I'm familiar w/ D&B. I used to work w/ them often for verifying business
loans etc. I'm not clueless in business just because I think a company is
taking advantage of their lil cartel. Even if they do use D&B to verify
companies before issuing certificates it sure as hell doesn't cost
anywhere near $350. Also that leaves me wondering about new businesses
that aren't yet firm enough to be known by the likes of D&B. I saw a lot
of businesses starting up trying to buy computers from me that couldn't
because they didn't exist to D&B.
I've been online since 1990. Not as long as some but longer than
most. I'll admit my knowledge of SSL is probably not as much as yours but
I probably know far more about other technical areas that I'm more
specialized in.
The people that ask me pay me so I want to know exactly the benefits to
paying $350 for a task that seems quite unimpressive to me.
I can do anything I feel like. The world is easier to change than you give
it credit for. The Net is young and easy to influence.
We've bought certificates from Verisign before but given we're increasing
the servers we need certificates for it's important to find out as much as
I can. Perhaps I put it into too simple or cynical of words for you but
that is often the easiest way to get direct answers.
*shrugs* Hope that clarifies my eight-year-old behavior enough for
everyone. I shall strive to avoid flamewars now. Anyone who'd like to
flame please send it directly to me. :)
*^*^*^*
Have the courage to take your own thoughts seriously, for they will shape
you. -- Albert Einstein
On Thu, 7 Dec 2000, Dave Paris wrote:
> If an eight-year-old were to look at the whole thing and write your
> reply, then yes .. what you've written would probably be accurate - just
> missing other fun phrases like "dooty-head", "cooties", etc.
>
> D&B aren't a bunch of rank amateurs when it comes to checking the
> legitimacy of a business. As for "who decided that X was really
> trustable", it was people who are
>
> a) most likely on the net wayyy before you. (pre-web)
> a) probably more knowledgeable than you (have you tried out-marketing MS
> recently?[1]),
> b) definitely uninterested in asking you,
> c) backed with more corporate $$$ than you, more-than-likely
> and
> d) well, you're stuck with it. they're doing a passable job and you
> can't change it anyway. (despite all the whining I've heard about
> verisign, I've yet to experience even one delay in getting a cert using
> their online toolset - however I won't discount these other stories, so
> verisign gets nothing above "passable")
>
> You can either dance with an elephant or get run over by him. Your
> choice, choose wisely.
>
> Yes, I hate it that VeriSign bought Thawte. It sucks. It ruins
> competition. I've dealt with both and I preferred Thawte, despite their
> *massive* client cert expiration fustercluck with IE two years ago. Oh
> well, the bus is leaving the station and I still have to get on to
> another town. If you're walking, I'll see you there after awhile.
>
> regards,
> --dsp
>
> NOTES
> [1] I don't purchase their software, I don't like their tactics, and
> I'll subvert them any chance I get, but you'll *never*, *ever* see
> anyone with two brain cells try to out-market them, including me.
> They've got metric f**ktons of $$$ and have an utter mastery of
> marketing tactics. You go around something like that, not head-to-head.
>
>
> Michael wrote:
> >
> > So the main protection is that company x charges a fee large enough to
> > company y in order to prove company y is a real company and not high school
> > students trying to rip off users. Of course there is no proof that being
> > able to afford a certificate really makes you any more qualified than small
> > business z and who decided company x was really trustable. All company x
> > has proven is that they grasp the concept of this security model well
> > enough to pretty much blackmail company x, company z, etc into paying
> > out the arse for their 30 seconds of work.
> >
> > Maybe is a bit cynical but is that the gist of how it works?
> >
> > *^*^*^*
> > Have the courage to take your own thoughts seriously, for they will shape
> > you. -- Albert Einstein
> >
> > On Wed, 6 Dec 2000, Dave Paris wrote:
> >
> > > While I can appreciate the "why do we have to pay these mooks?!"
> > > attitude, the reasoning is rather more straightforward.
> > >
> > > It seems those making the silly** (imho) arguments have forgotten the
> > > entire reason for a "trusted third party" (in this case, the CA). User
> > > U heads over to site S and wishes to conduct a transaction, except U has
> > > never dealt with S, nor does U have the time to do background checks on
> > > S to significantly reduce the risk that S may actually be a fraudulent
> > > front end for a questionable organization. Note that I'm not saying
> > > this completely mitigates the risk, as it certainly does not. However
> > > it does go quite some ways to reducing the risk.
> > >
> > > This same notion is at the heart of many types of cryptographic
> > > protocols and key escrow (ick) systems.
> > >
> > > I do completely agree that much over $50 for a certificate is a bit
> > > bonkers (please, someone tell me that 90% of the process isn't
> > > completely automated .. I really need to laugh). However, until a
> > > majority of cert purchasers really understand *how* and *what* trusted
> > > third parties work, the current price is liable to be with us.
> [...]
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>