If an eight-year-old were to look at the whole thing and write your
reply, then yes .. what you've written would probably be accurate - just
missing other fun phrases like "dooty-head", "cooties", etc.  

D&B aren't a bunch of rank amateurs when it comes to checking the
legitimacy of a business.  As for "who decided that X was really
trustable", it was people who are 

a) most likely on the net wayyy before you. (pre-web)
a) probably more knowledgeable than you (have you tried out-marketing MS
recently?[1]),
b) definitely uninterested in asking you, 
c) backed with more corporate $$$ than you, more-than-likely 
and 
d) well, you're stuck with it. they're doing a passable job and you
can't change it anyway. (despite all the whining I've heard about
verisign, I've yet to experience even one delay in getting a cert using
their online toolset - however I won't discount these other stories, so
verisign gets nothing above "passable")

You can either dance with an elephant or get run over by him.  Your
choice, choose wisely.

Yes, I hate it that VeriSign bought Thawte.  It sucks.  It ruins
competition.  I've dealt with both and I preferred Thawte, despite their
*massive* client cert expiration fustercluck with IE two years ago. Oh
well, the bus is leaving the station and I still have to get on to
another town.  If you're walking, I'll see you there after awhile.

regards,
--dsp

NOTES
[1] I don't purchase their software, I don't like their tactics, and
I'll subvert them any chance I get, but you'll *never*, *ever* see
anyone with two brain cells try to out-market them, including me. 
They've got metric f**ktons of $$$ and have an utter mastery of
marketing tactics.  You go around something like that, not head-to-head.


Michael wrote:
> 
> So the main protection is that company x charges a fee large enough to
> company y in order to prove company y is a real company and not high school
> students trying to rip off users. of course there is no proof that being
> able to afford a certificate really makes you any more qualified than small
> business z and who decided company x was really trustable. all company x
> has proven is that they grasp the concept of this security model well
> enough to pretty much blackmail company x, company z, etc into paying
> out the arse for their 30 seconds of work.
> 
> Maybe is a bit cynical but is that the gist of how it works?
> 
> *^*^*^*
> Have the courage to take your own thoughts seriously, for they will shape
> you. -- Albert Einstein
> 
> On Wed, 6 Dec 2000, Dave Paris wrote:
> 
> > While I can appreciate the "why do we have to pay these mooks?!"
> > attitude, the reasoning is rather more straightforward.
> >
> > It seems those making the silly** (imho) arguments have forgotten the
> > entire reason for a "trusted third party" (in this case, the CA).  User
> > U heads over to site S and wishes to conduct a transaction, except U has
> > never dealt with S, nor does U have the time to do background checks on
> > S to significantly reduce the risk that S may actually be a fraudulent
> > front end for a questionable organization.  Note that I'm not saying
> > this completely mitigates the risk, as it certainly does not.  However
> > it does go quite some ways to reducing the risk.
> >
> > This same notion is at the heart of many types of cryptographic
> > protocols and key escrow (ick) systems.
> >
> > I do completely agree that much over $50 for a certificate is a bit
> > bonkers (please, someone tell me that 90% of the process isn't
> > completely automated .. I really need to laugh).  However, until a
> > majority of cert purchasers really understand *how* and *what* trusted
> > third parties work, the current price is liable to be with us.
[...]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]