Frequently Asked Questions This set of documents answers many of the questions and problems. For general information about Secure Site IDs, see About Secure Server IDs.

General Questions What are VeriSign Global Secure Site IDs? What is the difference between a standard VeriSign Secure Site ID and a VeriSign Global Secure Site ID? What is "strong encryption"? Why do I need a Global Secure Site ID? How do Global Secure Site IDs protect international transactions? What Web server software is necessary for Global Secure Site IDs? What if visitors to my site are not using a compatible Web browser? Must Global Secure Site ID applicants escrow copies of their private keys? How long will it take for VeriSign to issue the Global Secure Site ID after all evidence has been submitted? What is Server Gated Cryptography (SGC)? What is the relationship between SGC and this program? What if I already have a VeriSign Secure Server ID? Can I upgrade? Qualifications for Global Server ID What categories of customers may obtain a Global Secure Site ID for their sites? Are there any countries in which Global Secure Site IDs may not be used? Are there any restrictions on the kinds of transactions my organization can engage in using Global Secure Site IDs? Documentation needed for Enrolling for a Global Server ID What forms must a foreign organization submit to VeriSign to get a Global Server ID? What forms must a U.S. company submit to VeriSign to obtain a Global Secure Site ID? Must Global Secure Site ID applicants submit information to any U.S. government agencies?

What are VeriSign Global Secure Site IDs? Global Secure Site IDs are a form of Digital ID, the electronic counterpart to driver licenses, passports, and business licenses. You can present a Digital ID electronically to prove your identity or your right to access information or services online. By using a VeriSign Global Secure Site ID, you are enabling your site to conduct authenticated, strongly encrypted on-line commerce. Users visiting your site will be able to submit credit card numbers or other personal information to your site, with assurance that they are really doing business with you (and not an impostor) and that the information which they are sending to you can not be intercepted or decrypted by anyone other than the intended recipient. Technically, Digital IDs, also known as digital certificates, bind an identity to a pair of electronic keys that can be used to encrypt and sign digital information. A Digital ID makes it possible to verify someone's claim that they have the right to use a given key, helping to prevent people from using phony keys to impersonate other users. Used in conjunction with encryption, Digital IDs provide a complete security solution, assuring the identity of one or all parties involved in a transaction. A Digital ID is issued by a trusted third party called a Certification Authority (CA)-in this case, VeriSign. A CA acts somewhat like a Passport Office. CAs must take steps to establish the identity of the people or organizations to whom they issue Digital IDs. Once they have established an organization's identity, they issue a certificate that contains that organization's public key.

  return to the top

What is the difference between a standard VeriSign Secure Site ID and a VeriSign Global Secure Site ID? The primary difference between the two types of Server IDs is the strength of the SSL session that each enable. Global Secure Site IDs Using VeriSign Global Secure Site IDs (formerly called Global Server IDs), companies located anywhere in the world can communicate with 128-bit SSL encryption with their customers, provided that their customers have a Netscape client enabled with Step-UP technology (this includes Netscape Navigator version 4.0 and later) or a client application that's been enabled with Server Gated Cryptography extensions. Microsoft Internet Explorer 4.0 or later Microsoft Internet Explorer 3.02 with a special patch or later Microsoft Money 98 Intuit Quicken Secure Site IDs Using VeriSign Secure Site IDs (formerly called Server IDs), U.S.-based companies with servers located in the U.S. can communicate at 128 bits within the U.S. and at 40 bits outside the U.S. Non-U.S.-based servers can communicate at 40 bits with their clients. Note that 128-bit communications require 128-bit capable software at both the server and the client.

