If an eight-year-old were to look at the whole thing and write your
reply, then yes .. what you've written would probably be accurate - just
missing other fun phrases like "dooty-head", "cooties", etc.

D&B aren't a bunch of rank amateurs when it comes to checking the
legitimacy of a business. As for "who decided that X was really
trustable", it was people who are
a) most likely on the net wayyy before you. (pre-web)
a) probably more knowledgeable than you (have you tried out-marketing MS
recently?[1]),
b) definitely uninterested in asking you,
c) backed with more corporate $$$ than you, more-than-likely
and
d) well, you're stuck with it. they're doing a passable job and you
can't change it anyway. (despite all the whining I've heard about
verisign, I've yet to experience even one delay in getting a cert using
their online toolset - however I won't discount these other stories, so
verisign gets nothing above "passable")

You can either dance with an elephant or get run over by him. Your
choice, choose wisely.

Yes, I hate it that VeriSign bought Thawte. It sucks. It ruins
competition. I've dealt with both and I preferred Thawte, despite their
*massive* client cert expiration fustercluck with IE two years ago. Oh
well, the bus is leaving the station and I still have to get on to
another town. If you're walking, I'll see you there after a while.

regards,
--dsp

NOTES
[1] I don't purchase their software, I don't like their tactics, and
I'll subvert them any chance I get, but you'll *never*, *ever* see
anyone with two brain cells try to out-market them, including me.
They've got metric f**ktons of $$$ and have an utter mastery of
marketing tactics. You go around something like that, not head-to-head.

Michael wrote:
>
> So the main protection is that company x charges a fee large enough to
> company y in order to prove company y is a real company and not highschool
> students trying to rip off users. Of course there is no proof that being
> able to afford a certificate really makes you any more qualified than small
> business z and who decided company x was really trustable. All company x
> has proven is that they grasp the concept of this security model well
> enough to pretty much blackmail company x, company z, etc into paying
> out the arse for their 30 seconds of work.
>
> Maybe is a bit cynical but is that the gist of how it works?
>
> *^*^*^*
> Have the courage to take your own thoughts seriously, for they will shape
> you. -- Albert Einstein
>
> On Wed, 6 Dec 2000, Dave Paris wrote:
>
> > While I can appreciate the "why do we have to pay these mooks?!"
> > attitude, the reasoning is rather more straightforward.
> >
> > It seems those making the silly** (imho) arguments have forgotten the
> > entire reason for a "trusted third party" (in this case, the CA). User
> > U heads over to site S and wishes to conduct a transaction, except U has
> > never dealt with S, nor does U have the time to do background checks on
> > S to significantly reduce the risk that S may actually be a fraudulent
> > front end for a questionable organization. Note that I'm not saying
> > this completely mitigates the risk, as it certainly does not. However
> > it does go quite some ways to reducing the risk.
> >
> > This same notion is at the heart of many types of cryptographic
> > protocols and key escrow (ick) systems.
> >
> > I do completely agree that much over $50 for a certificate is a bit
> > bonkers (please, someone tell me that 90% of the process isn't
> > completely automated .. I really need to laugh). However, until a
> > majority of cert purchasers really understand *how* and *what* trusted
> > third parties work, the current price is liable to be with us.
[...]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]