I agree - if your bargain-basement $15 site CA gets hacked and delisted, just buy another cert from the next in line for $20 and install it on your server. Problem solved. Your only cost is replacing your cert between when the problem is announced and, hopefully, before the delisting kicks in. I bet people are thinking this is a rare enough event, even yet, to not worry about the risk if there is only a tiny chance of a few minutes of blacklisting.
Anyone with a sizeable business, any moderate number of employees and a few certs won't worry about $15 vs $100 that the larger CAs may charge anyway, and may opt for the marginal professionalism feel from a more well-known CA at that cost. Either way you're still at the same risk of MITM whichever CA you use, as was said. Btw, massive kudos to the Comodo hacker if his 'sploits are accurately bragged; a favor he did the SSL/PKI community indeed. There were multiple files posted as trophies, so I presume people have verified.

Adam

On Thu, Sep 08, 2011 at 08:16:07PM +0200, Ralph Holz wrote:
> However, what I meant is that the blog entry ignores the fact that as long as there is a weakest link in the root store, protection of your domain certification is exactly as strong as that weakest link. Sure, you can go to VeriSign to get a certificate, but it won't help you if DigiNotar is hacked afterwards and certificates for your domain issued. I am no good at predicting customer behaviour, but why should customers opt for the more expensive solution then?
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
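The weakest-link point Ralph makes above, and the "delist the bad CA" remedy Adam describes, can both be made concrete in a small model. The following is an added example, not code from either poster or from any real TLS stack: it models a browser-style root store that trusts every listed root equally, a constructed "Compromised CA" that has issued a rogue certificate for example.com even though the site owner bought its certificate elsewhere, and a pin-based check that only accepts chains carrying a known public-key hash. Certificate names, SPKI bytes and the root store contents are all constructed placeholders, and signature verification is deliberately omitted so the model stays self-contained.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, no signatures)."""
    subject: str
    issuer: str
    spki: bytes  # SubjectPublicKeyInfo bytes; placeholder values below


def spki_sha256(cert: Cert) -> str:
    """Hex SHA-256 of the certificate's public key, the usual pinning target."""
    return hashlib.sha256(cert.spki).hexdigest()


# Constructed root store: a browser trusts each of these roots equally, which is
# exactly why a site's protection is only as strong as the weakest one.
ROOT_STORE: Set[str] = {"GoodRoot CA", "Bargain CA", "Compromised CA"}


def chain_links_up(chain: List[Cert]) -> bool:
    """Each certificate must name the next one in the chain as its issuer."""
    return all(child.issuer == parent.subject for child, parent in zip(chain, chain[1:]))


def root_store_trusts(chain: List[Cert], root_store: Iterable[str] = ROOT_STORE) -> bool:
    """Browser-style trust decision: accept a well-formed chain whose top
    certificate was issued by any root in the store, regardless of which CA
    the site owner actually chose."""
    if not chain or not chain_links_up(chain):
        return False
    return chain[-1].issuer in set(root_store)


def pinned_trusts(chain: List[Cert], pins: Set[str],
                  root_store: Iterable[str] = ROOT_STORE) -> bool:
    """Pinning on top of ordinary validation: the chain must also contain a
    certificate whose SPKI hash is in the site's pin set, so a certificate
    from an unrelated (possibly compromised) root is rejected."""
    return root_store_trusts(chain, root_store) and any(
        spki_sha256(cert) in pins for cert in chain
    )


# Constructed chains. The legitimate one was bought from GoodRoot CA; the rogue
# one was issued for the same hostname by Compromised CA without the owner's
# involvement.
LEGIT_CHAIN = [
    Cert("example.com", "GoodRoot CA", b"constructed-spki-example-legit"),
    Cert("GoodRoot CA", "GoodRoot CA", b"constructed-spki-goodroot"),
]
ROGUE_CHAIN = [
    Cert("example.com", "Compromised CA", b"constructed-spki-attacker-key"),
    Cert("Compromised CA", "Compromised CA", b"constructed-spki-compromised"),
]

# The site owner pins the key of the root they actually bought from.
SITE_PINS: Set[str] = {spki_sha256(LEGIT_CHAIN[1])}


def weakest_link_demo() -> dict:
    """Return the four trust decisions that illustrate the thread's argument."""
    delisted_store = ROOT_STORE - {"Compromised CA"}  # after the CA is removed
    return {
        "browser_accepts_legit": root_store_trusts(LEGIT_CHAIN),
        "browser_accepts_rogue": root_store_trusts(ROGUE_CHAIN),
        "browser_accepts_rogue_after_delisting": root_store_trusts(ROGUE_CHAIN, delisted_store),
        "pinned_accepts_legit": pinned_trusts(LEGIT_CHAIN, SITE_PINS),
        "pinned_accepts_rogue": pinned_trusts(ROGUE_CHAIN, SITE_PINS),
    }


if __name__ == "__main__":
    for name, decision in weakest_link_demo().items():
        print(f"{name}: {decision}")
```

Run as a script, the output shows the browser-style verifier accepting both chains until the compromised root is delisted, while the pin-based check rejects the rogue chain from the start; the delisting window Adam describes is the period between the first and third results. In practice the pin set should carry a backup key so that a legitimate re-issuance (the $20 replacement cert) does not lock clients out.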
