So the main protection is that company x charges a fee large enough to
company y in order to prove company y is a real company and not high school
students trying to rip off users. Of course there is no proof that being
able to afford a certificate really makes you any more qualified than small
business z, and who decided company x was really trustable? All company x
has proven is that they grasp the concept of this security model well
enough to pretty much blackmail company x, company z, etc. into paying
out the arse for their 30 seconds of work.

Maybe that is a bit cynical, but is that the gist of how it works?

*^*^*^*
Have the courage to take your own thoughts seriously, for they will shape
you. -- Albert Einstein

On Wed, 6 Dec 2000, Dave Paris wrote:

> While I can appreciate the "why do we have to pay these mooks?!"
> attitude, the reasoning is rather more straightforward.
> 
> It seems those making the silly** (imho) arguments have forgotten the
> entire reason for a "trusted third party" (in this case, the CA).  User
> U heads over to site S and wishes to conduct a transaction, except U has
> never dealt with S, nor does U have the time to do background checks on
> S to significantly reduce the risk that S may actually be a fraudulent
> front end for a questionable organization.  Note that I'm not saying
> this completely mitigates the risk, as it certainly does not.  However
> it does go quite some ways to reducing the risk.
> 
> This same notion is at the heart of many types of cryptographic
> protocols and key escrow (ick) systems.
> 
> I do completely agree that much over $50 for a certificate is a bit
> bonkers (please, someone tell me that 90% of the process isn't
> completely automated .. I really need to laugh).  However, until a
> majority of cert purchasers really understand *how* and *what* trusted
> third parties work, the current price is liable to be with us.
> 
> regards,
> --dsp
> 
> Notes:
> ** James "I'm not a cynic" Moore's line:
> "A cynic might argue that CAs represent the sleaziest sort of
> pandering;  that it is designed to exploit the ignorance of the average
> consumer..."
> 
> [ok, so what do you think would happen to a large, publicly traded
> company if they failed to maintain their position as a trusted third
> party?  Can you say "class action lawsuits for very big $$$"? (along
> with a few other minor ditties)]
> 
> ** Lanny "we'll show 'em!" Baron's eloquent rambling:
> "Well the one reason we don't use a CA that m$ wants or netscape wants,
> is to show potential purchasers of our systems that the system is quite
> capable of running https as well as Apache for web hosting or for
> Intranet and Extranet."
> 
> [great business plan, way to win the confidence of a potential client. 
> "please give us your money *and* we'll shove our viewpoint down your
> throat."  sign me right up, I'll take two to go.]
> 
> ..and..
> "The problem remains that, people unfamiliar with Unix or CA's or
> Mod-SSL would most likely be scared to input their credit cards or other
> personal/financial data."
> 
> [whatever you're smoking, please share so the rest of us enjoy as well. 
> That sentence registers in negative integers on the makes_senseometer. 
> How many Amazon.com users care if that site runs off Unix or a banana
> running Apache, IIS, or a tricycle for a HTTPd?  They don't care, they
> shouldn't need to care, and they have no problems parting with $$$ (now,
> as for Amazon turning a profit .. well, that's not the user's problem
> :)]
> 
> 
> > On 6 Dec 2000, Owen Boyle wrote:
> > 
> > > Michael wrote:
> > > > Is there any reason to pay for Verisigned keys or does setting up our
> > > > company's own CA work equally well?
> > >
> > > Technically, a self-signed certificate will work perfectly well.
> > > However, the browser will "inform" the user that it doesn't recognise
> > > the authority that signed this certificate. If you use Verisign etc..
> > > the browser will already recognise them as a Certificate Authority and
> > > accept the certificate without a squeak.
> > >
> > > It depends what you want to use SSL for. If you want strangers to send
> > > you their private details, you'd be better off with a commercial
> > > certificate since they won't be frightened by the "warnings". However,
> > > if you are using SSL for a specific closed group of users, then use your
> > > own certificate and inform them about it...
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
> 
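As an added illustration of the thread's point (this is not code from the list or from mod_ssl), the script below plays both sides: a private CA that issues a server certificate, and two clients, one that trusts only public roots and one that belongs to the "closed group" and has been handed the CA certificate out of band. It assumes the openssl CLI (1.1.0 or later) on PATH; the CA name, hostname and file names are constructed for the demo.

```shell
#!/bin/sh
# Added demo, not code from the list or mod_ssl. Assumes the openssl CLI
# (1.1.0 or later) on PATH; CA name, hostname and file names are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: become our own CA. A "private CA" is nothing more than a
# self-signed root whose private key we keep to ourselves.
make_private_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2: issue the server certificate ourselves (the "30 seconds of work"
# a commercial CA charges for): make a key + CSR, sign the CSR with our CA.
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=intranet.example" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null &&
    openssl x509 -req -days 365 -sha256 -in "$WORK/srv.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/srv.crt" 2>/dev/null
}

# Client A: a browser that ships only public roots. Our CA is in none of
# them; -no-CAfile/-no-CApath also drop this machine's own store so the
# outcome is the same everywhere. Non-zero exit == the browser's warning.
verify_with_public_roots_only() {
    openssl verify -no-CAfile -no-CApath "$WORK/srv.crt" >/dev/null 2>&1
}

# Client B: a member of the closed group who was given ca.crt out of band
# and imported it. Exit 0 == accepted "without a squeak".
verify_with_private_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/srv.crt" >/dev/null 2>&1
}

# What to publish (on paper, by phone, in the onboarding pack) so the closed
# group can check that the ca.crt they received is really ours.
ca_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$WORK/ca.crt"
}

make_private_ca && issue_server_cert || exit 1
if verify_with_public_roots_only; then echo "accepted by public roots?!"
else echo "unknown CA: this is the browser warning"; fi
verify_with_private_ca && echo "CA imported: accepted without a squeak"
ca_fingerprint
```

The only thing the fee buys in this model is that the browser vendors already carry the commercial CA's root; for a closed group you carry your own root to them, and the fingerprint is how they check it arrived unaltered.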
