Complaints imperil Net watchdog

By Simson L. Garfinkel

Special to the Mercury News

W HEN VeriSign, a small Silicon Valley start-up, positioned itself as the cyberspace equivalent of the Department of Motor Vehicles, it quickly learned that on-line motorists expect their licenses and plates to arrive in timely manner.

Service complaints are mounting against the Mountain View-based company, which all but holds the keys to security on today's Internet. It issues digital identification cards, called certificates, which allow people and companies to identify who they are.

The complaints -- which come from a small minority of customers, VeriSign says -- are the latest reminder of growing pains on the still-nascent Net. Like the millions of America Online subscribers who went without service for 19 hours Wednesday, VeriSign's customers are experiencing, first-hand, the fragility of a digital world where a single company can exert enormous control over others.

``There are a lot more weak links in our infrastructure than we are aware of,'' said Peter G. Neumann, principal scientist at Menlo Park-based SRI International and a specialist on the risks of complex systems. Many companies, he says, don't realize ``how critically everybody else is depending on them'' and how loss of service ``can cause enormous problems for many people.''

More than two dozen companies contacted by the Mercury News found VeriSign to be one of those weak but critical links in recent months, reporting significant problems with VeriSign's customer service.

In two cases, customers say VeriSign sent the digital certificate meant for one company to another. (This didn't jeopardize anyone's security, however.) In two other cases, VeriSign allegedly lost the company's original paperwork, preventing a new renewal certificate from being issued. Many customers report that telephone calls, faxes and e-mail messages to VeriSign have gone unanswered.

``I'm sort of saddened that people have to go through this,'' said Christopher Reavis, an information architect at Silicon Graphics Inc., a computer company also based in Mountain View.

Reavis said he needed a certificate to turn on the high-security features of his Web server, but none of the ones VeriSign sent him worked. After months of back-and-forth discussions, hard-disk reformats, software reinstallations and more, he said, he finally got his server running properly.

``It was painful,'' Reavis said. ``There is only one place that you can go to, and that one place is treating you like junk.''

Stratton Sclavos, VeriSign's president, acknowledges that his company has had some customer-support difficulties but says that problems are usually the result of errors on the part of the customers themselves. Sclavos said that he wasn't familiar with the details of the Silicon Graphics case in particular.

``I can only tell you that we have done over 10,000 [certificates] now,'' he said. ``We have many satisfied customers.''

`Commerce certificates'

Formed in March 1995 by RSA Data Security, VISA International, Mitsubishi and Fischer International, VeriSign markets ``commerce certificates'' that are supposed to assure the authenticity of the company that holds them. The company also hopes to sell personal certificates, which will identify individuals using ``browser'' programs such as Netscape's Navigator and Microsoft's Internet Explorer.

In addition to paying the $295 fee for a new commerce certificate, or the $75 fee for a renewal, companies must submit to a background check in which their documents are validated. Sclavos says that this process naturally takes longer with small firms -- some of which might not even be incorporated.

The problems go beyond that, some customers complain.

``I never received any response to e-mails sent to the . . . e-mail address advertised on the Web site,'' said Jim Lippard, Web administrator at Primenet, a company in Phoenix that hosts other companies' Web sites.

Lippard says he tried to get his certificate renewed three months in advance of its expiration, but the renewal didn't actually arrive until the day before the site certificate expired.

`It went on and on'

An Internet mailing list for users of the Apache SSL secure Web server exploded earlier this month with complaints against VeriSign.

``It took us two months to get our certificate,'' wrote Mark Lottor, an engineer at Menlo Park-based Network Wizards, which designs Web sites. ``I had to call them every week. First they had to locate our check. Then they needed more info. Then they lost our fax. It went on and on.''

Lottor wrote that he ``would not recommend VeriSign if I had a choice.''

Using the old system

Sclavos says that VeriSign has improved its systems, changing a process that was largely manual to one that is now almost completely automated. Many of the customers with problems had submitted their request for VeriSign certificates using the company's old, manual system, rather than the new automated system that is accessed through the Internet's World Wide Web.

Nick Bauman, who works at Graphics 440 in Minneapolis, has obtained three certificates from VeriSign. The first was requested in writing and took four weeks.

``The second and third . . . were all done on-line and they came in one week apiece,'' he said. ``I think the people who have had the most problems with VeriSign are those who don't read the fine print and aren't as concerned about dotting the i's and crossing the t's. On the whole, I think they aren't as bad as the (e-mail) list seems to indicate they are.''

Another problem, Sclavos said, is the nature of the Internet itself. Sometimes, when VeriSign has received e-mail from a customer, the return address has been bad, preventing VeriSign from respond to the message -- but leaving the customer convinced that he or she was being ignored.

Company is troubleshooting

VeriSign is now trying to prevent problems before they occur, he said -- for example, contacting customers whose certificates are about to expire, rather than waiting for them to find out the hard way.

``We are targeting some fairly major changes at the end of the month, a lot more automation in our issuing process, as well as our customer care system,'' he said, adding that one of the biggest problems has been certificate demand that outstripped all of expectations.

``We are really scaling up to meet the demand,'' he said. ``You'll see within the next 60 days some fairly dramatic improvement to the whole turnaround-time issue, as well as the customer care issue. . . . We are also spending a lot of time with the server vendors, trying to get them to work with us.''

Sameer Parekh, president of Community ConneXion, a supplier of secure Web servers, said VeriSign has worked hard with his company. ``They're the best public Internet-wide CA (certification authority) out there,'' Parekh said.

Competition arrives

VeriSign's monopoly on certificates is fast eroding. Version 3.0 of Netscape Navigator can also accept certificates from GTE, which plans to go into competition with VeriSign later this year.

Navigator can also add new master certificates. "``It's more open,"'' said SGI's Reavis.``Netscape doesn't want to be so closely bound with VeriSign, (although Netscape) won't say that.''

Increasingly, some companies are even taking matters into their own hands. Some Web servers are coming with software that allows companies to create and sign their own certificates. These so-called self-signed certificates don't really identify a company -- a self-signed certificate is essentially a promise by the company that it is who it says it is.

Nevertheless, such a certificate allows the company to use the cryptographic features of its Web server -- at least, as long as customers are using the latest version 2.0 or higher of Netscape Navigator.

VeriSign, meanwhile, is not on the best-friends list of some of its customers.

``They were new and they were starting, but I don't see that as an excuse,'' Reavis said. ``If we put a new product out there and didn't have a support model for it, I would expect us to get burned hard, and to pay for that. I wouldn't want that to happen, but that's what I would expect.''


| Mercury Center Home | Index | Feedback | NewsLibrary |
©1996 Mercury Center. The information you receive on-line from Mercury Center is protected by the copyright laws of the United States. The copyright laws prohibit any copying, redistributing, retransmitting, or repurposing of any copyright-protected material.