  return to the top

What is "strong encryption"? Server IDs enable secure online communications through Secure Sockets Layer (SSL) technology. Global Secure Site IDs enable the negotiation of SSL or TLS sessions using strong 128-bit RC2 or RC4 encryption. Encryption is a method of scrambling messages so they cannot be read without decryption keys. The length of the key used to encrypt messages is a good indication of the amount of effort needed to decrypt that message. Any software with encryption features having key lengths over 40 bits is considered strong encryption by the U.S. Government for export purposes. Until recently, U.S. export laws made it virtually impossible for a browser and a server to communicate using key lengths longer than 40 bits unless both the server and browser were located within the U.S. Many feel that 40-bit encryption is too weak given the computing power available today. In a January 1999 experiment sponsored by RSA Data Security, a message that was 40 bit-encrypted was decrypted by a University of California graduate student in under 8 hours. However, by increasing the length of the key by one bit, the amount of effort required to crack the code doubles. VeriSign Global Secure Site IDs enable certain types of browsers, available almost everywhere in the world, to initiate 128-bit sessions with the server. 128-bit encrypted messages are 309,485,009,821,345,068,724,781,056 times harder to break than 40-bit messages. Thus, it would take the same technology used to crack the RSA 40-bit message 1 trillion x 1 trillion years to crack a 128-bit message. That's several trillion times longer than the age of the Earth. Until recently, export versions of Web browsers (they're also commonly used within the U.S.) encrypted data only in 40-bit sessions. Now, the latest export and domestic versions of Netscape and Microsoft Internet Explorer browsers can encrypt transactions with your site using strong encryption in 128 bit sessions.

  return to the top

Why do I need a Global Secure Site ID? A Global Secure Site ID provides you and your customers with 128-bit SSL or TLS encryption security-a much greater degree of security in transactions than would be possible with 40-bit capable browsers. Global Secure Site IDs can both protect the security of your transactions, as well as encourage a much broader group of customers around the world to use your services. Even if you don't have customers outside the U.S., the Global Secure Site ID allows customers in the U.S. who may not be using the North America-only 128-bit versions of Microsoft Internet Explorer or Netscape Navigator to connect using 128-bit security. U.S. companies may use Global Secure Site IDs to: Communicate using strong encryption with customers, suppliers, or employees inside the U.S. who are not using the North America-only 128-bit versions of the Microsoft Internet Explorer or Netscape Navigator. Since U.S. export laws make distribution of 128-bit browsers more difficult for vendors and users, over half of U.S. consumers are believed to be using 40-bit capable browsers Communicate using strong encryption with employees or subsidiaries outside the U.S. or Canada. Communicate using strong encryption with partners or customers outside the U.S. or Canada.

  return to the top

How do Global Secure Site IDs protect international transactions? VeriSign, with its well-established technology, infrastructure and practices, provides a very high degree of assurance that: Global Secure Site IDs are virtually unforgeable and the cryptographic keys contained within them are almost unbreakable. Global Secure Site IDs will only be granted to legitimate businesses that meet the necessary U.S. government qualifications. Global Secure Site IDs can not be obtained under false pretenses . The lifecycle services offered by VeriSign will ensure the integrity of the program.

  return to the top

What Web server software is necessary for Global Secure Site IDs? The server on which the Global Secure Site ID is located must be running one of the following: Secure confidential information (e.g. customer information, credit card numbers) sent to merchants by their customers Compaq/Tandem iTP Webserver Hewlett Packard Virtual Vault (with Netscape Enterprise) Lotus Domino 4.6.2+ (Please note that GO does not yet support Global Secure Site IDs) Microsoft IIS 3.0+ Nanoteq NetSeq server One of the Netscape Suite Spot Server, 3.0+ or later (e.g. Netscape Enterprise 3.0+, Netscape Proxy 3.0+, 2.01c, etc.) Customers or users connecting to the Web server should have a compatible client application: Microsoft Internet Explorer 4.0 or later Microsoft Internet Explorer 3.02 with a special patch or later Netscape Navigator 4.0 or later Microsoft Money 98 Intuit Quicken

  return to the top

What if visitors to my site are not using a compatible Web browser? They will need to upgrade. Both Microsoft and Netscape make their latest browser versions available free on their Web sites.

