-------- Original Message --------
Subject: Re: $90 for high assurance _versus_ $349 for low assurance
Date: 13 Mar 2005 22:33:56 -0000
From: John Levine <[EMAIL PROTECTED]>
Organization: I.E.C.C., Trumansburg NY USA
To: cryptography@metzdowd.com
CC: [EMAIL PROTECTED]

>Does anyone have a view on what "low" and "high" means in this
>context? Indeed, what does "assurance" mean?
Just last week I was trying to figure out what the difference was between a StarterSSL certificate for $35 (lists at $49 but you might as well sign up for the no-commitment reseller price) and a QuickSSL cert for $169. If you look at the bits in the cert, they're nearly identical, both signed by Geotrust's root.
As far as the verification they do, QuickSSL sends an e-mail to the domain's contact address (WHOIS or one of the standard domain addresses like webmaster), and if someone clicks through the URL, it's verified. StarterSSL even though it costs less has a previous telephone step where you give them a phone number, they call you, and you have to punch in a code they show you and then record your name. Score so far: QuickSSL 0.0000001, StarterSSL 0.00000015.
Both have various documents available with impressive certifications from well-paid accountants, none of which mean anything I can tell. Under some circumstances they might pay back some amount to someone defrauded by a spoofed cert, but if anyone's figured out how to take advantage of this, I'd be amazed.
Comodo, who sell an inferior variety of cert with a chained signature (inferior because less software supports it, not because it's any less secure), is slightly more demanding, although I stumped them with abuse.net, which isn't incorporated, isn't a DBA, and isn't anything else other than me. I invented some abuse.net stationery and faxed them a letter assuring that I was in fact me, which satisfied them.
Back when I had a cert from Thawte, they wanted DUNS numbers which I didn't have, not being incorporated nor doing enough business to get a business credit rating, so they were satisfied with a fax of my county business license, a document which, if I didn't have one, costs $25 to get a real one, or maybe 15 minutes in Photoshop to make a fake one good enough to fool a fax machine.
I gather that the fancier certs do more intrusive checking, but I never heard of any that did anything that might make any actual difference, like getting business documents and then checking with the purported issuer to see if they were real or, perish forbid, visiting the nominal location of the business to see if anything is there.
So the short answer to what's the difference between a ten dollar cert and a $350 cert is: $340.
Next question?
Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"I shook hands with Senators Dole and Inouye," said Tom, disarmingly.
-------- Original Message --------
Subject: Re: $90 for high assurance _versus_ $349 for low assurance
Date: Sun, 13 Mar 2005 19:15:13 -0500
From: R.A. Hettinga <[EMAIL PROTECTED]>
To: Ian G <[EMAIL PROTECTED]>, cryptography@metzdowd.com
CC: John Gilmore <[EMAIL PROTECTED]>, mozilla-security@mozilla.org
References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>

At 9:24 PM +0000 3/11/05, Ian G wrote:
>Does anyone have a view on what "low" and "high" means in this
>context? Indeed, what does "assurance" mean?
:-)
By what market price, of course.
Verisign is more well known to the average schmuck than godaddy is, and, apparently, the average schmuck forks over the ducats accordingly.
The fact that they're currently fungible commodities, ungraded ones at that, only makes the pricing outcome more, um, interesting, if, for the moment, okay, not predictable, :-), but, what, apprehendable by common sense, at least in 20-20 ex post facto hindsight?
Cheers,
RAH
--
-----------------
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security