It looks to me as though everyone is upset about having to pay ridiculously
high prices for signed server certificates, and rightfully so; it's
borderline extortion.  The logical thing to do, it would seem to me, would be
to start an association or coalition of online e-commerce users against the
monopolization of one of the key factors that affects how we get our bread &
butter.  Now I would agree $325 (or whatever VeriSign charges) isn't
necessarily anything to go riot about; however, it's bound to get worse
before it gets better.


>From: Randy Lee <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: Re: Why pay a CA?
>Date: Thu, 07 Dec 2000 07:20:55 -0600
>
>They basically don't check a whole lot. Anyone with some incorporation
>papers, letterhead and a phone can basically get this. D&B isn't any
>better at it; you just need to be there for a little longer time than
>this week. Creating a false front would be significantly easier than say
>getting a false SS number or that sort of credentials.
>
>From an actual security point of view, the information that is given
>them for this sort of thing proves nothing except that you are willing
>to go further to get what you want (but not much further).
>
>No, the thing of this is that they have good marketing. Thawte gives
>exactly the same level of security (from S. Africa, no less!) at half
>the price, but they don't have the market recognition and therefore
>don't give people Warm Fuzzies who note who the cert is from. Marketing
>is everything in this country to the Unwashed Masses. Just look at Bud
>Lite.
>
>rjl
>
>"R. DuFresne" wrote:
> >
> > I'd like to know, what is actually checked to make sure a biz on the net
> > is legit?  Are folks looking at bank accounts?  Are they looking at credit
> > history?  What is D&B actually checking?  Cause I know for a fact a few,
> > at least of the folks doing biz out here are doing it out of a basement or
> > kid's old bedroom that has a fax, a pc, and a phone, and many of em are
> > starting with near about zilch to begin with for cashflow.
> >
> > Thanks,
> >
> > Ron DuFresne
> >
> > On Thu, 7 Dec 2000, Dave Paris wrote:
> >
> > > If an eight-year-old were to look at the whole thing and write your
> > > reply, then yes .. what you've written would probably be accurate - just
> > > missing other fun phrases like "dooty-head", "cooties", etc.
> > >
> > > D&B aren't a bunch of rank amateurs when it comes to checking the
> > > legitimacy of a business.  As for "who decided that X was really
> > > trustable", it was people who are
> > >
> > > a) most likely on the net wayyy before you. (pre-web)
> > > a) probably more knowledgeable than you (have you tried out-marketing MS
> > > recently?[1]),
> > > b) definitely uninterested in asking you,
> > > c) backed with more corporate $$$ than you, more-than-likely
> > > and
> > > d) well, you're stuck with it. they're doing a passable job and you
> > > can't change it anyway. (despite all the whining  I've heard about
> > > verisign, I've yet to experience even one delay in getting a cert using
> > > their online toolset - however I won't discount these other stories, so
> > > verisign gets nothing above "passable")
> > >
> > > You can either dance with an elephant or get run over by him.  Your
> > > choice, choose wisely.
> > >
> > > Yes, I hate it that VeriSign bought Thawte.  It sucks.  It ruins
> > > competition.  I've dealt with both and I preferred Thawte, despite their
> > > *massive* client cert expiration fustercluck with IE two years ago. Oh
> > > well, the bus is leaving the station and I still have to get on to
> > > another town.  If you're walking, I'll see you there after awhile.
> > >
> > > regards,
> > > --dsp
> > >
> > > NOTES
> > > [1] I don't purchase their software, I don't like their tactics, and
> > > I'll subvert them any chance I get, but you'll *never*, *ever* see
> > > anyone with two brain cells try to out-market them, including me.
> > > They've got metric f**ktons of $$$ and have an utter mastery of
> > > marketing tactics.  You go around something like that, not head-to-head.
> > >
> > >
> > > Michael wrote:
> > > >
> > > > So the main protection is that company x charges a fee large enough to
> > > > company y in order to prove company y is a real company and not highschool
> > > > students trying to rip off users. of course there is no proof that being
> > > > able to afford a certificate really makes you anymore qualified than small
> > > > business z and who decided company x was really trustable. all company x
> > > > has proven is that they grasp the concept of this security model well
> > > > enough to pretty much blackmail company x, company z, etc into paying
> > > > out the arse for their 30 seconds of work.
> > > >
> > > > Maybe is a bit cynical but is that the gist of how it works?
> > > >
> > > > *^*^*^*
> > > > Have the courage to take your own thoughts seriously, for they will shape
> > > > you. -- Albert Einstein
> > > >
> > > > On Wed, 6 Dec 2000, Dave Paris wrote:
> > > >
> > > > > While I can appreciate the "why do we have to pay these mooks?!"
> > > > > attitude, the reasoning is rather more straightforward.
> > > > >
> > > > > It seems those making the silly** (imho) arguments have forgotten the
> > > > > entire reason for a "trusted third party" (in this case, the CA).  User
> > > > > U heads over to site S and wishes to conduct a transaction, except U has
> > > > > never dealt with S, nor does U have the time to do background checks on
> > > > > S to significantly reduce the risk that S may actually be a fraudulent
> > > > > front end for a questionable organization.  Note that I'm not saying
> > > > > this completely mitigates the risk, as it certainly does not.  However
> > > > > it does go quite some ways to reducing the risk.
> > > > >
> > > > > This same notion is at the heart of many types of cryptographic
> > > > > protocols and key escrow (ick) systems.
> > > > >
> > > > > I do completely agree that much over $50 for a certificate is a bit
> > > > > bonkers (please, someone tell me that 90% of the process isn't
> > > > > completely automated .. I really need to laugh).  However, until a
> > > > > majority of cert purchasers really understand *how* and *what* trusted
> > > > > third parties work, the current price is liable to be with us.
> > > [...]
> > > ______________________________________________________________________
> > > Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> > > User Support Mailing List                      [EMAIL PROTECTED]
> > > Automated List Manager                            [EMAIL PROTECTED]
> > >
> >
> > --
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >         admin & senior consultant:  darkstar.sysinfo.com
> >                   http://darkstar.sysinfo.com
> >
> > "Cutting the space budget really restores my faith in humanity.  It
> > eliminates dreams, goals, and ideals and lets us get straight to the
> > business of hate, debauchery, and self-annihilation."
> >                 -- Johnny Hart
> >
> > testing, only testing, and damn good at it too!
> >
