They basically don't check a whole lot. Anyone with some incorporation
papers, letter head and a phone can basically get this. D&B isn't any
better at it; you just need to be there for a little longer time than
this week. Creating a false front would be significantly easier than say
getting a false SS number or that sort of credentials.
From an actual security point of view, the information that is given
them for this sort of thing proves nothing except that you are willing
to go further to get what you want (but not much further).
No, the thing of this is that they have good marketing. Thawte gives
exactly the same level of security (from S. Africa, no less!) at half
the price, but they don't have the market recognition and therefore
don't give people Warm Fuzzies who note who the cert is from. Marketing
is everything in this country to the Unwashed Masses. Just look at Bud
Lite.
rjl
"R. DuFresne" wrote:
>
> I'd like to know, what is actually checked to make sure a biz on the net
> is legit? Are folks looking at bank accounts? Are they looking at credit
> history? What is D&B actually checking? Cause I know for a fact a few,
> at least of the folks doing biz out here are doing it out of a basement or
> kids old bedroom that has a fax, a pc, and a phone, and many of em are
> starting with near about zilch to begin with for cashflow.
>
> Thanks,
>
> Ron DuFresne
>
> On Thu, 7 Dec 2000, Dave Paris wrote:
>
> > If an eight-year-old were to look at the whole thing and write your
> > reply, then yes .. what you've written would probably be accurate - just
> > missing other fun phrases like "dooty-head", "cooties", etc.
> >
> > D&B aren't a bunch of rank amateurs when it comes to checking the
> > legitimacy of a business. As for "who decided that X was really
> > trustable", it was people who are
> >
> > a) most likely on the net wayyy before you. (pre-web)
> > a) probably more knowledgeable than you (have you tried out-marketing MS
> > recently?[1]),
> > b) definitely uninterested in asking you,
> > c) backed with more corporate $$$ than you, more-than-likely
> > and
> > d) well, you're stuck with it. they're doing a passable job and you
> > can't change it anyway. (despite all the whining I've heard about
> > verisign, I've yet to experience even one delay in getting a cert using
> > their online toolset - however I won't discount these other stories, so
> > verisign gets nothing above "passable")
> >
> > You can either dance with an elephant or get run over by him. Your
> > choice, choose wisely.
> >
> > Yes, I hate it that VeriSign bought Thawte. It sucks. It ruins
> > competition. I've dealt with both and I preferred Thawte, despite their
> > *massive* client cert expiration fustercluck with IE two years ago. Oh
> > well, the bus is leaving the station and I still have to get on to
> > another town. If you're walking, I'll see you there after awhile.
> >
> > regards,
> > --dsp
> >
> > NOTES
> > [1] I don't purchase their software, I don't like their tactics, and
> > I'll subvert them any chance I get, but you'll *never*, *ever* see
> > anyone with two brain cells try to out-market them, including me.
> > They've got metric f**ktons of $$$ and have an utter mastery of
> > marketing tactics. You go around something like that, not head-to-head.
> >
> >
> > Michael wrote:
> > >
> > > So the main protection is that company x charges a fee large enough to
> > > company y in order to prove company y is a real company and not highschool
> > > students trying to rip off users. of course there is no proof that being
> > > able to afford a certificate really makes you anymore qualified than small
> > > business z and who decided company x was really trustable. all company x
> > > has proven is that they grasp the concept of this security model well
> > > enough to pretty much blackmail company x, company z, etc into paying
> > > out the arse for their 30 seconds of work.
> > >
> > > Maybe is a bit cynical but is that the gist of how it works?
> > >
> > > *^*^*^*
> > > Have the courage to take your own thoughts seriously, for they will shape
> > > you. -- Albert Einstein
> > >
> > > On Wed, 6 Dec 2000, Dave Paris wrote:
> > >
> > > > While I can appreciate the "why do we have to pay these mooks?!"
> > > > attitude, the reasoning is rather more straightforward.
> > > >
> > > > It seems those making the silly** (imho) arguments have forgotten the
> > > > entire reason for a "trusted third party" (in this case, the CA). User
> > > > U heads over to site S and wishes to conduct a transaction, except U has
> > > > never dealt with S, nor does U have the time to do background checks on
> > > > S to significantly reduce the risk that S may actually be a fraudulent
> > > > front end for a questionable organization. Note that I'm not saying
> > > > this completely mitigates the risk, as it certainly does not. However
> > > > it does go quite some ways to reducing the risk.
> > > >
> > > > This same notion is at the heart of many types of cryptographic
> > > > protocols and key escrow (ick) systems.
> > > >
> > > > I do completely agree that much over $50 for a certificate is a bit
> > > > bonkers (please, someone tell me that 90% of the process isn't
> > > > completely automated .. I really need to laugh). However, until a
> > > > majority of cert purchasers really understand *how* and *what* trusted
> > > > third parties work, the current price is liable to be with us.
> > [...]
> > ______________________________________________________________________
> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > User Support Mailing List [EMAIL PROTECTED]
> > Automated List Manager [EMAIL PROTECTED]
> >
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> admin & senior consultant: darkstar.sysinfo.com
> http://darkstar.sysinfo.com
>
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation."
> -- Johnny Hart
>
> testing, only testing, and damn good at it too!
>