> After the Verisign acquisition of Thawte, there remain few signing
> authorities who will perform services for a reasonable fee.
>
> Maybe the OpenSSL group should launch a new not-for-profit application
> verification and certificate signing service? We'd be happy to donate
> lines and equipment.
That's also my initial impulse, but it's such a tricky business. For a
certificate to be meaningful, the CA should be a well-established,
well-recognized, audited, solid enterprise. I suspect it could be done
for a far more reasonable fee than even Thawte was charging, but not
by an ad-hoc group of loosely-associated contributors. On the other
hand, considering how Linux is being developed, maybe that's wrong.
This whole matter is filled with irony, not the least of which is that
obtaining a certificate from Verisign, in my view, does very little to
confirm the trustworthiness of the holder, but it makes such a world of
difference to clients who see the little key in the corner of their
browser window. I find it aggravating, as I suppose do others on this
list.
I predict that the public will gradually gain the sophistication to
understand these matters better, and the established CAs will see their
strangleholds slip away. But this will be a long time coming, so
I'm not selling my Verisign stock yet!
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]