Crapola: The Daily Rubbish

Tuesday, January 23, 2007

Enhanced Validation SSL = Cash Cow


"Web-based businesses face a crisis in consumer confidence because of phishing scams. But because of a new kind of SSL certificate, Web sites will be able to definitively demonstrate their identity, and customers will be able to confirm the identity of trusted sites"

- Tim Callan, director of product marketing for VeriSign

My crapola meter is going haywire on this one. In a couple of sentences Mr. Callan has managed to smear SSL in a big way - I take comfort in the fact that Network World isn't exactly a mainstream/consumer magazine. But I bet Mr. Callan wishes it were, and he will probably take a stab at making sure this "fear campaign" gets maximum exposure.

I don't know about anyone else's experience in obtaining an SSL certificate, but if memory serves, we did need to validate and provide business documents prior to being approved. If this process is lacking, then so be it: it must be improved, but not by introducing a "new" product costing hundreds of dollars more!

Does this mean the "old" SSL is flawed? It has to be for this new product to have any merit - it's easily "phished", right? If so, and if there's no fixing it, and the only solution is the new EV SSL, then why continue selling "old" SSL certificates? Why dance around the issue?

I looked over the "features" of this new EV SSL that supposedly protects the consumer - I mean the meat, the part that gives credence/weight/validity to the strength of the verification process, not some technical visual aid - and unless I missed it, or it's buried in some other document hidden from public view (aka the "real legalese"), it has nothing of the sort. The only mention of protection I could find is the same boilerplate warranty as standard SSL:

VeriSign SSL Certificates are covered by the NetSure Protection Plan with up to $250,000 in warranty protection. NetSure protects certificate holders against certain losses resulting from breach by VeriSign of the warranties included in your VeriSign SSL Certificate.

I see nothing in the above that adds weight to the promise of consumer protection at all - in fact it's not for the consumer to begin with, it's a protection for the holder of the cert (the buyer of the cert). If this new EV SSL is all about ensuring a business's trustworthiness to the consumer, then shouldn't a "verifier" be accountable to the consumer? What, all this for a green shade in the browser address bar? That's it??!!

Questions for Mr. Callan and the "consortium", answers in plain English please, hopefully visible to the web at large, devoid of legalese:

  • So if a phishing site obtains an EV SSL, is the CA (Certificate Authority) liable?
  • Unless the CA is held liable for "malpractice", doesn't the cycle of implied botched verification simply propagate?
  • What is the remaining value of "standard" SSL to the consumer? To the site owner?
  • Why a new product? Can't the standard be addressed during renewal of the "standard" cert?
  • Wasn't this whole concept of validating the SSL applicant part of the original "trusted 3rd party Certificate Authority"? What have these issuers been doing all this time? Wasn't a trusted Certificate Authority supposed to "vouch" for a seal holder? Now we have EV SSL that basically says, "oops, not really?" What value did they have over installing your very own CA (private CA)? Was it simply to provide secure communication? Crapola! It takes about 3 or so clicks in IIS to install a private CA (likely the same for all other platforms), and it is commonly used for internal secure communication, SQL SSL, etc.!
  • And by the way, certs aren't just for server SSL; what are we to make of developer certificates? You know, the ones software makers obtain so that XP "trusts" the source of the program? Was this process also botched by issuers - and are they therefore potentially "dangerous", since the process was "flawed" and any developer can obtain a digital certificate?

Talk about damaging consumer confidence and ecommerce! I think this consortium (The CA/Browser Forum) owes everyone answers. What have you been selling us in the past? Junk?
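As an added illustration of the private-CA point raised above (this is example code written for this page, not code from the post, from VeriSign or from the CA/Browser Forum): a shell script that stands up a throwaway private CA with openssl, issues a server certificate from it, and checks that the certificate verifies only against that CA's own trust anchor. It shows what a private CA buys you, namely encryption and chain verification inside your own trust domain, and what it does not: the certificate's subject says nothing about who the holder is, and nobody outside that domain vouches for it. The CA name, hostname and working directory are constructed for the demo.

```shell
#!/bin/sh
# Added example: a throwaway private CA built with openssl.
# All names and paths below are constructed for the demo.
set -eu

# Scratch directory for keys and certificates (override with WORK=...).
WORK="${WORK:-$(mktemp -d)}"

# Self-signed root: the "trusted third party" here is just ourselves.
make_private_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Internal Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# A second, unrelated self-signed CA: stands in for "somebody else's" trust store.
make_unrelated_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Some Other Root CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
}

# Issue a server certificate for hostname $1, signed by the private CA.
# Only a CN and a subjectAltName are asserted: no organisation, no jurisdiction,
# nothing about who operates the host. That is all a domain-only cert says.
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$1" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    # Modern clients match the subjectAltName, not the CN.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$1" > "$WORK/ext.cnf"
    openssl x509 -req -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$WORK/ext.cnf" -out "$WORK/server.crt" 2>/dev/null
}

# Exit 0 if server.crt chains to the trust anchor file $1, non-zero otherwise.
verify_against() {
    openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# Print the subject of the issued certificate (what the cert actually asserts).
subject_of() {
    openssl x509 -in "$WORK/server.crt" -noout -subject
}

# Walk through the whole flow and report the two verification outcomes.
demo() {
    make_private_ca
    make_unrelated_ca
    issue_server_cert intranet.example.internal
    echo "issued: $(subject_of)"
    if verify_against "$WORK/ca.crt"; then
        echo "verifies against our own private CA: yes"
    fi
    if verify_against "$WORK/other.crt"; then
        echo "verifies against an unrelated CA: yes (unexpected)"
    else
        echo "verifies against an unrelated CA: no (nobody else vouches for it)"
    fi
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh private_ca.sh --demo`. The second verification fails by design: a private CA is perfectly good for the internal uses the post mentions (intranet hosts, SQL over SSL), but a client that has not been told to trust that root gets no assurance at all, which is exactly the gap a public CA is paid to fill.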


1 Comment:

  • Good catch, thanks for hoisting this ugly thing up into daylight.

    By Blogger ankh, at 9:01 PM
