Can SSLMate require less personal information?

[konklone]

Right now, SSLMate requires a first name, last name, country, and phone number:

I'm inspired to file this by this post lamenting the deprecation of HTTP, and pointing out the information you are required to give:

The service in the screenshot is StartSSL, and it's more invasive than what SSLMate requires.

Nonetheless, is it possible for SSLMate to require less information? And/or, in the case of field validation by your upstream CAs, is it possible for SSLMate to fill in dummy information without breaching your upstream CA's requirements?

[AGWA]

There are, unfortunately, reasons to collect this information. Although SSLMate's primary upstream CA, Comodo, does not require any personal information, SSLMate's other upstream CA, RapidSSL, requires name, phone number, and country, and they require it to be accurate. Several other CAs I investigated also require this information. If SSLMate didn't ask for it, we couldn't fail orders over to RapidSSL, or switch to a different CA in the future without breaking auto-renewal under existing accounts.

The other reason to ask for this information is that it helps prevent credit card fraud, which SSLMate is on the hook for.

That said, I support collecting as little personal information as possible, and your query has made me do a lot of thinking about ways to avoid collecting this information. I think what we can do is make this information optional if you're willing to disable auto-renew. That way, someone who just wants to get in and get out with an SSL cert can do so while providing very little personal information. But if someone wants auto-renew, I need to make sure that SSLMate can deliver, and unfortunately that means asking for this info. (Trying to get people to provide the info later on is a process that many would be certain to ignore until one of their certs expires, which is exactly the scenario SSLMate is trying to prevent.)

As for the credit card fraud, I'm willing to take a chance, though if the fraud becomes a big problem I will need to make the information required again.

[konklone]

I appreciate the research and thought that went into this answer. Thanks, @AGWA.

As for the credit card fraud, I'm willing to take a chance, though if the fraud becomes a big problem I will need to make the information required again.

I wish I knew more about the mechanics of credit card fraud, and how payment processing systems work. Perhaps you could mitigate this by imposing a daily limit of $X on accounts which have not provided personal information. Coinbase does something similar.

A more serious investment would be a bitcoin payment option, which would also mitigate credit card fraud concerns and allow for more fully anonymous acquisition of domain-validated HTTPS certificates. That's definitely a non-trivial task. It's perhaps made easier if you go with Coinbase, but as linked above they require a phone number and bank account to do anything.

It's challenging to support perfect anonymity while balancing business interests and engineering capacity. Thanks again for being open to striking that balance and creating more options for people.

[pedromorgan]

This information should go both

• in the manual
• and alonside in the "form"

Much like some blog entrues ..