I just have to add my two cents here :)

Users DO NOT care about "verifying identity" because they know what most of
us also know -- the "verification" process is bogus.

What they DO care about is that some third party can't easily snoop at their
financial or other data being submitted -- and hosting customers care about
not having some ugly window pop-up appear when a non-root-certified
certificate is used. Things like the "man in the middle" attack scenario are
simply not on users' radar (nor really, should they be -- they are extremely
rare).

We've not offered the Tucows sponsored certs because of the horror stories
appearing on the various posts on these lists (the multiple levels of
"verification", the delays in issuing, etc.) -- certs need to be as easy to
sell as domains, and until they are, there's not a chance that they'll be
all that lucrative a business.

I remember some time back that there was some discussion about Tucows itself
simply becoming an issuing CA -- and I would completely support that and
want to sell such a product provided that (in typical Tucows fashion :) ),
they cut through the BS in the CA business currently, and simply serve as an
authenticating root for what amounts to anonymous certs. Even if it means
the cert displays a bold message of "This certificate certifies that your
connection is 128bits SSL-encrypted SECURE, although we make no
representation regarding the identity or any other part of the transaction
you are about to engage in.".

I might also add, by doing that, we could all easily undercut the market --
even assuming infrastructure and software engineering costs, I doubt that
Tucows would have trouble making a mountain of cash selling the certs to us
at around $10 - $15 each, and we could easily resell for $20 to $30
each..... completely collapsing the price for competitors like Verisign. And
in fact, such a price collapse would effectively force the issue, because at
even $40 or $50 retail, there's no way that anyone could go through the Rube
Goldberg-like certificate-issuing process currently practised by existing
(most of them anyway) CAs. A self-fulfilling price war :)

Certs CAN be a good business for us, but not as currently offered via
OpenSRS. But change the economics and you have a heck of an interesting
opportunity :)

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of William X Walsh
> Sent: Tuesday, December 04, 2001 5:13 PM
> To: Darryl Green
> Cc: [EMAIL PROTECTED]
> Subject: Re: GeoTrust/QuickSSL and the meaning of Certs
>
>
> Tuesday, December 04, 2001, 1:29:24 PM, Darryl Green wrote:
>
> > I don't want to generate a huge discussion about the validity of the
> > browser recognition claims but I do find the 90%+ a little difficult to
> > swallow. I would however like to know if that's important to you or not.
>
> No, it's really not.
>
> > 2) More importantly I would like to discuss the meaning of SSL:
> > QuickSSL certificates do not verify identity. The fine print on the
> > QuickSSL certificate acknowledges that this is the case (Organizational
> > Unit not Validated -- or some such language appears)
>
> Sure they do, they verify it to the same standard that DOMAIN
> REGISTRARS like Tucows do for transfers of domains.  If this standard
> is ok for domain transfers, then it should be ok for SSL Certs.  Once
> the domain has changed hands in a transfer, getting a cert for it
> would be easy.  There is no inherent benefit of the other CAs'
> practices in this regard over GeoTrust's.
>
> > been speaking with a member of the WebTrust standards making body. He
> > (and assures me others on the body) are very disturbed by the QuickSSL
> > offering and (I quote) will work 'quickly and forcefully' to stop it.
> > This will be accomplished by insertion of minimum verification
> > requirements in the WebTrust Standard.
>
> I bet they are.  This presents a serious threat to the "old style" way
> of doing things, and threatens to turn the entire SSL Cert market on
> its head.  I bet they want to stop it.
>
> I say screw 'em.
>
> > Their concern (and my concern too) is that the industry has been working
> > to explain the meaning of web certificates and that little lock in the
> > browser to the public.
>
> They are trying to make it mean more than what the concerns take it to
> mean, and that is plain BS.
>
> > A big portion of that message is that end-user identity is
> > established. QuickSSL is offering a new type of lock that does not
> > certify identity.
>
> Bollocks.  The identity is verified to the same standard required by
> domain registrars.
>
>
> --
> Best regards,
> William X Walsh <[EMAIL PROTECTED]>
> --
> Webcertificates.info
> SSL Certificates for resellers from $49ea
>
>
