This is page 2 of:
Target.com Blocked, SSL Certs Blamed
First, customers have a portal where they can control their account. Logging into that portal would display various alert messages, he said. (Although true, a retailer would likely have no reason to log in unless it had already remembered that a renewal was due.)
Second, Callan said, E-mail notices are sent 90 days before expiration and then again at 30 days before expiration, and those E-mails become “increasingly frequent as we approach expiration date.”
Third, Verisign assigns major accounts “designated salespeople who are supposed to watch these accounts” for these types of expirations. At $400 per year per server per renewal for the typical account, Callan said, the sales force has an incentive to prevent an expiration problem.
Under the “interesting but not too helpful trivia” category, Callan added that the alerts are actually a function of the site visitor’s machine, which compares its own date/time clock against the expiration date carried in the certificate. In other words, a visitor running into such a discouraging message could make it go away by turning his calendar back to an earlier month and trying again. Alternatively, consumers could see tons of these messages by simply setting their calendars to the year 2020.
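To make that clock dependence concrete, here is an added example (not code from the article, Verisign or Target) in Python: it judges a constructed certificate's validity window against a supplied clock, the way a visitor's browser does, and maps days-to-expiry onto the 90-day and 30-day notice schedule Callan describes. The sample certificate dict, the alert_tier function and the use of the standard library's ssl.cert_time_to_seconds are assumptions of the example, not anything the article documents.

```python
import ssl
from datetime import datetime, timezone
from typing import Optional

# Constructed sample certificate in the dict shape that
# ssl.SSLSocket.getpeercert() returns; not a real Target.com or Verisign cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.retailer.example"),),),
    "notBefore": "Jul 10 00:00:00 2009 GMT",
    "notAfter": "Jul 10 23:59:59 2010 GMT",
}

# Notice schedule the article quotes: first e-mail 90 days out, then 30 days.
ALERT_DAYS = (90, 30)


def validity_status(cert: dict, now: datetime) -> str:
    """Return 'valid', 'expired' or 'not_yet_valid' judged against *now*.

    This is the client-side comparison the article describes: the verdict
    comes from the clock of the machine doing the check, so a skewed clock
    flips the result for an otherwise unchanged certificate.
    """
    ts = now.timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "not_yet_valid"
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    return "valid"


def days_until_expiry(cert: dict, now: datetime) -> int:
    """Whole days from *now* until notAfter; negative once the cert has expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((not_after - now.timestamp()) // 86400)


def alert_tier(cert: dict, now: datetime) -> Optional[str]:
    """Renewal notice a daily monitoring job should raise at *now*:
    'expired', '30-day', '90-day' or None when nothing is due yet.
    Keeping this check in-house means the reminder no longer depends
    solely on the vendor's e-mails reaching the right person.
    """
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired"
    for threshold in sorted(ALERT_DAYS):  # narrowest window first
        if days <= threshold:
            return f"{threshold}-day"
    return None
```

Run with the real July 22, 2010 date and the sample certificate reports "expired"; run with a clock turned back to May 2010 the same certificate reports "valid", which is exactly the behaviour Callan describes.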
Even though Verizon didn’t comment for this story, it’s likely that most certificate vendors follow similar procedures. E-mail messages, though, are easy to ignore, especially when they are sent frequently. Imagine an E-Commerce staffer who is overseeing dozens of sites. There needs to be a more rigorous way to avoid these expirations, perhaps incorporating phone calls and in-person visits for major accounts.
Ultimately, though, if someone on the E-Commerce team doesn’t spend the 10 minutes to renew–and do so in the very short window when it needs to happen–the site is going to get blocked. Well, “blocked” may be an overstatement, because customers clearly could ignore the warning and proceed. But it’s certainly going to discourage quite a lot of prospects.
July 22nd, 2010 at 4:02 pm
Which is why you want a PKI/Cert management group that “owns” all certs, and not leave it in the hands of various developers and business units. This helps keep an institutional memory and implement a central workflow to kick off the internal renewal process.
July 28th, 2010 at 4:52 pm
One simple best practice for this type of thing is for eCommerce organizations to create general mailboxes where these types of alerts and messages can go, with multiple resources assigned to receive and monitor them. For example: alert@retailer.com. Then there need to be some processes in place to ensure that access to those mailboxes is transitioned along with a catalog of the certificates, subscriptions, and contracts the business is working with, including what they are for. Having joint NOC and business management monitoring of these mailboxes can help avoid the problem of a person leaving or changing roles and the ball being dropped. The certificate vendors can also mature their processes to stop requiring an individual at the client to “own” the responsibility and be the contact for the certificate, which also contributes to the problem. And finally, there are likely occasions where people get these alerts and either think they are spam or don’t really understand them, thereby not addressing them when they should. Education can help alleviate that, but many eCommerce organizations have grown and evolved a lot over the last few years with little time spent on maturing these aspects given other priorities.