>We have made a number of modifications to the Web Certificate >registration process in the last while which should streamline >identity verification and certificate issuance (this is not the >end of our efforts so keep the feedback coming).
With that in mind I'd just like to say that while I'm trying really hard to exclusively use, sell and recommend Entrust certs to our customers I'm finding it difficult given the current situation. I really do hope the improvement process is ongoing and meaningful. Emailed support requests to Entrust go unanswered. Period. I had a question regarding a customer who wants a cert to use for his mail server doing TLS. I asked Entrust whether there was anything special or different that needed to be done when generating a key or CSR for such a cert (just checking to be sure), and whether the chain signing issue with Entrust certs would be an issue with customer mail clients when using an Entrust cert under a mail server rather than a web server. Silence of two months despite an autoresponder from Entrust saying they received the support request. (I'm still looking for the answer for that second question, BTW...) I ended up recommending a Thawte cert to the customer. Granted the chain-certificate thing is not that big a deal to put into a web server, but likewise it's just one more thing sysadmins have to deal with. And it makes the certs seem "second-class" to some customers. I always hate explaining why they need another cert (free and simple as it is) just so their purchased cert is recognized and then I have to talk to their hosting company to get them to install the chain-cert .... Until the certs are recognized without a separate chain-cert it's going to be difficult to get them considered on the same level as a Thawte or Verisign cert. The main thing is that if price and functionality are the same (eg, currently Thawte and Entrust are the same price), customers are going to buy the certificates that are easier to obtain, install and manage. Entrust loses on all three of those. There are more hoops to jump through to get the cert (although that's supposedly corrected in this round of improvements). My experience has been they take much longer to receive even when there are no gotchas with the CSR, company names, documents, contacts or anything. Installation requires an extra step for the chain cert (again, no biggy, but it's an issue). I haven't had one come up for renewal yet so we'll see how the new procedure makes it simpler. I believe a new CSR is a good thing for a renewal but, again, it's more work for the sysadmin. It should be an option, not a requirement IMHO. Customers and sysadmins are going to take the path of least cost and least effort if all other factors are equal. It's pretty sad when many of us have to recommend Thawte certs over the ones we are selling just to give our customers the service they require and keep them as customers. If the best thing we can say about our certs is "We're not Verisign." then we don't have much of a selling point... Just my .02. Todd
