Ian Grigg <[EMAIL PROTECTED]> writes:
> "Perry E. Metzger" wrote:
> > The cost of MITM protection is, in practice, zero.
>
> Not true!  The cost is from 10 million dollars to
> 100 million dollars per annum.  Those certs cost
> money, Perry!

They cost nothing at all. I use certs every day that I've created in
my own CA to provide MITM protection, and I paid no one for them. It
isn't even hard to do.

Repeat after me:

TLS is not only for protecting HTTP, and should not be mistaken for
https:.

TLS is not X.509, and should not be mistaken for X.509.

TLS is also not "buy a cert from Verisign", and should not be mistaken
for "buy a cert from Verisign".

TLS is just a pretty straightforward well analyzed protocol for
protecting a channel -- full stop. It can be used in a wide variety of
ways, for a wide variety of apps. It happens to allow you to use X.509
certs, but if you really hate X.509, define an extension to use SPKI
or SSH style certs. TLS will accommodate such a thing easily. Indeed,
I would encourage you to do such a thing.

Perry

---------------------------------------------------------------------
The Cryptography Mailing List
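
The private-CA approach the message describes, sketched with the openssl command line. This is an added example, not part of the original post or Perry's own setup; the CA names and the host name mail.example.test are constructed for illustration.

```shell
#!/bin/sh
# Added example. CA names and mail.example.test are constructed.
set -eu

make_ca() {        # $1 = directory, $2 = CA common name
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
    'x509_extensions=v3_ca' '[dn]' "CN=$2" '[v3_ca]' \
    'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$1/ca.cnf"
  # -nodes leaves the key unencrypted: acceptable for a demo only.
  openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 365 -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_cert() {     # $1 = CA directory, $2 = server host name
  openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 90 -extfile "$1/$2.ext" \
    -out "$1/$2.crt" 2>/dev/null
}

check_cert() {     # $1 = trusted CA cert, $2 = presented cert, $3 = host name
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
mkdir "$d/mine" "$d/other"
host=mail.example.test
make_ca "$d/mine" "Example Private CA";  issue_cert "$d/mine" "$host"
make_ca "$d/other" "Unrelated CA";       issue_cert "$d/other" "$host"

# The client trusts only its own CA, so a certificate for the same name
# signed by any other CA is refused.
check_cert "$d/mine/ca.crt" "$d/mine/$host.crt" "$host"  && echo "own CA: accepted"
check_cert "$d/mine/ca.crt" "$d/other/$host.crt" "$host" || echo "other CA: rejected"
```

The protection comes from the client pinning its trust to ca.crt alone, so that file has to reach each client over a channel that is itself trusted.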