The companies will work together to promote SSL certificates and VeriSign’s new VeriSign Identity Protection service alongside Microsoft’s InfoCard technology.
Microsoft has settled upon high assurance certificates as the baseline for what constitutes trustworthiness online, and is poised to make this kind of SSL far more visible to the average web user in its forthcoming software.
VeriSign chief executive Stratton Sclavos announced at the RSA Conference in San Jose yesterday that his company is working with Microsoft of the next phase of encrypted web transactions, what he called mutual authentication.
At the most simple level of this relationship, an SSL-encrypted web page will have its URL highlighted green in the IE7 browser address bar to signify trust, but only if the web server has one of these expensive high-assurance certs.
Selling this type of certificate — which requires a manual validation of the cert buyer’s identity — is a space VeriSign dominates, even though its SSL business is taking a kicking at the lower end of the market from lower-validation services.
VeriSign also stands to see its brand pushed by Microsoft’s InfoCard browser wallet technology, which, as we reported yesterday, is also set to appear in IE7 and Vista.
Forget the SSL padlock that nobody notices in the bottom corner of the browser. With InfoCard, if a site is secured by one of VeriSign’s high-end certs, the company logo will be thrust in front the consumer before they submit the InfoCard to the site.
According to VeriSign director of product management Kerry Loftus, other SSL cert vendors — such as GeoTrust, which claims to be volume leader in the market — will not get plugged in this way because the validation is not high enough.
Companies such as GeoTrust make most of their sales selling certs cheaply and quickly by using relatively rudimentary automatic buyer validation, rather than doing Dun & Bradstreet lookups and credit checks on each buyer.
The intrinsic cryptographic security of the certs is identical in both cases. The only difference is how much work the SSL vendor has done to make sure the buyer is above board. Prices can vary quite wildly on this factor.
InfoCards will come in two flavors, Microsoft has said. There will be user-created cards stored and managed locally, not unlike the form-autofill functions in IE today, but there will also be provider-issued managed cards for certain applications.
VeriSign sees the InfoCard authentication being a two-way street. Not only will the user be able to see whether the site is trustworthy before submitting a card, but the site will, if they subscribe to VeriSign’s VIP service, be able to authenticate the user.
In a demo we saw yesterday, an online banking customer would be able to see in an InfoCard screen whether VeriSign had verified the bank’s identity before submitting an, and the bank could demand that the user authenticate herself with a one-time password token before the transaction completes.
