[ISN] Thawte certificate rollover

From: mea culpa (jerichot_private)
Date: Mon Jul 06 1998 - 19:13:11 PDT

    Forwarded From: sameer <sameert_private>
    
    ==
    Dear Customer
    
    ROLLOVER OF THAWTE ROOTS IN NAVIGATOR 3.X
    
    Thank you for your continued support for Thawte's secure web
    server digital certificate services.  We're proud to have
    announced recently that the Netcraft Secure Server Survey gives
    us in excess of 20% of the global web server certificate
    marketplace.
    
    As you know, your server certificate is accepted by almost all
    web browsers in active use today.  That is because any browser
    that ships today includes what we call a "Thawte Root
    Certificate". The root is what allows a browser to verify a
    Thawte signature.
    
    I am writing to alert you to the impending rollover of the
    Thawte Root embedded in Netscape Navigator 3.x, on July 27th. 
    Users of that browser will need to go through a 2-minute root
    rollover process before July 27th to avoid seeing a short
    warning message when they connect to your server.
    
    INFORMATION FOR WEBMASTERS
    
    A page dedicated to the management of root rollover for
    webmasters can be found here:
    
       http://www.thawte.com/certs/server/rollpolicy.html
    
    We want to make the process as smooth as possible for you and
    your users, and this page gives our recommended strategy for
    webmasters.  We would strongly urge all webmasters to implement
    the simple recommendations we make there as soon as possible, to
    ensure the easiest possible rollover for themselves and their
    users.
    
    WHAT CAUSES ROLLOVER?
    
    It's good security practice to limit the validity period of any
    certificate.  Every CA limits the validity of its roots, so all
    CAs are affected by root expiration and rollover.  We are the
    first global CA to have a root expire in a browser, but others
    will face the problem shortly.  We are extremely glad that the
    only browser affected is Netscape Navigator 3.x.  VeriSign faces
    the expiration of its Nav 1, 2, 3 and 4, and IE 1, 2 and 3 roots
    in 1999.  As the industry matured it became acceptable for a CA
    to use longer roots, which is why Thawte's Nav 4 and IE 4 roots
    last until 2020.  Users of Nav 3 who go through the rollover
    essentially replace the old root with the Nav 4 root.
    
    NOTES
    
    Here are some answers to the immediate questions which may spring
    to mind.  If you have others please start with our web site, or
    mail me personally.
    
    What warning will users see?
    
      After July 27th, those users who have not gone through the
      quick rollover process will see a dialog box stating that
      the root certificate that issued this site cert has expired,
      and giving them the option to continue or cancel.  The "continue"
      button will let them establish a secure session as usual.  The
      quick rollover process eliminates these warnings till 2020.
    
    How popular is Nav 3?
    
      The best figures we have estimate Nav 3 as between 10 and 15% of
      the active browser community.  We believe that people buying on
      the net tend to use newer browsers, so the actual effective rate
      may be much lower.  It is nonetheless significant, and we
      encourage all webmasters to implement our recommendation even
      if they feel the Nav 3 community is too small.
    
    Where is this documented?
    
      The rollover has been documented on our web site for many
      months now, and has also been part of the enrolment pages
      where you purchase your certs.  We have also communicated
      with most of the vendors who supply secure servers about the
      rollover so their support desks are informed.  We are
      confident that the month between now and the expiration date
      of our Nav 3 roots is plenty of time for all sites to take the
      simple steps in our recommendation.
    
    Who was the idiot who generated roots that were two years long?
    
      I was.  I'm writing to you both as President and as the person
      who caused the problem in the first place.  In my defence,
      current thinking at the time suggested that shorter roots were
      much more secure, and I did not expect Nav 3 to be a
      significant player in two years' time. Those were the days of
      constant betas and rapid evolution in the browser market. I
      also did not believe that Thawte would ever certify 20% of the
      servers on the net in such a short timeframe. Other CAs at the
      time also had short roots; we're just the first CA with
      significant market share to have one expire.
    
      This belongs squarely on my doorstep, and that's why I'm
      writing to you personally, and why I've set aside the next
      month exclusively to helping you implement our recommendations,
      and to making July 28th glitch-free for you and your users.
      Please feel free to email me with your questions,
      or to call me at our Cape Town office on +27 21 975 4675
      from 8am to 7pm, GMT+2:00.
    
    
    I believe we have penetrated the market so successfully, despite
    the huge marketing budgets of our competitors, by aggressive
    pricing (we're priced as if we faced a fully competitive market)
    and by a focus on customer service.  We look forward to the day,
    soon, when our competitor's old roots expire, and we are on an
    even playing field.  I can tell you that our strategy is to
    continue to enhance the operations and support side of our
    business, to continue to build relationships with technology
    vendors and partners, and to remain the price leader, worldwide,
    in digital certificates and certificate services.
    
    On a personal note, I would like to thank you for choosing
    Thawte as your certificate provider.  Two years ago we were a
    one-person operation in Cape Town, South Africa, with a vision
    of effective global certification.  Today we're a tight team of
    nearly 40 people worldwide focused on servicing the certificate
    marketplace. That's still really small, but it's a team that has
    helped certify thousands of businesses across nearly 90 countries,
    at an average price less than one third our competitor's. We
    could not have achieved any of that growth without your support.
    Thank you for that, and I look forward to continuing to serve you
    as the world of electronic commerce explodes around us.
    
    Yours faithfully,
    
    Mark Shuttleworth
    President, Thawte
    
    -o-
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    


