
128-bit SSL Global Server IDs: Frequently Asked Questions

This document answers many of the most common questions about SafeScrypt's 128-bit
SSL Global Server IDs, included with Secure Site Pro and Commerce Site Pro
Services. For general information about SafeScrypt's 40-bit Secure Server IDs,
see Secure Site Solutions: Frequently Asked Questions.

VeriSign 128-bit Global Server IDs: The Basics
What are VeriSign 128-bit SSL Global Server IDs?
What are VeriSign Secure Site Pro and Commerce Site Pro Services?
What is the difference between a VeriSign 40-bit Secure Server ID and a VeriSign
128-bit Global Server ID?
What is the difference between Secure Site Services and Commerce Site Services?
Why do I need a 128-bit Global Server ID?
How can I put a VeriSign logo on my site to tell my customers the site uses a
128-bit SSL Global Server ID?
Can I try 128-bit Global Server IDs before purchasing?

How 128-bit SSL Global Server IDs Work
What is "strong encryption"?
How do 128-bit SSL Global Server IDs protect transactions?
What Web server software works with 128-bit SSL Global Server IDs?
What Web browsers are compatible with 128-bit SSL Global Server IDs?
What if visitors to my site are not using a compatible Web browser?
What is Server Gated Cryptography (SGC)? What is the relationship between SGC and
128-bit SSL Global Server IDs?

How to Qualify to Purchase 128-bit SSL Global Server IDs with Secure Site Pro or
Commerce Site Pro
Why must my organization qualify to purchase a 128-bit SSL Global Server ID?
What categories of customers may obtain a 128-bit SSL Global Server ID for their
sites?
Are there any countries in which 128-bit Global Server IDs may not be used?

How to Enroll for and Purchase 128-bit SSL Global Server IDs
What information must a foreign organization submit to SafeScrypt to get a Secure
Site Pro or Commerce Site Pro service with a 128-bit SSL Global Server ID?
What information must a U.S. company submit to SafeScrypt to obtain a 128-bit SSL
Global Server ID?
Must customers submit information to any U.S. government agencies?
How long will it take for SafeScrypt to issue the 128-bit Global Server ID included
with Secure Site Pro or Commerce Site Pro after all the necessary information
has been submitted?
What if I already have a VeriSign 40-bit SSL Secure Server ID (included with Secure
Site and Commerce Site)? Can I upgrade to a 128-bit SSL Global Server ID?
--------------------------------------------------------------------------------
VeriSign 128-bit SSL Global Server IDs: The Basics
--------------------------------------------------------------------------------
Q. What are VeriSign 128-bit SSL Global Server IDs?

128-bit SSL Global Server IDs are a form of Digital ID, the electronic counterpart
to driver's licenses, passports, and business licenses. You can present a Digital
ID electronically to prove your identity or your right to access information or
services online. VeriSign 128-bit SSL Global Server IDs enable your site to
conduct authenticated, strongly encrypted on-line commerce. Customers will be
able to submit credit card numbers or other personal information to your site
with the assurance that they are doing business with you (not an impostor's
"spoof" of your site) and that the information which they are sending
to you cannot be intercepted or decrypted by anyone else.

Technically, Digital IDs, also known as digital certificates, bind the identity of
your organization to a pair of electronic keys that can be used to encrypt and sign
digital information. A Digital ID makes it possible to verify someone's claim
that they have the right to use a given key, helping to prevent people from
using phony keys to impersonate other users. Used in conjunction with encryption,
Digital IDs provide a complete security solution, assuring the identity of one
or all parties involved in a transaction.

A Digital ID is issued by a trusted third party called a Certification Authority
(CA) - in this case, SafeScrypt. CAs establish the identity of the people or
organizations to which they issue Digital IDs. Once a CA has established an
organization's identity, it issues a certificate that contains that
organization's public key.
--------------------------------
Q. What are VeriSign Secure Site Pro and Commerce Site Pro Services?

Secure Site Pro and Commerce Site Pro services, part of VeriSign's family of Site
Trust services, include a digital certificate, or 128-bit SSL Global Server ID,
which enables your Web site customers to verify your site's authenticity and to
communicate with it securely via state-of-the-art SSL encryption, which
protects confidential information - such as credit card numbers, online forms,
and financial data - from interception and hacking. Your Web server software
and all the leading Web browsers are already enabled for SSL: all you need is a
128-bit SSL Global Server ID to take advantage of it. In addition to Global
Server IDs, VeriSign Site services offer you a set of additional features and
benefits that help you secure your site:

Authentication: VeriSign's thorough process of verifying the identities of its
Server ID services customers means that your e-commerce site can offer visitors
the ultimate in credibility.

