SSL Vendor X, I love thee not

Rule #1 in this girl’s Guide to the Internet is: Never post your home address. Whether you are a 14-year-old in a chat room or a 30-something girl geek registering a domain, it makes sense to keep that information private.

In keeping with that rule, I use my work address when registering my own domains. Other people I know use post office boxes. I do not consider such a thing as bizarre or unexpected behaviour. As long as I can receive postal mail at the specified address, I do believe that I have satisfied the original registration requirement.

Unfortunately, at least one SSL vendor does not agree. I attempted to get a certificate for my domain yesterday, and ran into a wee little roadblock. Sadly, there is no trust relationship between the company that I registered my domain with, and the company I attempted to get a certificate from. The only method that the SSL vendor has instituted to ensure that I own my domain is to demand an exact match of address information between a submitted copy of a real-world credential and the WHOIS database entry for my domain:

Dear Pamela Dingle,

Thanks for writing to us.

We like to inform you that, according to validation we
follow the below process:
1. In order to activate your account, we need any of
the supporting documents exactly to match with the
account details.

2. And for issuing certificate, we need the account
details to match with whois.

Alternatively, you can change your account details for
which you can provide the documents.

We look forward to your response.

As it is highly unlikely that I will be able to produce a copy of an “official” document containing my work address, the only alternative that the SSL company is willing to entertain is for me to update my WHOIS information with my home address, so that it matches my driver’s license. I consider that unacceptable, and I think it is a perfect example of users being railroaded into placing more information than they want into the public domain. Yes, I could temporarily change my information to my home address to get the cert and change it back. Yes, I could probably get my company to request the certificate, because we’re a small company and because I have a nice boss. That isn’t the point.

The point is that most people will do what the vendor asks, because they are being held hostage. They want SSL. They are told they have no other options. It is easier to accommodate under duress, than to stand up and say no.

I think that there are other options. The goal shouldn’t be to prove where I live, but to prove that I have control over the domain. I could, for example, change my WHOIS data to say “SSL VENDOR X SUX”. Besides making me feel better, I think it would prove some measure of control over my domain, but just in case, I could set it to a mutually agreed upon string. That would be a lot tougher to spoof than oh, say a photoshopped driver’s license, yes? Ideally, wouldn’t it be great if the SSL company could receive an assertion from the company I registered my domain with, attesting to the fact that I own the domain? I’d like to see that happen.

Until then, SSL Vendor X can stuff it, and I will try and find a vendor who will take my money and treat information I wish not to disclose with a little more respect. Wish me luck.
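
The “mutually agreed upon string” idea from the post, shown as an added example (not part of the original post and not any vendor’s actual process): the issuer mints a random string, the applicant publishes it in a WHOIS registrant field, and the issuer checks the record for that domain. The function names, the allowed field list, the `dcv-` prefix and the three-day lifetime are assumptions, and the WHOIS record is constructed sample text.

```python
import hmac
import secrets
import time

CHALLENGE_TTL = 3 * 24 * 3600  # assumption: a challenge is valid for three days
# Assumption: only these registrant-editable fields may carry the challenge.
ALLOWED_FIELDS = {"registrant organization", "registrant street"}

def issue_challenge(domain, now=None):
    """Issuer side: mint an unguessable string for the applicant to publish."""
    now = time.time() if now is None else now
    return {"domain": domain.lower().rstrip("."),
            "token": "dcv-" + secrets.token_hex(16),
            "expires": now + CHALLENGE_TTL}

def parse_whois(text):
    """Turn 'Key: Value' lines into (lowercased key, value) pairs."""
    fields = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and not line.lstrip().startswith(("%", "#")):
            fields.append((key.strip().lower(), value.strip()))
    return fields

def verify_control(challenge, whois_text, now=None):
    """Return (ok, reason). Proves control of the record, not a postal address."""
    now = time.time() if now is None else now
    if now > challenge["expires"]:
        return False, "challenge expired"
    fields = parse_whois(whois_text)
    names = [v.lower().rstrip(".") for k, v in fields if k == "domain name"]
    if names != [challenge["domain"]]:
        return False, "record is for a different domain"
    token = challenge["token"].encode()
    for key, value in fields:
        # Exact, constant-time match in a registrant field only.
        if key in ALLOWED_FIELDS and hmac.compare_digest(value.encode(), token):
            return True, "token found in " + key
    return False, "token not published"

# Constructed sample record (example.com is a reserved documentation domain).
SAMPLE_WHOIS = """Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Registrant Organization: {token}
Registrant Country: CA
Name Server: NS1.EXAMPLE.COM
"""
```

The check never looks at a street address or an identity document: it only asks whether the applicant could change the record for the domain being certified.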

3 thoughts on “SSL Vendor X, I love thee not”

  1. What manner of ‘official document’/‘real-world credential’ is the SSL issuer looking for with the matching address?
    (For example, you mention a driver’s license, but it’s likely that a large business with a domain would have the business’ mailing address be on the WHOIS record, but the business’ employees would not have the company address on their driver’s license). Does your city or county government have a DBA registration database?

  2. Hi Mark!

    Businesses have to go through a different (but equally annoying) set of hoops. They have to provide articles of incorporation, DUNS numbers, things like that. I have run into issues before applying for company certificates, where we forgot to update our WHOIS record when we moved – we failed our ‘automatic’ validation because the address we wrote on our CSR didn’t match with the WHOIS database. Come to think of it, that was the same SSL company… :)

  3. Yep it sometimes seems strange to me that it can (for some issuers) even be easier for a one-person business to get an SSL certificate for a domain as a business than that individual to get an SSL certificate for a domain as an individual, as the business gives a layer of ‘indirection’, a persona for the individual that’s at least partially under the individual’s control. For while governments tend to frown on individuals having multiple copies of a personal credential (such as not wanting citizens to have multiple passports or driver’s licenses simultaneously valid) or with different attributes, they seem to be happy with individuals creating as many businesses as they desire. Let us know when you find a vendor willing to work with you in issuing you an SSL cert.
