November 13, 2006 4:00 AM PST
With IE 7, green means go for legit sites
(continued from previous page)
"Mozilla is evaluating various solutions, participating in the CA Browser Forum, and actively encouraging discussion between vendors and users to find a resolution that serves the needs of everyone," a company representative said.
The guidelines Microsoft is adopting--officially called "Draft 11 of the CA Browser Forum guidelines for extended validation certificates"--were voted down as a standard at the forum's most recent meeting because they were not inclusive enough, several members of the CA Browser Forum told CNET News.com.
"I am very dissatisfied with the fact that noncorporate entities are being excluded," said Scott Harris, CEO of XRamp, a San Antonio, Texas-based seller of Web site certificates. "Small companies aren't getting phished, but to tell people that it is safe to buy from businesses with a green bar and then not allow small businesses to get it is just discriminatory."
On the other hand, Comodo says it's a good sign that after more than a year of talks there is real movement. The Jersey City, N.J.-based certification company started the CA Browser Forum effort last year to address the issue of Web site verification.
"The champagne is on the table and the glasses are chilling in the freezer and the cheeses are warming on the table, but we have not quite dug in yet," said Judy Shapiro, the vice president of marketing at Comodo.
Some wiggle room?
It will take some time for people to become used to the green bar in IE 7, Diorinos said. By the time that consumers really perceive the color-filled address bar in the browser as a trust indicator, small businesses should also be able to get the new certificates, he said.
Comodo hopes the guidelines will include all legitimate Web sites within 90 days of when IE 7 starts displaying the first green bar in early 2007. "Otherwise there will be material damage" to unincorporated entities, Shapiro said. VeriSign, the world's largest certificate issuer, thinks it will take at least double that time.
"I don't think it is a purposeful move to exclude certain types of businesses," said Spiros Theodossiou, a product manager at VeriSign in Mountain View, Calif. "We're still going through a number of steps to include them."
IE 7 is ready to support the new certificates. However, the browser bar won't turn green until Microsoft has issued new root certificates for Windows, so the browser can recognize the new extended validation certificates. That won't happen until January.
Meanwhile, certification authorities such as VeriSign, XRamp and Comodo will need to be audited before they can sell the new certificate type. This is to ensure they follow the correct practices. All three companies will sell the extended validation certificate, even if they disagree with Microsoft's move to adopt the draft guidelines.
Corporations that want the address bar to turn green when people visit their Web site will have to buy a new certificate. This process will include extra verification to identify the company as legitimate.
With regards to criticism that it's adopting a technology that isn't fully baked, Microsoft said it isn't ignoring the standards process. It is committed to creating a standard for the new certificates, but felt it should move ahead with the draft version to deal with the phishing problem, Diorinos said.
"We had a really good first step that we could make available to users today and help online transactions today, we did not want to keep it under wraps until we can have a great solution," he said. "We're still keeping an open eye on how to evolve this and make this a great solution as soon as possible."