VeriSign Secure Site Seal: Display the most widely recognized trust brand on your
site to give your customers the confidence to communicate and transact business
with you.

NetSure: For your peace of mind, Secure Site Services are backed by up to $250,000
of NetSure protection, an extended warranty program that protects you against
economic loss resulting from the theft, corruption, impersonation, or loss of
use of a certificate.

Training Discount: VeriSign's training programs help you stay on top of the latest
Web site security techniques to keep your site as safe as possible.

Network Solutions dotcom Directory Listing: Show users of this leading site
directory that your site is secured for e-commerce by VeriSign trust services.

Free 30-Day Server ID Revocation and Replacement: Conveniently replace your ID at
no extra charge.

Keynote Perspective Web Site Performance Measurement Service: Included with Secure
Site Pro. Measure and optimize your site's performance to maximize customer
satisfaction with the global, real-time Keynote Perspective service.

Qualys Network Security Auditing Service: Included with Secure Site Pro and
Commerce Site Pro. Protect your network from hackers by scanning it regularly to
identify its vulnerabilities.

Netcraft E-Commerce Security Analysis: Maximize site security for the most
trustworthy user experience.

Two-Day Turnaround of Server ID Delivery: Get Server IDs up and running on your
site as fast as possible.

Payflow Pro Online Payment Management Service: Included with Commerce Site Pro.
Securely accept and process credit card, debit card, purchase card, and
electronic check payments.
--------------------------------
Q. What is the difference between a VeriSign 40-bit SSL Secure Server ID and a
128-bit SSL Global Server ID?

The primary difference between the two types of VeriSign Server IDs is the
strength of the SSL session that each enables. Secure Sockets Layer (SSL)
technology is the industry-standard method for protecting Web communications
developed by Netscape Communications Corporation. The SSL security protocol
provides data encryption, server authentication, message integrity, and optional
client authentication for a TCP/IP connection. Because SSL is built into all major
browsers and Web servers, simply installing a digital certificate turns on
their SSL capabilities.

SSL comes in two strengths, 40-bit and 128-bit, which refer to the length of the
"session key" generated by every encrypted transaction. The longer
the key, the more difficult it is to break the encryption code. Most browsers
support 40-bit SSL sessions, and the latest browsers enable users to encrypt
transactions in 128-bit sessions - trillions of times stronger than 40-bit
sessions.

Secure Site Pro and Commerce Site Pro solutions include 128-bit SSL Global Server
IDs, which enable 128-bit SSL encryption - the world's strongest - with both
domestic and export versions of Microsoft® and Netscape® browsers. (Most people
in the U.S. use export-version browsers).

Secure Site and Commerce Site solutions include 40-bit SSL Secure Server IDs,
which enable industry-standard 40-bit SSL when communicating with export-version
Netscape and Microsoft Internet Explorer browsers, and 128-bit SSL encryption
when communicating with domestic-version Microsoft and Netscape browsers.

Another key difference between 128-bit SSL Global Server IDs and 40-bit SSL Secure
Server IDs is the number of server platforms that support them. Global Server
IDs are supported by many major platforms, while Secure Server IDs are
supported by a much longer, more comprehensive list of platforms.
--------------------------------
Q. What is the difference between Secure Site Services and Commerce Site Services?

The main difference between the two groups of Site Services is the inclusion of
Payment Services.

Commerce Site Services, exclusively from VeriSign, are complete, integrated
solutions that are ideal for e-merchants and online stores.

Commerce Site includes a 40-bit SSL (Secure Server) ID and VeriSign Payflow Pro
online payment management service, plus an array of additional value-added
services.

Commerce Site Pro includes a 128-bit SSL (Global Server) ID, VeriSign Payflow Pro,
and value-added services.

Secure Site Services are best for intranets, extranets, and Web sites that require
the leading SSL certificates and Web site services.

Secure Site includes a 40-bit SSL (Secure Server) ID, plus additional value-added
services.

Secure Site Pro includes a 128-bit SSL (Global Server) ID and value-added services.

VeriSign Payflow Pro, included with Commerce Site and Commerce Site Pro, takes the
headache out of payment processing with services designed especially to help
Web merchants securely accept and process credit card, debit card, purchase
card, and electronic check payments. Payflow Pro is the most robust, versatile
solution for online payment processing - ideal for large-scale e-commerce
merchants that require peak performance and complete customizability.

