Earlier this week in a press release, VeriSign said that they are selling their SSL certificate business to Symantec. VeriSign is the dominant player in this market, having absorbed competitor Thawte in 1999, and Geotrust in 2006. Three years ago, when VeriSign decided to divest its non-core businesses, they kept the certificate business. So what’s changed?
I don’t have any secret insights into VeriSign’s plans, but there are two separate reasons that the SSL business will never again be the cash cow that it used to be. One is that it’s now clear that there is no hope for stopping the race to the bottom in SSL certificates and prices. When I got my first SSL certificate from Thawte in about 1999, it cost several hundred dollars, I sent them lots of documentation, had lengthy phone calls, and the process took a week or two. The most recent cert I bought, from a Geotrust reseller, cost $12.95, took about 10 minutes, and all they verified was that I could click on a link in an e-mail sent to the postmaster@ the domain of the certificate. The older certificate might have had a better warranty or higher promise of reimbursement for loss, but all I care about is that it makes browsers show a little lock rather than a warning screen, and I expect that’s what 99.9% of the other customers want, too.
A couple of years ago the industry invented Extended Validation certificates, the ones that turn the browser address bar green, basically to roll back the process and prices to what they were in the 1990s. VeriSign’s EV certificate is $995, but the race to the bottom has been even faster there, with GoDaddy now offering them for $99.99. EV certificates still require some amount of manual document inspection, so nobody’s going to make much money at that price.
This sort of price competitive commodity business is exactly the kind that VeriSign does not want to be in. They’ve always sought out businesses where there are few or preferably no competitors, no price competition, and the structure of the business makes it hard for new entrants. This describes their main remaining business, the domain registry for .COM and .NET.
The final nail in the SSL coffin is DNSSEC, cryptographically signed entries in the DNS itself. DNSSEC has been around the corner for about the past decade, but this year is turning that corner, with DNSSEC signing data now available in .ORG and some smaller domains, and scheduled to be added to the DNS root in July. DNSSEC provides a chain of signatures leading back to a known trustworthy signer (VeriSign, in fact, at the DNS root), not unlike the way that SSL works. But DNSSEC doesn’t have a business model, since it will be included with existing domain registrations as registries and registrars upgrade their systems to handle it. There will be a market for DNSSEC provisioning and management tools, but that’s not what VeriSign does except at the very highest end, perhaps selling crypto vaults to other top level domains. The security threats that DNSSEC addresses aren’t exactly the same as the ones that SSL certificates do, but they’re pretty close. So that’s it for VeriSign’s SSL business.
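To make the "chain of signatures back to the root" concrete, here is an added example (not code from the original post) showing how a DNSSEC validator links each zone's key-signing key to the DS record its parent publishes, following the digest construction in RFC 4034 section 5.1.4 and the key tag in RFC 4034 Appendix B. The keys, zone names and DS records below are constructed placeholders; only the DS/DNSKEY linkage is checked, since verifying the RRSIG signatures over each record set needs a public-key library and is the same idea one level down.

```python
import hashlib
import struct


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase
    labels, each prefixed by its length, ending with the empty root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            enc = label.encode("ascii")
            out += bytes([len(enc)]) + enc
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B: 16-bit sum of the RDATA with carry folded in."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = H(owner name in wire form || DNSKEY RDATA), RFC 4034 section 5.1.4.
    digest_type 1 is SHA-1 (RFC 4034), 2 is SHA-256 (RFC 4509)."""
    h = hashlib.sha1() if digest_type == 1 else hashlib.sha256()
    h.update(wire_name(owner) + rdata)
    return h.digest()


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey: bytes, digest_type: int = 2) -> dict:
    """Build the DS record a parent zone would publish for a child's key-signing key."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def validate_chain(trust_anchor: dict, chain: list) -> bool:
    """Walk the delegation chain from the root to the leaf.

    chain is a list of (owner, dnskey_fields, ds_records_for_child) tuples in
    parent-to-child order. The first zone's key must match the trust anchor
    (itself in DS form, as in the IANA root trust anchor file); each later
    zone's key must match a DS record the previous zone published for it."""
    expected = [trust_anchor]
    for owner, (flags, protocol, algorithm, pubkey), child_ds in chain:
        if not flags & 0x0001:            # the ZONE flag must be set on a zone key
            return False
        rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
        tag = key_tag(rdata)
        matched = any(
            ds["key_tag"] == tag
            and ds["algorithm"] == algorithm
            and ds["digest"] == ds_digest(owner, rdata, ds["digest_type"])
            for ds in expected
        )
        if not matched:
            return False
        expected = child_ds
    return True


# Constructed sample keys (placeholders, not real DNSKEY material).
# flags 257 = ZONE (256) | SEP (1), i.e. a key-signing key; algorithm 8 = RSA/SHA-256.
ROOT_KSK = (257, 3, 8, b"constructed-root-ksk-public-key")
ORG_KSK = (257, 3, 8, b"constructed-org-ksk-public-key")
EXAMPLE_KSK = (257, 3, 8, b"constructed-example-org-ksk-public-key")

TRUST_ANCHOR = make_ds(".", *ROOT_KSK)                       # configured in the validator
ROOT_DS_FOR_ORG = [make_ds("org", *ORG_KSK)]                 # published in the root zone
ORG_DS_FOR_EXAMPLE = [make_ds("example.org", *EXAMPLE_KSK)]  # published in the org zone


def demo_valid() -> bool:
    chain = [(".", ROOT_KSK, ROOT_DS_FOR_ORG),
             ("org", ORG_KSK, ORG_DS_FOR_EXAMPLE),
             ("example.org", EXAMPLE_KSK, [])]
    return validate_chain(TRUST_ANCHOR, chain)


def demo_substituted_key() -> bool:
    """A leaf key the parent never vouched for (no matching DS) must fail."""
    rogue = (257, 3, 8, b"constructed-unrelated-key")
    chain = [(".", ROOT_KSK, ROOT_DS_FOR_ORG),
             ("org", ORG_KSK, ORG_DS_FOR_EXAMPLE),
             ("example.org", rogue, [])]
    return validate_chain(TRUST_ANCHOR, chain)


if __name__ == "__main__":
    print("valid chain:", demo_valid())
    print("substituted leaf key:", demo_substituted_key())
```

The point of the walk is that nothing below the root is trusted on its own: a key is accepted only because the zone above it published a matching DS, and that zone's key is accepted for the same reason, all the way up to the one anchor the validator was configured with. That is the structural parallel to a CA chain, and it is also why the missing DS registration path between second-level domains and the gTLDs matters so much in practice.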
The flip side of the coin is why Symantec would want the SSL cert business if VeriSign doesn’t, but that’s pretty clear from the press release. It can be an upsell for the retail security products that Symantec already sells, a place where a $15 cert (with a cost of goods probably about 2 cents) could be a nice incremental line of business.
The SSL business may have issues, but I think those are rather minor compared to the problems the DNS business faces. The core weakness of the DNS business is that the whole thing can evaporate at contract renewal.
GoDaddy should be able to make a good profit on a $99 EV certificate. As with most administrative processes, it gets really cheap when done repeatedly. It is even cheaper if you can decide to only serve a limited number of countries and only accept specific documentation. Setting up to do EV is a fairly significant cost, but once it is done and you have your audit, most of the requests are going to be routine. And renewals are even easier.
DNSSEC could in theory be a threat to the SSL business, but at the moment there is still no plan for getting keys from the second level domains into the gTLD. I can start signing hallambaker.com tomorrow, but the only place I can register my key at the moment is Paul Vixie’s DLV scheme.
This is the hard part of PKI. And the reason I don’t think it very likely that ICANN’s proposal will go anywhere is that the people working on DNSSEC still think that PKI is a 100% scam and that they don’t need to think about any of the practical issues. In fact only about 70% of PKI is a scam. There are things you don’t need, there are things we thought you would need that turn out not to be necessary. But some of the real world issues don’t go away if you ignore them. And one of the big ones is getting your keys into a zone and letting other people rely on them without being sued up the wazoo.
There are real liabilities in operating a PKI which is why PEM failed as an unpaid IANA activity. ICANN is not going to stand behind the DNS root and it is pretty unsure who will. I predict that everyone will try to avoid standing behind any keys and that as a result there will be a signed root, signed second level domains and a gap in the middle that is always about to be filled in if people wait another DNSEXT unit (18 months).
As you point out there is no business model. And in the absence of an actual functional role for DNSSEC there is not really a lot of point in any of the registrars building out infrastructure to support it.
That does not mean that DNSSEC is hopeless, only that it is not going to be deployed through the efforts of the people at ICANN and the rump of VeriSign. The way to build out DNSSEC is through the existing SSL business that has already solved the business and liability issues. In effect a DNSSEC key signing is simply an SSL wildcard certificate.
We could easily build a scheme that makes waiting for ICANN to get its act together unnecessary. Instead of people looking to validate DNS records hooking up to the ICANN root, we reuse the WebTrust infrastructure that already allows for redundant, competitive CA services.
Which contract renewal moment, for which registry, during the past decade, has been even remotely in doubt?
In the past the main argument VeriSign has used is that the bar to servicing the .com contract is so high that there could not possibly be another credible bidder. Which is of course true if you take the view that the only way to manage the registry is as a sole source contract to the incumbent. Of course there really isn't any reason that all the servers servicing .com need to be run by the same contractor. Multiple contractors would increase diversity and improve resilience. Most Tier 1 and Tier 2 carriers could and would opt to service their own .com. All they need is a dynamic DNS feed from an authoritative source. There are two ways in which the .com contract can be made to go poof. The first is that the anti-trust lawsuit succeeds and the guaranteed renewal clause is stripped out. The second is that ICANN abandons the nonsense of the hierarchical registry and starts offering TLDs on an all-comers basis. TLDs would trump .com names any day. If you look into the contract in some detail there is another way to radically change the contract terms. But it requires rather more imagination to spot it than is present in Virginia, I think. Up to now there really hasn't been a constituency that has been concerned enough about VeriSign to want to eliminate it. One of the side effects of the SSL disposal is that they have now set up clear battle lines between themselves and the SSL industry. Only one of the two can survive long term.
The GNSO-VI-Feb10 WG mailing list is public, so I don't need to self-quote.
As policy, it is simply a requirement that a Registry Operator (RO) allow Registrants, and Registrars, to pass through their selection of Registry Service Provider (RSP), a very small wart on EPP, and for Registrars to be able to discover what RSPs exist for a given RO, another very small wart on EPP. We should do this more often.

I am not sure how far this goes. I would think that to be useful Comcast needs all the .com zone or none of it.
What I am proposing is that the 100 or so top global ISPs essentially opt out of the public distribution of .com and the other TLDs in favor of local dynamic update feeds from the authoritative source.
This allows the ISPs to control their own infrastructure and destiny while reducing the critical nature of the public distribution. I am pretty sure that those top 100 ISPs would account for 90%+ of internet traffic and pretty much 100% of critical infrastructure anyone cares about.
Losing a dynamic feed is nowhere near as serious as losing the authoritative resolver. All that happens with a feed outage is that the data being served is stale. The Internet used to work quite well with a 24 hour delay in updates. And in any case, any DoS attack on such a feed would require knowledge of the end points.
People would still care a great deal about keeping the public distribution going, but failure would no longer be an existential threat to the Internet and the incentive to attack would be likewise reduced.
VeriSign has no incentive to support such a proposal because the only way they can justify $6 a name is to make the job as difficult and expensive as possible.