While I can appreciate the "why do we have to pay these mooks?!"
attitude, the reasoning is rather more straightforward.
It seems those making the silly** (imho) arguments have forgotten the
entire reason for a "trusted third party" (in this case, the CA). User
U heads over to site S and wishes to conduct a transaction, except U has
never dealt with S, nor does U have the time to do background checks on
S to significantly reduce the risk that S may actually be a fraudulent
front end for a questionable organization. Note that I'm not saying
this completely mitigates the risk, as it certainly does not. However,
it does go quite some way toward reducing the risk.
This same notion is at the heart of many types of cryptographic
protocols and key escrow (ick) systems.
I do completely agree that much over $50 for a certificate is a bit
bonkers (please, someone tell me that 90% of the process isn't
completely automated .. I really need to laugh). However, until a
majority of cert purchasers really understand *how* and *what* trusted
third parties work, the current price is liable to be with us.
regards,
--dsp
Notes:
** James "I'm not a cynic" Moore's line:
"A cynic might argue that CAs represent the sleaziest sort of
pandering; that it is designed to exploit the ignorance of the average
consumer..."
[ok, so what do you think would happen to a large, publicly traded
company if they failed to maintain their position as a trusted third
party? Can you say "class action lawsuits for very big $$$"? (along
with a few other minor ditties)]
** Lanny "we'll show 'em!" Baron's eloquent rambling:
"Well the one reason we don't use a CA that m$ wants or netscape wants,
is to show potential purchasers of our systems that the system is quite
capable of running https as well as Apache for web hosting or for
Intranet and Extranet."
[great business plan, way to win the confidence of a potential client.
"please give us your money *and* we'll shove our viewpoint down your
throat." sign me right up, I'll take two to go.]
..and..
"The problem remains that, people unfamiliar with Unix or CA's or
Mod-SSL would most likely be scared to input their credit cards or other
personal/financial data."
[whatever you're smoking, please share so the rest of us can enjoy it as
well. That sentence registers in negative integers on the makes_senseometer.
How many Amazon.com users care if that site runs off Unix or a banana
running Apache, IIS, or a tricycle for a HTTPd? They don't care, they
shouldn't need to care, and they have no problems parting with $$$ (now,
as for Amazon turning a profit .. well, that's not the user's problem
:)]
> On 6 Dec 2000, Owen Boyle wrote:
>
> > Michael wrote:
> > > Is there any reason to pay for Verisigned keys or does setting up our
> > > companies own CA work equally well?
> >
> > Technically, a self-signed certificate will work perfectly well.
> > However, the browser will "inform" the user that it doesn't recognise
> > the authority that signed this certificate. If you use Verisign etc..
> > the browser will already recognise them as a Certificate Authority and
> > accept the certificate without a squeak.
> >
> > It depends what you want to use SSL for. If you want strangers to send
> > you their private details, you'd be better off with a commercial
> > certificate since they won't be frightened by the "warnings". However,
> > if you are using SSL for a specific closed group of users, then use your
> > own certificate and inform them about it...
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
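The trust model the thread argues over, shown as an added example (this is not code from the thread or from mod_ssl): a company's own CA signs a server certificate, and the "browser" accepts that certificate only if the CA is already in its trust store; the names "Example Private CA" and "shop.example" are made up for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue mints a certificate for cn: self-signed when parent is nil, otherwise signed by parent, the third party vouching for cn.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a CA key is used to sign other certificates
	} else { // a server certificate must name its host and be marked for TLS server use
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // no third party involved: the certificate vouches for itself
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// ServerTrusted plays the browser: nil only if the server certificate chains to a root already in the client's trust store and is valid for host.
func ServerTrusted(leaf *x509.Certificate, trustStore *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trustStore, DNSName: host})
	return err
}

func main() {
	ca, caKey := issue("Example Private CA", 1, true, nil, nil) // the company's own CA (made-up name)
	srv, _ := issue("shop.example", 2, false, ca, caKey)       // server certificate that CA issued
	installed := x509.NewCertPool()
	installed.AddCert(ca) // "inform them about it": the user imports the CA certificate
	fmt.Println("CA unknown:", ServerTrusted(srv, x509.NewCertPool(), "shop.example"), "| CA installed:", ServerTrusted(srv, installed, "shop.example"))
}
```

A self-signed server certificate goes through the same gate: it is rejected until the user has imported that certificate itself into the trust store, which is the closed-group case from the quoted reply.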