Payflow Pro enables payment processing through a small SSL TCP/IP-enabled client
that controls communications between merchants' applications and the Payflow
platform. Designed for scalability and reliability, Payflow Pro creates a
dedicated SSL TCP/IP level communication thread for each transaction between
the client and the server. Payflow Pro is downloadable as a Software
Development Kit (SDK) or comes pre-integrated with most shopping carts and
e-commerce platforms. Up to 5,000 transactions per month are included.
--------------------------------
Q. Why do I need a 128-bit SSL Global Server ID?

As an e-commerce business, you must deliver the highest levels of trust and
security so your customers can be certain that your site is real, and that the
information they send you via their Web browsers stays private.

To deliver the world's highest level of trust, SafeScrypt authenticates your
organization, enabling end users to verify your site and communicate via
state-of-the-art SSL or WTLS encryption. This protects confidential information
- such as credit card numbers, online forms, and financial data - from
interception and hacking. VeriSign is also one of the world's only providers of
128-bit, strong-encryption certificates. And with payment management services,
you can easily set up your site's back end to handle e-commerce transactions.
With our Secure Site Pro and Commerce Site Pro solutions, you can be confident
that your customers are enjoying the same level of trust and security used by
all of the Top 40 sites and Fortune 500 companies worldwide.
--------------------------------
Q. How can I put a VeriSign logo on my site to tell my customers the site uses a
128-bit SSL Global Server ID?

The VeriSign Secure Site Seal, included with every Site Trust solution, is designed
for you to display on your site as a symbol of security and trust, encouraging
customers to confidently provide you with credit card numbers and other
sensitive information. When you purchase a Secure Site or Commerce Site
solution, the Secure Site Seal is sent automatically to the technical contact
you provide as part of the enrollment process, 24 hours after your ID is
issued.

When you post the Seal on your home page, security/privacy policy page, or
transaction pages, you connect it to your Server ID. When visitors click on the
Seal, they instantly link to a dynamic pop-up screen of information about your
Server ID, assuring them that transactions with your site are encrypted by SSL,
and allowing them to verify your site's identity and check your ID status in
real time.
--------------------------------
Q. Can I try 128-bit SSL Global Server IDs before purchasing?

Although the 128-bit Global Server ID included with Secure Site Pro and Commerce
Site Pro Services is not available in a trial version, you can test SSL on your Web
server by trying a 40-bit Secure Server ID, free, for 14 days.
--------------------------------
--------------------------------------------------------------------------------
How VeriSign 128-bit SSL Global Server IDs Work
--------------------------------------------------------------------------------
Q. What is "strong encryption"?

"Strong encryption" refers to the technology that the 128-bit SSL Global Server
IDs included with Secure Site Pro and Commerce Site Pro solutions use to secure
online communications. Global Server IDs enable the negotiation of SSL or TLS
sessions using "strong" 128-bit RC2 or RC4 encryption.

SSL is the industry-standard method developed by Netscape Communications
Corporation for protecting Web communications. The SSL security protocol
provides data encryption, server authentication, message integrity, and
optional client authentication for a TCP/IP connection. SSL comes in two
strengths, 40-bit and 128-bit, which refer to the length of the "session
key" generated by every encrypted transaction. The longer the key, the
more difficult it is to break the encryption code. Any software with encryption
features having key lengths over 40 bits is considered strong encryption by the
U.S. Government for export purposes.

Most browsers support 40-bit SSL sessions, and the latest browsers enable users to
encrypt transactions in 128-bit sessions. 128-bit encrypted messages are
309,485,009,821,345,068,724,781,056 times harder to break than 40-bit messages.
Thus, it would take the same technology used to crack the RSA 40-bit message 1
trillion x 1 trillion years to crack a 128-bit message. That's several trillion
times longer than the age of the Earth.
--------------------------------
Q. How do 128-bit SSL Global Server IDs protect transactions?

128-bit SSL Server IDs are virtually unforgeable: the cryptographic keys contained
within them are almost unbreakable. SafeScrypt sells Global Server IDs only to
legitimate businesses that are capable of authenticating their identity to
SafeScrypt and of meeting the necessary U.S. government qualifications.
SafeScrypt's thorough authentication procedures help to ensure that 128-bit SSL
Global Server IDs cannot be obtained under false pretenses. And SafeScrypt's
lifecycle services for monitoring the status of Server IDs help you ensure that
you keep your Server ID - and your site's security - up to date.
--------------------------------
Q. What Web server software works with 128-bit SSL Global Server IDs?

