Symantec SSL Authentication Procedures: Short-Term Pain for Long-Term Gain
Stefano Rebulla, Senior Account Manager – Continental Europe
On a regular basis questions arise such as: “Why are your authentication procedures so complicated? Why is it so difficult to get my certificate or account vetted?”
These are questions that I’ve heard quite a few times, having been in a sales role at Symantec for several years. I would like to share a few insights based on my experiences.
Before I start, full disclosure: as a salesperson, I want to close deals as quickly as possible, and sometimes the vetting process of a customer creates a delay I am not happy about. However, there are very good reasons why it has been defined this way, one of which is to prioritize your security and that of the entities doing business with you (be it people or other companies) above all else – even my own sales interests! So view these procedures as “thorough” and “safe”, not as “complicated”.
Symantec maintains a strict role separation between the sales, authentication, and support teams – which means that there is a dedicated expert team carrying out the authentication procedures. When evaluating a Certificate Authority, you should consider these questions: Would you prefer working with a jack-of-all-trades, or a professional who is most skilled at the specific job at hand? Who can guarantee that authentication has been processed to the highest standards, if the person performing it has an obvious conflict of interest? Given several real-world examples where not following the laid-down rules and procedures has allowed intruders to cause great damage, how happy would you or your manager be if your company were to appear in the news in relation to a security incident?
What you might not realise is that Symantec employs authentication teams around the world, who are highly trained in trade processes and rules, as well as local legislation, which allows us to do business literally anywhere; only when their requirements have been satisfied will a certificate or account be released. We keep a full audit trail of all operations, which allows us to reconstruct what was done in a specific case – even years later.
We are the only CA publicly confirming compliance with the many rules, regulations and best practices as outlined by the CA/B Forum, NIST, WebTrust audits and our own many years of experience. Of course, this does not mean that we stand still: we also know that our processes evolve and improve when we listen to our customers and adapt to a changing business world.
Now back to my original point: we may indeed ask you to complete what might appear to be an obscure-looking form, or to contact your domain registrar or phone company to correct an entry in a public database. Or you may need to coordinate a few people in your organisation to be available for a verification call. But after this comparatively short trouble, you can display the most trusted seal on the Internet, positively impact your business and ROI, and rely on your records being straight… because we took the time to ensure they are. This is why Symantec is the most trusted CA in the world, and why our Norton Secured seal is so trusted and well known.
One final note: if you require multiple SSL certificates throughout the year or if your company has several organizations needing SSL (and they should), take a look at our Managed PKI for SSL offering, in which we pre-validate your organization. When the authentication is tied to your organization, and not connected to a specific certificate, certificates can often be issued instantly, saving you time and money. For more information on MPKI for SSL, visit: http://www.symantec.com/verisign/ssl-certificates/managed-pki-ssl?fid=ssl-certificates