  return to the top

Must Global Secure Site ID applicants escrow copies of their private keys? The U.S. Government determines the categories of companies that can implement this powerful technology outside the U.S. and across U.S. borders. The U.S. Government then approves specific organizations (such as VeriSign) to sell this technology to other entities who fit the definitions of the approved categories. Presently, the categories are defined as the following (for complete and exact definitions, please carefully review the Global Secure Site ID Subscriber Agreement): Banks and Financial Institutions, including holding companies; community, regional and money center financial institutions; savings associations; trust companies; and regulated savings banks. Insurance Companies, defined as companies whose primary and predominant business activity is the writing of insurance or the reinsurance of risks. Health and Medical Organizations, the primary purpose of which is the lawful provision of "health or medical services," not including biochemical or pharmaceutical manufacturers and military government entities. On-line Merchants, defined as entities regularly engaged in the lawful commerce that uses means of electronic communications (that is, the Internet) to conduct commercial transactions. Global Secure Site IDs may not be sold to foreign on-line merchants that sell items or service controlled by the U.S. munitions list, nor may exports be made to foreign government entities. US Subsidiaries, defined as a foreign company in which a U.S. entity beneficially owns or controls 25 percent or more of the voting securities; or which is operated by a U.S. entity under an exclusive management contract; or in which a majority of its Board members are also members of the comparable governing body of the U.S. entity; or in which the U.S. entity has the authority to appoint the majority of the Board members; or in which the U.S. entity has the authority to appoint the chief operating officer. VeriSign also offers Global Secure Site IDs to U.S. companies which operate their Web servers in the U.S. such that they do not require an export license from the BXA. You must be incorporated in the U.S. as a business, university, or government agency, and you must agree to operate the server with the Global Secure Site ID in the U.S. such that all encrypted communications take place within the U.S. VeriSign may also sell Global Secure Site IDs to companies which don't fall into one of the above categories, but have received a specific approval from the BXA (an export license or other export approval).

  return to the top

How long will it take for VeriSign to issue the Global Secure Site ID after all evidence has been submitted? It will take five to seven working days (for an accurate filing).

  return to the top

What is Server Gated Cryptography (SGC)? What is the relationship between SGC and this program? Server Gated Cryptography (SGC) is Microsoft's name for the entire set of technologies which enable strong encryption when an appropriately configured server encounters an appropriately configured client. Part of the SGC technology involves the use of special digital certificates by Microsoft IIS servers. VeriSign's Global Server IDs for Microsoft fulfill the role of the SGC special digital certificates.

  return to the top

What if I already have a VeriSign Secure Server ID? Can I upgrade? Global Secure Site IDs enable SSL. Therefore, you may replace your existing VeriSign Secure Server ID with a Global Secure Site ID. Because older browsers are not compatible with Global Secure Site IDs and SGC technology, many of our customers choose to maintain two sets of pages: one secured with a regular Secure Site ID, and one secured with a Global Secure Site ID. Due to technical reasons, VeriSign does not currently offer a discount to customers upgrading from Server IDs to Global Secure Site IDs.

  return to the top

Qualifications for Global Server ID

What categories of customers may obtain a Global Secure Site ID for their sites? The U.S. Government determines the categories of companies that can implement this powerful technology outside the U.S. and across U.S. borders. The U.S. Government then approves specific organizations (such as VeriSign) to sell this technology to other entities who fit the definitions of the approved categories. Presently, the categories are defined as the following (for complete and exact definitions, please carefully review the Global Secure Site ID Subscriber Agreement): Server IDs are used to: Banks and Financial Institutions, including holding companies; community, regional and money center financial institutions; savings associations; trust companies; and regulated savings banks. Insurance Companies, defined as companies whose primary and predominant business activity is the writing of insurance or the reinsurance of risks. Health and Medical Organizations, the primary purpose of which is the lawful provision of "health or medical services," not including biochemical or pharmaceutical manufacturers and military government entities. On-line Merchants, defined as entities regularly engaged in the lawful commerce that uses means of electronic communications (that is, the Internet) to conduct commercial transactions. Global Secure Site IDs may not be sold to foreign on-line merchants that sell items or service controlled by the U.S. munitions list, nor may exports be made to foreign government entities. US Subsidiaries, defined as a foreign company in which a U.S. entity beneficially owns or controls 25 percent or more of the voting securities; or which is operated by a U.S. entity under an exclusive management contract; or in which a majority of its Board members are also members of the comparable governing body of the U.S. entity; or in which the U.S. entity has the authority to appoint the majority of the Board members; or in which the U.S. entity has the authority to appoint the chief operating officer. VeriSign also offers Global Secure Site IDs to U.S. companies which operate their Web servers in the U.S. such that they do not require an export license from the BXA. You must be incorporated in the U.S. as a business, university, or government agency, and you must agree to operate the server with the Global Secure Site ID in the U.S. such that all encrypted communications take place within the U.S. VeriSign may also sell Global Secure Site IDs to companies which don't fall into one of the above categories, but have received a specific approval from the BXA (an export license or other export approval).

