(sorry if this ends up on the list twice -- i think the un-edited version may have been stopped by the guards)
Sorry if the following sounds a little defensive....but I feel the need to defend our product offering. I have not seen wholesale pricing on the GeoTrust e-business ID that is less than what we are offering on a per certificate basis. Until about a month ago I stated that if a certificate issue took longer than 24 hours, let me/Entrust know because something must be holding it up and we could easily investigate. Changes in the back-end resulted in a temporary slowdown. We should now be back to previous turn-around times and shortly they are to be much improved. The added product you mention "True-site" is, in my opinion, currently valueless. It is even another level of abstraction from the lock on the browser (which we have already acknowledged that few people click-on or even understand in full). This is not to say that it will not become valuable in the future but it will require wide adoption (classic network effect) and an end-user marketing/educational campaign. In other words, by using the True-site product presently you are adding more value to GeoTrust than they are adding for your web-site....this is not a slag, it is just my present perception of the world...If 'True-site' catches on that value prop could change. In fact, maybe they will be successful in setting themselves up as the Better Business Bureau of the Internet and then the value of the True Site product would truly be $79 or more. At present however it is not. Lastly...and this criticism did p**s me off... in your first e-mail you suggested we hide the price because we are embarrased by it -- "Sorry but $99 as the wholesale price of a cert is not a good deal. Which is probably why you hide the price till the very bottom of the reseller agreement" and then in your next e-mail you praised GeoTrust for not publishing their prices -- "Plus my clients do not know how much I paid for the cert with GeoTrust while with Tucows everybody knows the reseller paid $99." The reason the price is not evident is so that only resellers or the most curious of curious end-users would find it. We actually debated this quite a bit and decided that by just putting it in the reseller agreement we would capture the appropriate balance between being open and yet protecting our resellers retail pricing practices.... i don't mind the warranted criticisms but b**chin' at me for being outside and then b**chin' at me for bein' in just burns my butt...(i mean that in the good natured spirit of debate -- but i am a little distressed). Regards Darryl Green [EMAIL PROTECTED] Tucows Inc. Phone:(416)538-5461 Fax: (416)-531-5584 96 Mowat Avenue Toronto Ontario M6K 3M1 > -----Original Message----- > From: ezgoing8 [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, December 19, 2001 7:38 PM > To: Darryl Green; [EMAIL PROTECTED] > Subject: Re: Digital Certificates > > > I'm not talking about the QuickSSL. > > I am talking about the GeoTrust eBusiness ID. While the retail price of > this is $175, the reseller price is less than the $99 that you > ask from your > resellers. Plus eBusiness ID gives the cert plus the TrueSite identify > emblem, as you are aware. > > Much better product and mark up than you offer. As a reseller I can sell > eBusiness ID and more than double my money if I sell for the posted retail > price or I can offer it for less than the posted price and still make more > money than what I can from your cert. Plus my clients do not > know how much > I paid for the cert with GeoTrust while with Tucows everybody knows the > reseller paid $99. > > Plus I can get the eBusiness ID within 24 hours and it only requires the > same level of proof that Thawtes requires. None of this nonsense about > sworn statements that I am an employee, etc. > > > The comparable certificate offering from Geo-Trust (full authentication > and > > 98% browser recognition) is their e-business id which they > retail for $175 > > (packaged with another one of their services). > > > > That's why i said "for those applications that require full > identification > > we now > > have the cheapest solution on the market"...and i stand behind it... > > I wouldn't stand too far behind your statement, as it is false, > as I am sure > you are aware. I am sure that you could get the package for the resellers > for even less than we pay, given the difference in volume. And > we pay less > than the $99 that you require for your cert, so it's obvious you > are not the > cheapest solution on the market for your resellers or for that > matter, even > for your reseller clients, as I can sell the eBusiness ID for > less than $99 > the resellers pay for your cert and still make a profit if I was that > foolish. > > And as you point out, you get two products for less than the price you are > asking for just the cert. > > > ----- Original Message ----- > From: "Darryl Green" <[EMAIL PROTECTED]> > To: "ezgoing8" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> > Sent: Wednesday, December 19, 2001 1:21 PM > Subject: RE: Digital Certificates > > > > Not true.... > > > > 1) The GeoTrust quickSSL offering does lesser identity verification. In > > fact, from there own Certificate