[ISN] Thawte certificate rollover

From: mea culpa (jerichot_private)
Date: Mon Jul 06 1998 - 19:13:11 PDT

  • Next message: mea culpa: "[ISN] Securing all pagers"

    Forwarded From: sameer <sameert_private>
    Dear Customer
    Thank you for your continued support for Thawte's secure web
    server digital certificate services.  We're proud to have
    announced recently that the Netcraft Secure Server Survey gives
    us in excess of 20% of the global web server certificate
    As you know, your server certificate is accepted by almost all
    web browsers in active use today.  That is because any browser
    that ships today includes what we call a "Thawte Root
    Certificate". The root is what allows a browser to verify a
    Thawte signature.
    I am writing to alert you to the impending rollover of the
    Thawte Root embedded in Netscape Navigator 3.x, on July 27th. 
    Users of that browser will need to go through a 2 minute root
    rollover process before July 27th to avoid seeing a short
    warning message when they connect to your server.
    A page dedicated to the management of root rollover for
    webmasters can be found here:
    We want to make the process as smooth as possible for you and
    your users, and this page gives our recommended strategy for
    webmasters.  We would strongly urge all webmasters to implement
    the simple recommendations we make there as soon as possible, to
    ensure the easiest possible rollover for themselves and their
    It's good security practice to limit the validity period of any
    certificate.  Every CA limits the validity of its roots, so all
    CA's are affected by root expiration and rollover.  We are the
    first global CA to have a root expire in a browser, but others
    will face the problem shortly.  We are extremely glad that the
    only browser affected is Netscape Navigator 3.x.  VeriSign faces
    the expiration of its Nav 1, 2, 3 and 4, and IE 1, 2 and 3 roots
    in 1999.  As the industry matured it became acceptable for a CA
    to use longer roots, which is why Thawte's Nav 4 and IE 4 roots
    last until 2020.  Users of Nav 3 who go through the rollover
    essentially replace the old root with the Nav 4 root.
    Here are some answers to the immediate questions which may spring
    to mind.  If you have others please start with our web site, or
    mail me personally.
    What warning will users see?
      After July 27th, those users who have not gone through the
      quick rollover process will see a dialog box stating that
      the root certificate that issued this site cert has expired,
      and giving them the option to continue or cancel.  The "continue"
      button will let them establish a secure session as usual.  The
      quick rollover process eliminates these warnings till 2020.
    How popular is Nav 3?
      The best figures we have estimate Nav 3 as between 10 and 15% of
      the active browser community.  We believe that people buying on
      the net tend to use newer browsers, so the actual effective rate
      may be much lower.  It is nonetheless significant, and we
      encourage all webmasters to implement our recommendation even
      if they feel the Nav 3 community is too small.
    Where is this documented?
      The rollover has been documented on our web site for many
      months now, and has also been part of the enrolment pages
      where you purchase your certs.  We have also communicated
      with most of the vendors who supply secure servers about the
      rollover so their support desks are informed.  We are
      confident that the month between now and the expiration date
      of our Nav 3 roots is plenty of time for all sites to take the
      simple steps in our recommendation.
    Who was the idiot who generated roots that were two years long?
      I was.  I'm writing to you both as President and as the person
      who caused the problem in the first place.  In my defence,
      current thinking at the time suggested that shorter roots were
      much more secure, and I did not expect Nav 3 to be a
      significant player in two years' time. Those were the days of
      constant betas and rapid evolution in the browser market. I
      also did not believe that Thawte would ever certify 20% of the
      servers on the net in such a short timeframe. Other CA's at the
      time also had short roots, we're just the first CA with
      significant market share to have one expire.
      This belongs squarely on my doorstep, and that's why I'm
      writing to you personally, and why I've set aside the next
      month exclusively to helping you implement our recommendations,
      and to making July 28th glitch-free for you and your users.
      Please feel free to email me with your questions,
      or to call me at our Cape Town office on +27 21 975 4675
      from 8am to 7pm, GMT+2:00.
    I believe we have penetrated the market so successfully, despite
    the huge marketing budgets of our competitors, by aggressive
    pricing (we're priced as if we faced a fully competitive market)
    and by a focus on customer service.  We look forward to the day,
    soon, when our competitor's old roots expire, and we are on an
    even playing field.  I can tell you that our strategy is to
    continue to enhance the operations and support side of our
    business, to continue to build relationships with technology
    vendors and partners, and to remain the price leader, worldwide,
    in digital certificates and certificate services.
    On a personal note, I would like to thank you for choosing
    Thawte as your certificate provider.  Two years ago we were a
    one-person operation in Cape Town, South Africa, with a vision
    of effective global certification.  Today we're a tight team of
    nearly 40 people worldwide focused on servicing the certificate
    marketplace. That's still really small, but it's a team that has
    helped certify thousands of businesses across nearly 90 countries,
    at an average price less than one third our competitor's. We
    could not have achieved any of that growth without your support.
    Thank you for that, and I look forward to continuing to serve you
    as the world of electronic commerce explodes around us.
    Yours faithfully,
    Mark Shuttleworth
    President, Thawte
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:10 PDT