What would you be looking for in the checking of these companies?
Internet trading - both domestic and internationally - is still seen by the
public at large (Don't you just love 'em) as being *Very Difficult* because
of this idea of Trust and the perceived lack (Currently) of any
comprehensive validated framework for this.
The company that I work for is putting together the next big thing for
International Trade incorporating a trust service (Patent applied for)
alongside the trading process that we are putting together. The whole ethos
of our trading exchange is that trust is not something that can be granted
by one person or entity and that everyone then follows blindly into
trusting a company. Trust is a personal feeling that is built up through
experience and feedback, and is not something that can be forced upon you.
Therefore we give a system of endorsements against data fields that we have
collected, what we refer to as the FOCUS profile.
When I was looking for the best way to secure the transactions on the server
I decided that it was best to go for a cert provided by Thawte to keep our
corporate image good. I didn't want the company to go for a self-signed
certificate because it basically looks bad to go into a secured site and
find that it is not "Trustworthy".
Having a CA validated cert on your HTTPS connection does not give Trust. It
only gives the user the knowledge that the CA has confidence that you meet
their criteria for gaining their endorsement, which is granted in the
signing of your generated cert. This implies that you are trustworthy, but
only if the user agrees with the criteria that the CA sets and has a degree
of trust (Personally) in the CA. The same goes for any third party,
both technologically based and business based.
IMHO A Third Party should have no ongoing commercial interest in giving out
their endorsement, except to cover their costs and to make a profit (If they
are a profit making entity). A Trusted Third Party is an entity that you
have a trust in because of their criteria (See above).
In answer to the original question: Why pay for the cert?
It is not a question that the IT department should decide on. It is a
corporate branding issue and therefore should be the domain of the Marketing
people (I use the word people loosely <GRIN>).
Rob Halls
Networks Administrator
extu Limited
www.extu.com
NB
Please do not flame me. I only put the stuff on about our site to
clarify the Trust issue brought up by R. DuFresne (below).
If you do look at our site (Shameless plug) please remember that it is in
Pilot phase and a great deal still needs to be done to get the rest of the
functionality onboard.
RJH
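As an added example (mine, not from the thread, nor extu's or Thawte's code) of what a CA-validated cert mechanically gives the other side: a signature that a verifier honours only if the signing CA is already in its own trust store, which is exactly the "only if the user trusts the CA" point above. It uses the openssl command line; the CA name, hostname and file paths are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds a throwaway root CA,
# has a site produce a CSR, lets the CA endorse it by signing, and then checks
# which certs `openssl verify` accepts. Every name and path here is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_pki() {
  # The "trusted third party": a self-signed root CA key and certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Constructed Root CA" 2>/dev/null
  # Site S generates its own key pair and a certificate signing request;
  # the CA never sees the private key.
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/site.key" -out "$WORK/site.csr" \
    -subj "/CN=www.example.test" 2>/dev/null
  # The CA's endorsement: it signs the CSR with its own key.
  openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/site.crt" 2>/dev/null
  # The alternative the thread discusses: S signs its own cert with the
  # same key, so there is no third-party endorsement at all.
  openssl req -x509 -key "$WORK/site.key" -days 1 \
    -out "$WORK/selfsigned.crt" -subj "/CN=www.example.test" 2>/dev/null
}

# Returns 0 only if the cert ($1) chains to a CA the verifier trusts ($2).
verifies_against() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_pki
# Accepted: the CA-signed cert, when that CA is in the trust store.
verifies_against "$WORK/site.crt" "$WORK/ca.crt" && echo "site.crt: trusted via CA"
# Rejected: the self-signed cert, since nobody the verifier trusts endorsed it.
verifies_against "$WORK/selfsigned.crt" "$WORK/ca.crt" || echo "selfsigned.crt: not trusted"
# Rejected: even the CA-signed cert, if the verifier does not trust that CA.
verifies_against "$WORK/site.crt" "$WORK/selfsigned.crt" || echo "site.crt: CA not trusted here"
```

The third check is the one the thread circles around: the cert is only as good as the user's decision to trust the CA that signed it.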
-----Original Message-----
From: R. DuFresne [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 07, 2000 6:22 AM
To: [EMAIL PROTECTED]
Subject: Re: Why pay a CA?
I'd like to know, what is actually checked to make sure a biz on the net
is legit? Are folks looking at bank accounts? Are they looking at credit
history? What is D&B actually checking? 'Cause I know for a fact a few,
at least, of the folks doing biz out here are doing it out of a basement or
kid's old bedroom that has a fax, a pc, and a phone, and many of 'em are
starting with near about zilch to begin with for cashflow.
Thanks,
Ron DuFresne
On Thu, 7 Dec 2000, Dave Paris wrote:
> If an eight-year-old were to look at the whole thing and write your
> reply, then yes .. what you've written would probably be accurate - just
> missing other fun phrases like "dooty-head", "cooties", etc.
>
> D&B aren't a bunch of rank amateurs when it comes to checking the
> legitimacy of a business. As for "who decided that X was really
> trustable", it was people who are
>
> a) most likely on the net wayyy before you. (pre-web)
> b) probably more knowledgeable than you (have you tried out-marketing MS
> recently?[1]),
> c) definitely uninterested in asking you,
> d) backed with more corporate $$$ than you, more-than-likely
> and
> e) well, you're stuck with it. they're doing a passable job and you
> can't change it anyway. (despite all the whining I've heard about
> verisign, I've yet to experience even one delay in getting a cert using
> their online toolset - however I won't discount these other stories, so
> verisign gets nothing above "passable")
>
> You can either dance with an elephant or get run over by him. Your
> choice, choose wisely.
>
> Yes, I hate it that VeriSign bought Thawte. It sucks. It ruins
> competition. I've dealt with both and I preferred Thawte, despite their
> *massive* client cert expiration fustercluck with IE two years ago. Oh
> well, the bus is leaving the station and I still have to get on to
> another town. If you're walking, I'll see you there after awhile.
>
> regards,
> --dsp
>
> NOTES
> [1] I don't purchase their software, I don't like their tactics, and
> I'll subvert them any chance I get, but you'll *never*, *ever* see
> anyone with two brain cells try to out-market them, including me.
> They've got metric f**ktons of $$$ and have an utter mastery of
> marketing tactics. You go around something like that, not head-to-head.
>
>
> Michael wrote:
> >
> > So the main protection is that company x charges a fee large enough to
> > company y in order to prove company y is a real company and not
> > highschool students trying to rip off users. of course there is no proof
> > that being able to afford a certificate really makes you any more
> > qualified than small business z and who decided company x was really
> > trustable. all company x has proven is that they grasp the concept of
> > this security model well enough to pretty much blackmail company x,
> > company z, etc into paying out the arse for their 30 seconds of work.
> >
> > Maybe it is a bit cynical but is that the gist of how it works?
> >
> > *^*^*^*
> > Have the courage to take your own thoughts seriously, for they will
> > shape you. -- Albert Einstein
> >
> > On Wed, 6 Dec 2000, Dave Paris wrote:
> >
> > > While I can appreciate the "why do we have to pay these mooks?!"
> > > attitude, the reasoning is rather more straightforward.
> > >
> > > It seems those making the silly** (imho) arguments have forgotten the
> > > entire reason for a "trusted third party" (in this case, the CA). User
> > > U heads over to site S and wishes to conduct a transaction, except U has
> > > never dealt with S, nor does U have the time to do background checks on
> > > S to significantly reduce the risk that S may actually be a fraudulent
> > > front end for a questionable organization. Note that I'm not saying
> > > this completely mitigates the risk, as it certainly does not. However
> > > it does go quite some ways to reducing the risk.
> > >
> > > This same notion is at the heart of many types of cryptographic
> > > protocols and key escrow (ick) systems.
> > >
> > > I do completely agree that much over $50 for a certificate is a bit
> > > bonkers (please, someone tell me that 90% of the process isn't
> > > completely automated .. I really need to laugh). However, until a
> > > majority of cert purchasers really understand *how* and *what* trusted
> > > third parties work, the current price is liable to be with us.
> [...]
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!