At 10:28 PM 12/30/00 -0800, you wrote:
>The only difference between purchasing a certificate and issuing your own
>certificate is that when I come across your web site and I see your "snake
>oil" certificate, how do I know you're not some 'fly by night' web site
>trying to steal my credit card number or use any 'confidential' information
>I submit to you for your own personal gain?
Hi Ray,
I had to respond to this one - what, for heavens sake, would prevent me
from opening a sham corporation, purchasing a cert, and making away with
YOUR credit card number? NOTHING! Having a certificate from a commercial
authority does nothing except prevent the user from seeing the 'Do you
trust this site?' dialog.
The ONLY way to trust the person to whom you are giving your credit card is
to trust the business being represented. Do you give your credit card
number to porn sites?? What makes them any better than one of your 'snake
oil' sites? The fact that they purchased their certificate from a
commercial company says NOTHING about the business they are representing.
>Second, the 'snake oil'
>certificate doesn't accurately identify your company name. Therefore, where
>will I go for information on your company? There won't be any "snake oil"
>company listed with any US online database of Incorporated Companies, there
>won't be any "snake oil" company listed with any state's "Better Business
>Bureau".
Nope. When you create a certificate, you supply the organization name *and*
location (city/state or eq). If you do not provide one, that's your
choice, but if you complete the cert properly, the company name and
location are included. Yes, purchasing a commercial cert would *require* a
ON (I have not tried to create a cert with a blank name, but I *think* you
can), .. but to what advantage? What user cares? What user even LOOKS at
the organization name?
The bottom line is a commercial cert only prevents the user from getting the
'Do you trust this site' dialog, .. it does nothing to validate the
business represented. The user, and *only* the user, is responsible for
that validation and trust.
Certainly, a naive user might trust a site more if it does not put up the
'Do you trust this site' dialog, .. but is that trust properly placed? If a
user gives his/her credit card number to any site on the internet just
because the lock symbol is present on their browser he/she has a much
BIGGER problem dealing with ecommerce in general than one a certificate is
capable of solving!
I, for one, *use* 'snake oil' certificates because I wish to *remind* the
user that they must trust the issuer of the certificate (displayed in the
dialog box), .. paying $125 (or even $400) a year is not the proper way to
earn that trust.
I guess that makes 6 cents!
Lee
============================================
Leland V. Lammert [EMAIL PROTECTED]
Chief Scientist Omnitec Corporation
Network/Internet Consultants www.omnitec.net
============================================
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
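
Added example, not part of the original message or of the OpenSSL project: a self-signed certificate created with the openssl command line carries whatever organization and location its creator types in, names itself as issuer, fails verification against the default CA store, and verifies once the user chooses to trust that exact certificate. The organization, city and host name are constructed values.

```sh
# Added example; organization, city and host name are constructed values.
SUBJ='/C=US/ST=Missouri/L=Example City/O=Example Widgets Inc/CN=www.example.test'

# Create a throwaway key and a self-signed certificate in directory $1.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "$SUBJ" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Print the subject or issuer DN ($2) of certificate $1, one RDN per line.
dn() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 |
        sed "s/^$2= *//" | tr ',' '\n'
}

# Print the organization (O) that the certificate's creator supplied.
org_name() { dn "$1" subject | sed -n 's/^O=//p'; }

# Self-issued: subject and issuer are the same name, so nobody else vouches for it.
is_self_issued() { [ "$(dn "$1" subject)" = "$(dn "$1" issuer)" ]; }

# Does the certificate verify against the system's default CA store?
trusted_by_default() { openssl verify "$1" >/dev/null 2>&1; }

# Does it verify once the user explicitly trusts this exact certificate?
trusted_if_accepted() { openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; }

WORK=$(mktemp -d)
make_self_signed "$WORK"
echo "organization: $(org_name "$WORK/cert.pem")"
is_self_issued "$WORK/cert.pem" && echo "issuer equals subject"
trusted_by_default "$WORK/cert.pem" || echo "not trusted by the default CA store"
trusted_if_accepted "$WORK/cert.pem" && echo "verifies once the user accepts it"
```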