Practice Statement it reads that the > > Organizational Unit is not Validated. Given that the > verification process > on > > the traditional certificate makes up the bulk of the cost > (faxes back and > > forth -- making sure that the Incorporation Documents and the > whois record > > match -- very labour intensive) this gives these certifcates an inherent > > cost advantage. The price to be paid for that efficiency is > less certainty > > around identity (If I have phony whois info with an anonymous e-mail > address > > I can get a certificate for that domain, if there is then any > trouble with > > the information collected using that certificate at that > domain, there is > > not necessarily any easy way to track down my identity -- Conversely, if > > full authentication is done I would have to send in my incorporation > > documents or a copy of my passport, thereby resulting in > greater certainty > > about my identity if something untoward should be done with the data > > collected at my site). > > > > This lessened-certainty is sacrilege among the big security > players in the > > industry. Hard to say how much of this is righteous indignation and how > much > > of this is blatant self-interest. In any event it has become clear to me > > that some of our resellers are not fussed by this lessened > > certainty/security certificate. It is up to you to decide for your > > applications whether you and your customers are willing to accept this > > lowered level of authentication. > > > > 2) The quickSSL certificate has a claimed 90% browser > recognition, i think > > it is lower but, in any event, is not 99% browser recognition. > > > > The comparable certificate offering from Geo-Trust (full authentication > and > > 98% browser recognition) is their e-business id which they > retail for $175 > > (packaged with another one of their services). > > > > That's why i said "for those applications that require full > identification > > we now > > have the cheapest solution on the market"...and i stand behind it... > > > > Regards > > Darryl Green > > [EMAIL PROTECTED] > > Tucows Inc. > > Phone:(416)538-5461 > > Fax: (416)-531-5584 > > 96 Mowat Avenue > > Toronto Ontario > > M6K 3M1 > > > > > > > > > > > > > > > > > -----Original Message----- > > > From: ezgoing8 [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, December 19, 2001 5:13 PM > > > To: Darryl Green; [EMAIL PROTECTED] > > > Subject: Re: Digital Certificates > > > > > > > > > While I would not challenge most of what you say, the simple truth is > that > > > you do not have the cheapest solution on the market for your > > > resellers. End > > > users, maybe. Resellers, no. > > > > > > Just sign on as a Geotrust reseller and you are provided lower prices > that > > > what Tucows offers, with less hassle in securing the cert. That > includes > > > the full cert, not just the quick cert. > > > > > > Sorry but $99 as the wholesale price of a cert is not a good deal. > Which > > > is probably why you hide the price till the very bottom of > the reseller > > > agreement. > > > > > > > > > > > > > > > ----- Original Message ----- > > > From: "Darryl Green" <[EMAIL PROTECTED]> > > > To: <[EMAIL PROTECTED]> > > > Sent: Wednesday, December 19, 2001 10:47 AM > > > Subject: FW: Digital Certificates > > > > > > > > > > Point taken.... > > > > > > > > I am working on a "Real" answer.. This is one of the reasons I > > > have been a > > > > little quieter on the list these days. > > > > > > > > It became clear from our discussions a couple of weeks ago that, at > > > best -- > > > > the 'identity' component of the certificate is not as > critical to you > as > > > the > > > > incumbent market leading Certificate Authorities would have us > > > believe and > > > > at worst, the whole idea of web certificates is an inadequate > > > solution to > > > > the problem they are intended to solve (namely non-repudiation of > > > commercial > > > > transactions). > > > > > > > > I was particularly moved by the observation that it is really > > > the merchant > > > > that is taking the risk of repudiation -- this is true. For credit > card > > > > transactions the provider of the payment gateway/merchant account is > > > trusted > > > > third party enough for the purposes of non-repudiation -- > leaving the > > > value > > > > of a web-certificate only in the encryption component. Personal > identity > > > > that would benefit the merchant is accomplished through personal > > > > certificates and e-commerce merchants have thus-far chosen to accept > the > > > > risk of not requiring them and/or verifying identity in off-line > methods > > > > (only shipping to the same address as listed on the credit card, > phoning > > > the > > > > listed phone number on the credit card etc.). > > > > > > > > However, without the identity component the end-user is not > protected > > > > against fraudulent collection of information from an > imposter (I have > > > posted > > > > an article from today's Wall Street Journal below -- it shows a > > > situation > > > in > > > > which a fraud would have been prevented if users demanded a properly > > > > authenticated certificate -- ultimately that may have been what > > > tipped the > > > > users off in the first place -- spelling errors and healthy > scepticism > > > were > > > > noted in the article). This is of greater concern for some > applications > > > > than others. The message I clearly received from our discussion is > that > > > you > > > > do not feel you need full identity verification for all > > > applications. Just > > > > as long as the browser error message is avoided. > > > > > > > > As stated before, I am working on a "Real" answer to your > > > concerns. In the > > > > mean-time, for those applications that require full > > > identification we now > > > > have the cheapest solution on the market and you should find the > > > > verification process running smoothly. If you don't you can let me > know > > > > immediately and we will get it sorted out. Given some of > the troubles > in > > > the > > > > last month we are on high alert right now to ensure that > > > verification runs > > > > as smoothly and smoother than it did previously. > > > > > > > > Regards > > > > Darryl Green > > > > [EMAIL PROTECTED] > > > > Tucows Inc. > > > > Phone:(416)538-5461 > > > > Fax: (416)-531-5584 > > > > 96 Mowat Avenue > > > > Toronto Ontario > > > > M6K 3M1 > > > > > > > > > > > > > > > > 'Spoofer' Tries Unsuccessfully to Snag > > > > Credit-Card Numbers of PayPal Users > > > > By STEPHANIE MILES and STACY FORSTER > > > > THE WALL STREET JOURNAL ONLINE > > > > > > > > Ben Cichanowicz received an e-mail Monday evening purporting to be > from > > > > online payment service PayPal Inc. The note promised a $5 credit to > his > > > > account if he visited Paypal-Secure.com and updated his account > > > information, > > > > including his credit-card number. "All you have to do to > claim your $5 > > > gift > > > > from is update your information on our secure Pay Pal site," the > e-mail > > > > claimed. > > > > While the e-mail had a PayPal return address, the Web site didn't > quite > > > look > > > > right. Mr. Cichanowicz, a systems administrator in Lexington, > > > Ky., quickly > > > > suspected fraud. He and his wife were tipped off by several spelling > > > errors, > > > > as well as by the fact that the site was missing security > > > information, he > > > > said. "This was the first thing that caught our attention," he said. > > > > Indeed, PayPal-Secure.com was a "spoof" site -- a > fraudulent Web page > > > > designed to trick PayPal users into giving up their credit-card and > > > personal > > > > information. Mr. Cichanowicz, along with other recipients of the > e-mail, > > > > alerted PayPal about the existence of the site. PayPal then asked > > > > DigitalSpace.net, the company hosting the site, to shut > down the site, > > > which > > > > it did. DigitalSpace said it is company policy to shut down > sites when > > > > alerted of possible fraud. > > > > The PayPal-Secure incident is a twist on an old con. For > years, giant > > > > America Online has warned users not to give out passwords > or personal > > > > information, and online investors know to carefully check their news > > > sources > > > > after fake articles buffeted stocks in several incidents. > > > > This isn't the first time PayPal (www.paypal.com), of Palo Alto, > Calif., > > > has > > > > been targeted by a spoof site. Last year, a site called > > > PayPai.com was set > > > > up with the intent of stealing user names and passwords > from users who > > > typed > > > > the Web address by mistake. > > > > With spoofers, companies "can't control that they're under attack," > said > > > > Avivah Litan, vice president of financial services for technology > > > consulting > > > > and research firm Gartner Inc. "There's nothing you can do > > > about it except > > > > educate consumers." > > > > "There's all types of scams and fraud that people try to pull in the > > > online > > > > world -- just as they do in the offline world," said Vince Solitto, > > > > spokesman for PayPal. PayPal was alerted by a "few" customers about > the > > > > site, Mr. Solitto said, declining to specify how many people > > > contacted the > > > > company or received the e-mail message. He speculated that the > > > PayPal-Secure > > > > entity probably sent out e-mail messages haphazardly to millions of > > > people, > > > > hoping to hit some PayPal users. He added that there had been no > > > indication > > > > that the PayPal network had been hacked or broken into. > > > > > > > > Image of "spoof" PayPal site > > > > According to domain-name registration records at VeriSign Inc., the > > > > PayPal-Secure.com address is registered to an entity called > > > PayPalSecure. > > > > The record lists a phony phone number and address for the > > > company. PayPal > > > > said it could subpoena the account information for the site from > > > > DigitalSpace.net, but that information would most likely be > > > faked as well. > > > > "One of the problems with the Net is that it's easy to dummy > > > something up > > > to > > > > look like a legitimate entity, and you might have to click > > > through further > > > > to ensure that it is the place that you think you are > visiting," said > > > Susan > > > > Grant, director of the Internet Fraud Watch for the > National Consumers > > > > League. These types of scams make it harder for legitimate companies > to > > > gain > > > > users' confidence, she added. > > > > PayPal does warn its customers about fraud and says it is vigilant > about > > > > protecting its users. The company says its customers are safe > > > because they > > > > are reimbursed -- either by PayPal or by their credit-card company, > > > > depending on the situation -- for any fraudulent charges to > > > their account. > > > > Online Service PayPal Sets Range for Its Proposed IPO (Dec. 14) > > > > The PayPal-Secure scam played on PayPal's earlier viral marketing > > > campaign, > > > > which helped to fuel its exponential growth. The company, which > launched > > > in > > > > October 1999, had 10.6 million accounts as of Sept. 30, 2001, and > > > processes > > > > an average of 171,000 payments per day totaling $8.5 > million in daily > > > > volume, according to the company. During its early days, PayPal > > > would give > > > > $10 to any user who signed up a friend, and gave the friend > $10, too. > > > > PayPal still provides some bonuses, but the requirements for > > > receiving one > > > > have become much stricter. Now, according to the PayPal Web site, > > > customers > > > > must verify their account with a credit card, deposit $250 and > > > sign up for > > > a > > > > money-market account to receive the new account bonus. > > > > The attack comes at an inopportune time for PayPal, which last week > set > > > the > > > > range for its proposed initial public offering. The company > is already > > > under > > > > scrutiny from investors nervous about its exposure to liability from > > > > credit-card fraud, in part because PayPal promises to reimburse any > > > customer > > > > whose credit card or account is fraudulently used. PayPal is used > > > primarily > > > > by users of eBay Inc. and other auctions to process payments for > online > > > > transactions. > > > > In the past, customers have complained to the Better Business Bureau > and > > > > Federal Trade Commission about PayPal's fraud protections. Over the > last > > > > year, however, the company has aggressively worked to combat > credit-card > > > > fraud at the site. "They have very good fraud protection," said > > > Gartner's > > > > Ms. Litan. PayPal's fraud rates are better than average, with > > > about 0.87 % > > > > of its sales lost to fraud, according to its SEC filing. > > > > Neither PayPal nor Digital Space said they notified law enforcement > > > > authorities after PayPal-Secure.com was taken offline. "We certainly > > > > wouldn't bother the FBI about it," said Mr. Solitto, who called the > > > "spoof" > > > > category of fraud "not particularly novel or sophisticated." > > > > PayPal said it hasn't received any reports from customers who were > > > actually > > > > tricked into entering their personal information. Mr. > > > Cichanowicz, for his > > > > part, said he didn't give up any account information, but is still > > > disturbed > > > > that he was targeted for fraud. "This is a terrible time for > > > unsuspecting > > > > people to be had by this, especially so close to the holidays," he > said. > > > > > > > > > > > > -----Original Message----- > > > > From: [EMAIL PROTECTED] > > > > [mailto:[EMAIL PROTECTED]]On Behalf Of Mike Allen > > > > Sent: Wednesday, December 19, 2001 11:14 AM > > > > To: Matthew Feinberg > > > > Cc: [EMAIL PROTECTED] > > > > Subject: Re: Digital Certificates > > > > > > > > > > > > That's why I am REALLY considering, and more than likely > > > signing up today. > > > > It has been a week with no "Real" answers from OpenSRS. Just a > statement > > > > saying they are working with EnTrust with a new procedure.. > > > > > > > > Mike Allen, 4CheapDomains.Net > > > > [EMAIL PROTECTED] > > > > http://www.4CheapDomains.Net > > > > (812) 275-8425 - Office > > > > (815) 364-1278 - Fax > > > > ----- Original Message ----- > > > > From: Matthew Feinberg > > > > To: 'Mike Allen' ; [EMAIL PROTECTED] > > > > Sent: Wednesday, December 19, 2001 10:55 AM > > > > Subject: RE: Digital Certificates > > > > > > > > > > > > I have already switched over to Entrust and it it going well. > > > > I could no longer spend 5 to 8 hours of time on SSL Cert issue > > > per Cert to > > > > only make $25. > > > > > > > > Entrust, never once delivered a certificate without us chasing them > > > around. > > > > 1 customer took 4 weeks to get the Cert... Terrible! > > > > > > > > Matthew > > > > -----Original Message----- > > > > From: [EMAIL PROTECTED] > > > > [mailto:[EMAIL PROTECTED]]On Behalf Of Mike Allen > > > > Sent: Tuesday, December 18, 2001 4:06 PM > > > > To: [EMAIL PROTECTED] > > > > Subject: Digital Certificates > > > > > > > > > > > > Hi Guys... About this digital certificate thing and our current > > > problems... > > > > If open SRS is going to fix things, it better be fast. GeoTrust just > > > > contacted me and they are making us a very sweet offer for > re-selling. > > > > Chuck, you may even want to re-consider the prices for these > > > certificates > > > > and maybe offer also the QuickSSL with a GOOD price... > > > > > > > > Mike Allen, 4CheapDomains.Net > > > > [EMAIL PROTECTED] > > > > http://www.4CheapDomains.Net > > > > (812) 275-8425 - Office > > > > (815) 364-1278 - Fax > > > > > > > > > > > > > > > > > >