  return to the top

Are there any countries in which Global Secure Site IDs may not be used? With respect to all entities other than U.S. Subsidiaries, organizations may not use Global Secure Site IDs in the following countries: the Russian Federation, Mexico, Afghanistan, Columbia, Nigeria, North Korean, Thailand, the Cayman Islands, the People's Republic of China, the Dominican Republic, Pakistan, Panama, Paraguay, Romania, Venezuela, Chile, Taiwan, Syria, Iran, Iraq, Sudan, Libya, and Cuba. U.S. subsidiaries may not use Global Secure Site IDs in India, Pakistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan, or Syria. If you do not meet these geographic requirements, you may still be eligible to obtain an export license from the BXA.

  return to the top

Are there any restrictions on the kinds of transactions my organization can engage in using Global Secure Site IDs? Yes. According to the Global Secure Site ID Subscriber Agreement: If you are a Bank, Financial Institution or Banking and Financial Service System, you shall implement or utilize your Global Secure Site ID only to secure financial transaction/communications. No client-to-client usage is authorized. If you are a Health and Medical Organization, you shall implement or utilize your Global Secure Site ID only to secure health/medical information. No client-to-client usage is authorized. If you are an Online Merchant, you shall implement or utilize your Global Secure Site ID only for the purchase or sale of goods and software and provision of services connected with the purchase or sale of goods and software, including interactions between purchasers and sellers necessary for ordering, payment, and delivery of goods and software. No customer-to-customer communications or transactions are allowed. If you are a U.S. Subsidiary organization, you may use the Global Secure Site ID only to secure company proprietary information. For U.S. companies, by signing the Global Secure Site ID Subscriber Agreement, your company or organization assumes responsibility for ensuring that your activities are in compliance with U.S. export laws. Please consult with an appropriate legal or export counsel if you believe your company's intended use of the Global Secure Site ID may not be in compliance with U.S. export regulations. The following examples offer some general usage guidelines for your Global Secure Site ID. However, your organization is responsible for ensuring that your use of a Global Secure Site ID is in compliance with the U.S. export laws. Communication with browsers within the U.S. or Canada: Without the need for further action, you may use the Global Secure Site ID to communicate using 128-bit encryption with any domestic or export version browser in the United States. Communication with employees and subsidiaries outside the U.S. and Canada: You may use the Global Secure Site ID to communicate with employees or majority-owned subsidiaries outside the U.S. Either you must apply for a specific export approval from BXA or you must qualify for this use of Global Secure Site IDs under the terms of an Encryption Licensing Arrangement issued to your company, your server software company, or VeriSign by the BXA. Communication with partners or customers outside the United States and Canada: Global Secure Site IDs provide an excellent technical solution for strongly encrypted global extranets or for communication with specific customers outside the United States. However, you will need to obtain an Encryption Licensing Arrangement from the Bureau of Export Administration to engage in this sort of activity, or you must qualify for this use of Global Secure Site IDs under the terms of an export license issued to your company, Microsoft, or VeriSign. The licensing agreement will most likely require that you maintain some form of client restricted access to the system (e.g. through the use of passwords or client certificates.) Please note that VeriSign provides the above guidelines as a service to our customers. They should not be considered as legal advice.