The server on which the 128-bit SSL Global Secure Site ID is installed can run
server software from any non-U.S. software vendor, or software from a U.S.
software vendor properly classified by the U.S. Department of Commerce, including:

BEA WebLogic
C2Net Apache Stronghold
Compaq/Tandem iTP Webserver
Covalent
Hewlett Packard Virtual Vault (with Netscape Enterprise)
IBM http Server/Webphone 1.3.3.1 and 1.3.6
Lotus Domino 4.6.2 and later
Microsoft IIS 3.0 and later
Nanoteq Netseq server
Netscape Suite Spot servers, 3.0 or later, including Netscape Enterprise 3.0+ and
Netscape Proxy Server 3.0 or later, 2.0
O'Reilly WebSite Pro 2.5 and up
Tandem
Zeus
--------------------------------
Q. What Web browsers are compatible with 128-bit SSL Global Server IDs?

Customers or users connecting to the Web server should have a compatible client
application to take advantage of the security facilitated by 128-bit SSL Global
Server IDs:

Microsoft Internet Explorer 4.0 or later
Microsoft Internet Explorer 3.02 (Windows NT 4.0+ only) with a special patch or later
Netscape Navigator 4.06 or later
Microsoft Money 98
Intuit Quicken
--------------------------------
Q. What if visitors to my site are not using a compatible Web browser?

They will need to upgrade. Both Microsoft and Netscape make their latest browser
versions available free on their Web sites.
--------------------------------
Q. What is Server Gated Cryptography (SGC)? What is the relationship between SGC
and this program?

Server Gated Cryptography (SGC) is Microsoft's name for the entire set of
technologies that enable strong encryption when an appropriately configured server
encounters an appropriately configured client. Part of the SGC technology
involves the use of special digital certificates by Microsoft IIS servers.
VeriSign's 128-bit SSL Global Server IDs for Microsoft fulfill the role of the
SGC special digital certificates.
--------------------------------
--------------------------------------------------------------------------------
How to Qualify to Purchase 128-bit SSL Global Server IDs with Secure Site Pro or
Commerce Site Pro
--------------------------------------------------------------------------------
The U.S. Government determines the categories of companies that can implement the
powerful encryption technology included with Global Site solutions outside the
U.S. and across U.S. borders. However, new regulations issued by the U.S.
Department of Commerce's Bureau of Export Administration (BXA) make 128-bit SSL
Global Server IDs included with Secure Site Pro or Commerce Site Pro solutions
available to a wider group of customers than ever before. (See the following
question and answer to determine if your organization qualifies to purchase.)
--------------------------------
Q. What categories of customers may obtain a 128-bit SSL Global Server ID for
their sites?

New regulations issued by the U.S. Department of Commerce's Bureau of Export
Administration (BXA) allow any company or organization around the world to
purchase a Global Server ID, with the following exceptions:

Persons listed on the U.S. Government's Denied Persons List

Customers located in the following countries:
Afghanistan (Taliban-controlled areas)
Cuba
Iran
Iraq
Libya
North Korea
Sudan
Syria
--------------------------------
Q. Are there any countries in which 128-bit SSL Global Server IDs may not be used?

Yes: according to U.S. government regulations, customers in the following countries
are not eligible to purchase 128-bit SSL Global Server IDs:

Afghanistan (Taliban-controlled areas)
Cuba
Iran
Iraq
Libya
North Korea
Sudan
Syria
--------------------------------
--------------------------------------------------------------------------------
How to Enroll for and Purchase 128-bit SSL Global Server IDs with Secure Site Pro
or Commerce Site Pro
--------------------------------------------------------------------------------
Q. What information must a foreign organization submit to SafeScrypt to get a
128-bit SSL Global Server ID?

The institution must first register a domain name with InterNIC or appropriate
domain registry. An example domain name would be samplebank.co.uk.

The institution must then generate a Certificate Signing Request using their Web
Server software (Note: please complete steps 1 and 2 of the enrollment process
before generating your CSR). Instructions for generating a CSR are provided in
the SafeScrypt enrollment pages.

The institution must then submit its CSR, along with other information, to
SafeScrypt as part of the 128-bit SSL Global Server ID enrollment process.

