Ian G wrote: > In the below, John posted a handy dandy table of cert prices, and > Nelson postulated that we need to separate high assurance from low > assurance. Leaving aside the technical question of how the user > gets to see that for now, note how godaddy charges $90 for their > high assurance and Verisign charges $349 for their low assurance. > > Does anyone have a view on what "low" and "high" means in this > context? Indeed, what does "assurance" mean?
>From an issuance policy perspective one definition of assurance classes could be: 0 No assurance. An enrollment was received and a certificate issued (a few million Netscape In Box Direct certificates were issued this way) 1 Low assurance. An enrollment was received and an email containing a secret was sent to the enrollee specified address who then presented the secret to the enrollment site which then issued the certificate. 2 Medium assurance. An enrollment was received wiht a set of identifiying information which validated using third party mechanisms (commercial identity databases, credit agencies, phone books) in addition to an email round trip with a secret as in class 1. 3 High assurance. An enrollment was received along with multiple points of contact and legal documentation. Government and commercial databases where used to verify the information submitted. Out of band methods were used to contact the purported enrollees legal right to represent them. Out of band methods were used to advise the purported enrolling entity that an enrollment was made on their behalf. Multiple operations staff had to independantly review collected infomration and approve the enrollment. The domain-control-certificates are equivalent to a class 1 as described above. VeriSign's $349 certificates are class 3. A separate but equally important issue is whether a CA enables revocation checking. As you might imagine even a high assurance certificate can be mis-issued and so the revocation concept of PKI is important. So if a CA does not offer revocation checking services (e.g. by providing CDPs and crl responders, or ocsp AIAs adn ocsp responders) that would substantially diminish the value of any authentication they perform. > John Gilmore wrote: > > For the privilege of being able to communicate securely using SSL and a > > popular web browser, you can pay anything from $10 to $1500. Clif > > Cox researched cert prices from various vendors: This is most unfortunate. I would like to see software providers like MoFo, Opera, Microsoft and others improve the situation. Thought it's worth noting that you can issue your own certificates and many browsers will allow you to override the lack of a known trust anchor and accept the certificate permanently - that doesn't make it better though as it adds to the problem of taxing users' focus and patience such that they learn they should [not really!] click OK automatically when you get a pop-up [presumably this is why sometimes the OK and CANCEL buttons are reversed - so you don't automatically approve formatting your harddrive when you click the wrong menu option]. _______________________________________________ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security