On 6 Dec 2000, Owen Boyle wrote:
> Michael wrote:
> > Is there any reason to pay for Verisigned keys or does setting up our
> > company's own CA work equally well?
>
> Technically, a self-signed certificate will work perfectly well.
> However, the browser will "inform" the user that it doesn't recognise
> the authority that signed this certificate. If you use Verisign etc.,
> the browser will already recognise them as a Certificate Authority and
> accept the certificate without a squeak.
>
> It depends what you want to use SSL for. If you want strangers to send
> you their private details, you'd be better off with a commercial
> certificate since they won't be frightened by the "warnings". However,
> if you are using SSL for a specific closed group of users, then use your
> own certificate and inform them about it...

All true... but the primary motivation (IMO) for using a cert is if you
are doing business with the general public (i.e. strangers). Customers
who see warning messages emitted by their browser when they encounter a
cert that's not signed by one of the browser-recognized CAs tend to get
"cold feet". Therefore online merchants rush to pay Verisign and their
ilk a fee for a cert that buys them some "warm and fuzzies".

A cynic might argue that CAs represent the sleaziest sort of pandering;
that it is designed to exploit the ignorance of the average consumer
who believes that because his browser doesn't tattle on an "official"
cert that he's dealing with a reliable party. He might also suggest
that the entire CA industry is the result of a collusion of greed that
is a result of RSA's partial ownership of Netscape.

Good thing I'm not a cynic :)

Best Regards,
James Moore
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
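The point both posters make (a cert from your own CA verifies fine for a client that has been given your CA, and fails for everyone else) can be reproduced with the openssl command line. This is an added example, not code from the thread; it assumes an openssl binary is on PATH, and the CA name and host name are constructed.

```shell
#!/bin/sh
# Added demo: how a client treats a cert signed by a company's private CA,
# depending on whether that CA is in the client's trust store.
# "Example Internal CA" and "intranet.example.test" are constructed names.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the company's own CA (a self-signed root) and a server cert it signs.
build_private_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=intranet.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 30 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" >/dev/null 2>&1
}

# Emulate a client. $1 is a CA bundle the client has been told to trust, or ""
# for a client (a stranger's browser) that only knows the built-in CAs.
# Echoes "accept" when the chain verifies and "warn" when it does not.
client_verdict() {
  trust_file="$1"
  if [ -n "$trust_file" ]; then
    set -- -CAfile "$trust_file"
  else
    set --
  fi
  if openssl verify "$@" "$WORK/server.crt" >/dev/null 2>&1; then
    echo accept
  else
    echo warn
  fi
}

build_private_pki
echo "stranger (default trust store only): $(client_verdict "")"
echo "closed group (company CA installed): $(client_verdict "$WORK/ca.crt")"
```

The "warn" result is exactly the browser dialog the thread describes; a commercial CA's root is already in the default store, so the same check yields "accept" without any extra step on the client.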