SSL Vendor X, I love thee not
Rule #1 in this girl’s Guide to the Internet is: Never post your home address. Whether you are a 14-year-old in a chat room or a 30-something girl geek registering a domain, it makes sense to keep that information private.
In keeping with that rule, I use my work address when registering my own domains. Other people I know use post office boxes. I do not consider such a thing as bizarre or unexpected behaviour. As long as I can receive postal mail at the specified address, I do believe that I have satisfied the original registration requirement.
Unfortunately, at least one SSL vendor does not agree. I attempted to get a certificate for my domain yesterday, and ran into a wee little roadblock. Sadly, there is no trust relationship between the company that I registered my domain with, and the company I attempted to get a certificate from. The only method that the SSL vendor has instituted to ensure that I own my domain is to demand an exact match of address information between a submitted copy of a real-world credential and the WHOIS database entry for my domain:
Dear Pamela Dingle, Thanks for writing to us. We like to inform you that, according to validation we follow the below process: 1. Inorder to activate your account, we need any of the supporting documents exactly to match with the account details. 2. And for issuing certificate, we need the account details to match with whois. Alternatively, you can change your account details for which you can provide the documents. We look forward to your response.
As it is highly unlikely that I will be able to produce a copy of an “official” document containing my work address, the only alternative that the SSL company is willing to entertain is for me to update my WHOIS information with my home address, so that it matches my drivers license. I consider that unacceptable, and I think it is a perfect example of users being railroaded into placing more information than they want into the public domain. Yes, I could temporarily change my information to my home address to get the cert and change it back. Yes, I could probably get my company to request the certificate, because we’re a small company and because I have a nice boss. That isn’t the point.
The point is that most people will do what the vendor asks, because they are being held hostage. They want SSL. They are told they have no other options. It is easier to accomodate under duress, than to stand up and say no.
I think that there are other options. The goal shouldn’t be to prove where I live, but to prove that I have control over the domain. I could, for example, change my WHOIS data to say “SSL VENDOR X SUX”. Besides making me feel better, I think it would prove some measure of control over my domain, but just in case, I could set it to a mutually agreed upon string. That would be a lot tougher to spoof than oh, say a photoshopped drivers license, yes? Ideally, wouldn’t it be great if the SSL company could receive an assertion from the company I registered my domain with, attesting to the fact that I own the domain? I’d like to see that happen.
Until then, SSL Vendor X can stuff it, and I will try and find a vendor who will take my money and treat information I wish not to disclose with a little more respect. Wish me luck.