As part of the enrollment process, the institution will be asked to provide
information that establishes its corporate identity and that establishes that
the institution is not a Government End User based on the U.S. Commerce
Department definition. For most institutions, the easiest way to do this is to
provide VeriSign with a Dun & Bradstreet D-U-N-S number. Almost all
institutions, foreign and domestic, have a DUNS number. By visiting
www.dnb.com, you can look up your DUNS number. VeriSign's enrollment page, step
2, provides links for looking up DUNS numbers and obtaining free DUNS numbers.

If the organization does not have a valid Dun & Bradstreet DUNS number, you
will be asked to submit documents demonstrating that the organization has been
legally authorized by your state, provincial, or national government to
transact business under the organization name appearing in the ID request.
IMPORTANT NOTE: Documents submitted in lieu of a D&B number must be
translated into English: this will enable VeriSign to process your enrollment
and purchase as quickly and efficiently as possible.

As part of the enrollment process, the institution will be asked to agree to the
SafeScrypt Global Server ID Subscriber Agreement. Among other things, this
agreement is a declaration that you meet the U.S. Commerce Department definitions
of a permitted institution, and that you will not use the Web server software or
the Server ID for illegal purposes.

SafeScrypt will then perform its standard background check to determine that the
institution meets issuance requirements. SafeScrypt will then issue the Global
Server ID.
--------------------------------
Q. What information must a U.S. company submit to VeriSign to obtain a 128-bit SSL
Global Server ID?

The company must first register a domain name with the InterNIC or appropriate
domain registration agency. An example domain name would be verisign.com.

The company must then generate a Certificate Signing Request using their Web server
software (Note: please complete steps 1 and 2 of enrollment before generating
your CSR). Instructions for generating a CSR are provided in the VeriSign
enrollment pages.

The company will submit its CSR, along with other information, to VeriSign as part
of the Global Server ID enrollment process.

As part of the enrollment process, the company will be asked to provide
information that establishes its corporate identity and that establishes that
the company, organization, university, or government institution was formed
within the United States. For most U.S. organizations, the easiest way to do
this is to provide VeriSign with your Dun & Bradstreet D-U-N-S number.
Almost all U.S. companies, universities, and government agencies have a DUNS
number. During enrollment, VeriSign will provide you with an opportunity to
look up your DUNS number or register for one for free. If you do not have a
DUNS number, and do not wish to obtain a DUNS number, you will be asked to
submit documents, such as a business license, articles of incorporation, or SEC
filings, that establish your corporate identity.

As part of the enrollment process, you will be asked to agree to the VeriSign
Global Server ID Subscriber Agreement. Among other things, this agreement is a
declaration that you acknowledge that the use of the Global Server ID is an
export-regulated activity, and that you are responsible for using the Global
Server ID in a manner consistent with applicable U.S. export regulations.

VeriSign will then perform its standard background checks to determine that the
U.S. company meets issuance requirements. VeriSign will then issue the Global
Server ID. No special actions are necessary for any U.S. company to obtain the
necessary server software (see above for a list of acceptable types of server
software). Your end-users can freely download the export versions of the Microsoft
and Netscape browsers, as well as any necessary patches, from the appropriate
Microsoft and Netscape Web sites.
--------------------------------
Q. Must 128-bit SSL Global Site solution customers submit information to any U.S.
government agencies?

No. You simply need to complete the appropriate paperwork with SafeScrypt. VeriSign
and its server partners periodically report to BXA on the distribution of
Global Server IDs under export licenses.
--------------------------------
Q. How long will it take for SafeScrypt to issue the Global Server ID included
with Secure Site Pro or Commerce Site Pro after all the necessary information
has been submitted?

If you submit all the necessary information, your enrollment will take five to
seven working days for customers outside the U.S. and Canada, or two days for
U.S. and Canadian customers. This time is necessary for SafeScrypt to verify
the information you submit, which in turn allows you to assure your customers
that your identity has been thoroughly authenticated.
--------------------------------
Q. What if I already have a VeriSign 40-bit SSL Secure Server ID (included with
Secure Site and Commerce Site Services)? Can I upgrade to a Secure Site Pro or
Commerce Site Pro Service with a 128-bit SSL Global Server ID?

Global Server IDs enable SSL. Therefore, you may replace your existing VeriSign
Secure Server ID with a Global Server ID. Because older browsers are not compatible
with Global Secure Site IDs and SGC technology, many of our customers choose to
maintain two sets of pages: one secured with a regular Secure Site ID, and one
secured with a Global Server ID. (VeriSign does not currently offer a discount
to customers upgrading from Secure Server IDs to Global Server IDs.)
--------------------------------