> Just this morning a sales rep from an Entrust partner which I won't name
> almost convinced me that Thawte's SSL certs @U$125 were *only* 40 bit!
> Imagine explaining this to someone that is new to the Internet as a whole
> (yes, lots of companies still are).

    Well, I may have misunderstood your point here, but they _are_ only 40
bit if you are using an export browser (afaik, all versions of IE shipped
with Windows are export-grade. You need to upgrade them to be domestic-grade
and many people don't do this).  Of course if you have a domestic browser you
can run 128 bit encryption with a '40 bit' cert.  The more expensive 'Super'
or 'Global' SGC certs allow newer export-grade browsers to use 128-bit
encryption as well as domestic versions. I have personally had a lot of
problems with these since older browsers often die when using them. You may
have meant that, but I just wanted to make sure. :-)

> Bottom line I think to make Tucows an option for RSPs this should be clear.
> I even had a situation where a customer checked a certificate on the WWW
> (not his), it was Equifax's. And guess what, he only sees a tree with
> Equifax CA under Thawte's.
>
> And to those saying Entrust and Equifax are not Thawte vendors, please visit:
> http://www.thawte.com/certs/chained/vendors.html
>
> With the prices they get:
> http://www.thawte.com/certs/chained/pricing.html
>
> ... it's easy to see how they can build a business around it (and I
> celebrate that), however I was under the impression that this meant all
> certs came from 1 place.

    I think that a lot of people have this misconception. I am no expert,
but it seems that many people think that security certificates are analogous
to domain names in the way that they are sold and handled. For example: I
register a domain name through a Tucows RSP, who then registers it through
OpenSRS, who then registers it through NSI. In this way, everyone, right up
to NSI, is aware of who I am and that I have purchased a domain name.
    This, again, afaik, is not the way security certificates work. If I buy
a certificate from Entrust, they sign it with their CA certificate to make
it valid. Their CA certificate has been signed by Thawte so that older
browsers (which don't have Entrust's CA cert built into them) will recognize
it. For this 'service', Entrust pays Thawte a per-cert/per-year fee (much
like a software royalty). I do not believe that when I buy a certificate
from Entrust, that Entrust then has to go to Thawte and say "Can I have a
certificate for Matt?". If that were the case, you would not see Entrust's
CA cert anywhere in the cert chain.
    Thawte negotiated with the software developers making early browser
versions to have their CA cert embedded. Thawte is only able to make a
business out of signing other companies' CA certs because of this early
negotiation. If you or I had been around years ago when SSL was catching on
and paid Netscape and MS a bunch of money to include our certificate in
their software, we too could do the same thing since our CA cert would be
included in all of the popular browsers from the ground up.
    As time goes on and people are using IE v9 and Netscape v8 and no one
uses any of the older browsers, Entrust won't need to pay Thawte when they
issue certs because their CA cert will be recognized by the browsers by
default.
    If I'm wrong in my thinking here, I would love to be corrected. So don't
be shy about doing so. :-)

- Matt
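
The chained-CA arrangement described in the message above can be reproduced with the `openssl` command line. This is an added example, not part of the original message: the CA names, keys and host name are constructed stand-ins (no real Thawte or Entrust material), and it assumes `openssl` is installed.

```shell
#!/bin/sh
# Added example: every name, key and certificate here is constructed for the demo.
set -eu

build_chain() {  # $1 = scratch directory
  d=$1
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' 'CN = unused' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' 'subjectKeyIdentifier = hash' \
    '[v3_leaf]' 'basicConstraints = CA:FALSE' 'authorityKeyIdentifier = keyid' > "$d/cfg"
  # Old root: embedded in every browser, including the oldest ones.
  openssl req -config "$d/cfg" -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
    -subj '/CN=Constructed Old Root' -days 30 \
    -keyout "$d/old.key" -out "$d/old_root.pem" 2>/dev/null
  # Newer CA: one key pair, two certificates with the same subject.
  openssl req -config "$d/cfg" -new -newkey rsa:2048 -nodes \
    -subj '/CN=Constructed New CA' -keyout "$d/new.key" -out "$d/new.csr" 2>/dev/null
  #  (a) self-signed, as built into newer browsers
  openssl req -config "$d/cfg" -x509 -new -extensions v3_ca -key "$d/new.key" \
    -subj '/CN=Constructed New CA' -days 30 -out "$d/new_self.pem" 2>/dev/null
  #  (b) chained: the same public key, signed by the old root
  openssl x509 -req -in "$d/new.csr" -CA "$d/old_root.pem" -CAkey "$d/old.key" \
    -set_serial 2 -extfile "$d/cfg" -extensions v3_ca -days 30 \
    -out "$d/new_chained.pem" 2>/dev/null
  # Site certificate: signed with the new CA's own key; the old root takes no part.
  openssl req -config "$d/cfg" -new -newkey rsa:2048 -nodes \
    -subj '/CN=www.example.test' -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/new_chained.pem" -CAkey "$d/new.key" \
    -set_serial 3 -extfile "$d/cfg" -extensions v3_leaf -days 30 \
    -out "$d/leaf.pem" 2>/dev/null
}

# $1 = scratch dir, $2 = browser trust store, $3 = CA cert sent by the server (optional)
verdict() {
  if openssl verify -CAfile "$2" ${3:+-untrusted "$3"} "$1/leaf.pem" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

work=$(mktemp -d)
build_chain "$work"
echo "old browser, chained CA cert sent: $(verdict "$work" "$work/old_root.pem" "$work/new_chained.pem")"
echo "new browser, new CA built in:      $(verdict "$work" "$work/new_self.pem")"
echo "old browser, no CA cert sent:      $(verdict "$work" "$work/old_root.pem")"
```

The site certificate is the same file in all three checks; only the browser's trust store and the CA certificate presented alongside it change.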
