

[wige]

Unfortunately, I don't have any contacts that high up. The people I have spoken to so far have been mostly sales and technical people working for companies that will be selling the certificates once they are available.

As far as the why (based on the limited info I have been able to track down): Under law, most businesses become legal entities unto themselves. A corporation, partnership and LLC all have their own legal existance. A sole proprietorship is, in some ways, tied more closely with the proprietor. This is fine in most cases, but liabilities are handled differently under the law. The new certificate makes the statement that the site with the certificate is a unique legal entity with a real address, a certified business address and that entity is the proven owner of the certified domain. Because in many jurisdictions a sole proprietorship is not considered a unique legal entity (in liability it is bound with the proprietor) the consumer does not have some of the legal protections that are available when dealing with other business structures.

[Corey Bryant]

They are only trying to protect people. Chances are smaller businesses might not even want or have the need for this EV SSL. Unfortunately way too many people fall for phishing emails all the time and this seems like a good way to protect those people.

It will just make most consumers look twice before entering their credit card. I am just surprised that Microsoft was able to work something out with the SSL issuers. They released the news article almost a year ago. Once the validation process is finalized, I think it will be a lot cheaper.

One of the problems is that so many SSL issuers are not verifying the person buying the cert. If all the companies at least verified that, we might not even have a need for this