Eric Rescorla wrote:
...
> > The other thing to be aware of is that ecommerce itself
> > is being stinted badly by the server and browser limits.
> > There's little doubt that because servers and browsers
> > made poorly contrived decisions on certificates, they
> > increased the overall risks to the net by reducing the
> > deployment, and probably reduced the revenue flow for
> > certificate providers by a factor of 2-5.
> I doubt that. Do you have any data to support this claim?

Sure. SSH.

It's about take up models. HTTPS' model of take-up is almost deliberately designed to reduce take-up. It uses a double interlocking enforcement on purchase of a certificate. Because both the browser and server insist on the cert being correct and CA-signed and present, it places a barrier of size X in front of users.

Instead, if there were two barriers, each of half-X, being the setup of the SSL server (a properly set up browser would have no barrier to using crypto), and the upgrade to a CA-signed cert, then many more users would clear the hurdles, one after the other.

How high can you jump? When I was young we used to do this high jump thing, where we'd get up to 5 feet or so. I could never do 6 feet. I couldn't even do 4 feet these days, but, I could do any number of 3 feet jumps. I could probably even do a few 3 feet jumps these days.

(In that youth, we called them by feet. These days, a one metre jump looks more imposing...)

I'm curious. You really think that in order to sell certificates, the best thing is to make them hard to use? Is this a "quality" argument?

iang

---------------------------------------------------------------------
The Cryptography Mailing List