  return to the top

Documentation needed for Enrolling for a Global Server ID

What forms must a foreign organization submit to VeriSign to get a Global Server ID? The institution must first register a domain name with InterNIC or appropriate domain registry. An example domain name would be samplebank.co.uk. The institution must then generate a Certificate Signing Request using their Web Server software (Note: please complete steps 1 and 2 of the enrollment process before generating your CSR). Instructions for generating a CSR are provided in the VeriSign enrollment pages. The institution must then submit its CSR, along with other information, to VeriSign as part of the Global Secure Site ID enrollment process. As part of the enrollment process, the institution will be asked to provide information that establishes its corporate identity and that establishes that the institution meets the U.S. Commerce Department definitions of those categories of businesses allowed to obtain a Global Secure Site ID (see the section on categories above). For most institutions, the easiest way to do this is to provide VeriSign with a Dun & Bradstreet D-U-N-S number. Almost all institutions, foreign and domestic, have a DUNS number. By visiting www.dnb.com, you can look up your DUNS number. VeriSign's enrollment page, step 2, provide links for looking up DUNS numbers and obtaining free DUNS numbers. If the organization does not have a valid Dun & Bradstreet DUNS number, you will be asked to submit documents demonstrating that the organization has been legally authorized by your state, provincial, or national government to transact business under the organization name appearing in the ID request. For banks, financial institutions, insurance companies, or health and medical organizations, these documents must also show that the institution is chartered to conduct business under the appropriate category. For U.S. subsidiaries, these documents must demonstrate that the organization conforms to the BXA's definition of a U.S. Subsidiary (see Section 3.7 of the VeriSign Global Secure Site ID Subscriber Agreement). As part of the enrollment process, the institution will be asked to agree to the VeriSign Global Secure Site ID Subscriber Agreement. Among other things, this agreement is declaration that you meet the U.S. Commerce Department definitions of a permitted institution, and that you will not use the Web server software or the Global Secure Site ID for illegal purposes. Secure information sent over corporate intranets VeriSign will then perform its standard background checks to determine that the institution meets issuance requirements. VeriSign will then issue the Global Secure Site ID.

  return to the top

What forms must a U.S. company submit to VeriSign to obtain a Global Secure Site ID? The company must first register a domain name with the InterNIC or appropriate domain registration agency. An example domain name would be verisign.com. The company must then generate a Certificate Signing Request using their Web server software (Note: please complete steps 1 and 2 of enrollment before generating your CSR.) Instructions for generating a CSR are provided in the VeriSign enrollment pages. The company will submit its CSR, along with other information, to VeriSign as part of the Global Secure Site ID enrollment process. As part of the enrollment process, the company will be asked to provide information that establishes its corporate identity and that establishes that the company, organization, university, or government institution was formed within the United States. For most U.S. organizations, the easiest way to do this is to provide VeriSign with your Dun & Bradstreet D-U-N-S number. Almost all U.S. companies, universities, and government agencies have a DUNS number. During enrollment, VeriSign will provide you with an opportunity to look up your DUNS number or register for one for free. If you do not have a DUNS number, and do not wish to obtain a DUNS number, you will be asked to submit documents, such as a business license, articles of incorporation, or SEC filings, that establish your corporate identity. As part of the enrollment process, you will be asked to agree to the VeriSign Global Secure Site ID Subscriber Agreement. Among other things, this agreement is a declaration that you acknowledge that the use of the Global Secure Site ID is an export-regulated activity, and that you are responsible for using the Global Secure Site ID in a manner consistent with applicable U.S. export regulations VeriSign will then perform its standard background checks to determine that the U.S. company meets issuance requirements. VeriSign will then issue the Global Secure Site ID. No special actions are necessary for any U.S. company to obtain the necessary server software (see above for a list of acceptable types of server software). Your end-users can freely download the export versions of the Microsoft and Netscape browsers, as well as any necessary patches, from the appropriate Microsoft and Netscape Web sites.

  return to the top

Must Global Secure Site ID applicants submit information to any U.S. government agencies? No. You simply need to complete the appropriate paperwork with VeriSign. VeriSign and its server partners periodically report to BXA on the distribution of Global Secure Site IDs under export licenses.

  return to the top

Copyright © 1999, VeriSign, Inc. All Rights Reserved