Hi !

I agree with your answer, but the main problem is that users are not informed
about what the "lock symbol" is; they think the "transaction" is secured and
not that the "client/server transaction" is secured. The big problem in France is
the translation of the 'Do you trust this site' dialog. The English
translation of the French sentence is something like "Do not trust the
certificate editor or - more like perhaps - the certificate editor is unknown"
(IE5).
So it's very difficult to ask for the credit card number if the user cannot
trust (because IE 5 told them so) the "certificate editor".

So we have no choice: we have to buy a "trusted" certificate ... A very good
market for certificate sellers .... isn't it?

What is very funny is that people think credit card numbers are
encrypted/secured because of the lock symbol, but often the credit card number
is sent to a CGI that sends it to a "normal" mailbox and/or BCCs/forwards it to
several mailboxes/users over the net !!!

So what would be useful for end users is not a "trusted" certificate but a
"trusted" e-commerce system.

(excuse me for my bad English ...)

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On behalf of Leland V. Lammert
Sent: Tuesday 2 January 2001 17:56
To: [EMAIL PROTECTED]
Subject: RE: Certs: where to get them?


At 10:28 PM 12/30/00 -0800, you wrote:
>The only difference between purchasing a certificate and issuing your own
>certificate is that when I come across your web site and I see your "snake
>oil" certificate, how do I know you're not some 'fly by night' web site
>trying to steal my credit card number or use any 'confidential' information
>I submit to you for your own personal gain?

Hi Ray,

I had to respond to this one - what, for heaven's sake, would prevent me
from opening a sham corporation, purchasing a cert, and making away with
YOUR credit card number? NOTHING! Having a certificate from a commercial
authority does nothing except prevent the user from seeing the 'Do you
trust this site?' dialog.

The ONLY way to trust the person to whom you are giving your credit card is
to trust the business being represented. Do you give your credit card
number to porn sites?? What makes them any better than one of your 'snake
oil' sites? The fact that they purchased their certificate from a
commercial company says NOTHING about the business they are representing.

>Second, the 'snake oil'
>certificate doesn't accurately identify your company name. Therefore, where
>will I go for information on your company? There won't be any "snake oil"
>company listed with any US online database of Incorporated Companies, there
>won't be any "snake oil" company listed with any state's "Better Business
>Bureau".

Nope. When you create a certificate, you supply the organization name *and*
location (city/state or eq). If you do not provide one, that's your
choice, but if you complete the cert properly, the company name and
location are included. Yes, purchasing a commercial cert would *require* an
ON (I have not tried to create a cert with a blank name, but I *think* you
can), .. but to what advantage? What user cares? What user even LOOKS at
the organization name?

The bottom line is a commercial cert only prevents the user from getting the
'Do you trust this site' dialog, .. it does nothing to validate the
business represented. The user, and *only* the user, is responsible for
that validation and trust.

Certainly, a naive user might trust a site more if it does not put up the
'Do you trust this site' dialog, .. but is that trust properly placed? If a
user gives his/her credit card number to any site on the internet just
because the lock symbol is present on their browser he/she has a much
BIGGER problem dealing with ecommerce in general than one a certificate is
capable of solving!

I, for one, *use* 'snake oil' certificates because I wish to *remind* the
user that they must trust the issuer of the certificate (displayed in the
dialog box), .. paying $125 (or even $400) a year is not the proper way to
earn that trust.

I guess that makes 6 cents!

         Lee
============================================
    Leland V. Lammert                                [EMAIL PROTECTED]
       Chief Scientist                         Omnitec Corporation
   Network/Internet Consultants              www.omnitec.net
============================================
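The self-signed ("snake oil") certificate Lee describes, as an added example that is not part of this thread: the Organization and Locality he says a properly completed cert carries are present in the subject, the issuer equals the subject, and `openssl verify` rejects the cert until the user explicitly adds that issuer as a trust anchor, which is what the browser's trust dialog is asking them to decide. Assumes the openssl command-line tool is on PATH; all names and values are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI is on PATH.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/cert.pem"

# Self-signed ("snake oil") cert with O and L filled in; values are constructed.
make_snakeoil_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/key.pem" -out "$CERT" \
        -subj "/C=US/ST=MO/L=St. Louis/O=Example Corp/CN=www.example.test" \
        >/dev/null 2>&1
}

# The Organization field a user would see in the certificate dialog.
cert_org() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,lname \
        | sed -n 's/^ *organizationName=//p'
}

# Issuer == subject: the cert vouches only for itself, nobody else does.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# Chain check against the default trust store: fails for a self-signed cert,
# which is the condition that makes the browser show its trust dialog.
verify_default() {
    openssl verify "$1" >/dev/null 2>&1
}

# Same check after the user explicitly trusts the issuer ($2 as trust anchor).
verify_with_trust() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_snakeoil_cert
echo "Organization: $(cert_org "$CERT")"
is_self_signed "$CERT" && echo "issuer == subject: self-signed"
verify_default "$CERT" && echo "default store: trusted" || echo "default store: NOT trusted"
verify_with_trust "$CERT" "$CERT" && echo "with issuer trusted: verified"
```

The last two lines are the whole argument of the thread in two commands: the same certificate is rejected or accepted depending only on whether the user chose to trust its issuer, and nothing in that decision tells them anything about the business behind the site.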

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
