Julien Pierre wrote:

Well, the more root CAs are trusted in general, the easier the attack becomes, and the more difficult it might become to detect.

Cost versus benefit situation, economic benefits that Ian loves to throw about... :)


OK, we increase the number of CAs, increasing the number of companies in the marketplace, and increased competition in a commodity market usually ends up with prices decreasing...

The situation is very similar to DNS, obviously the more registrars the more likelihood of a DNS hijacking, but I'm pretty sure it's decreased in recent years, and so has the price, from $70 for 2 yrs, to $6 or $7 per year...

On one side of the fence we have Verisign and Thawte at $900 and $200 respectively... Other end of the scale we have down to about $40 per year... Considering the crypto strengths are more or less the same, at the end of the day all it comes down to is a marketing exercise...

Back to Ian's comments on market value... if all you risk is $50 a year in credit card fees, $40 is well worth the money, $900 isn't... Purely common-sense, dollars and cents evaluation of the situation... On the other hand, how could you justify $40/year to protect usernames and passwords hitting a POP3 server? Answer: most don't/can't, so the end result is that passwords are sniffed and tried against a bank account where SSL didn't stop anything... As we all should be very aware, people do share passwords with multiple accounts; as bad as the practice is, I doubt you'd ever stop it. Crypto cards with PIN numbers is about as good as it'll get. But even this comes back to a dollars and cents equation: if you spend $100,000,000 on cards and devices to protect $1000 of losses a year from this threat, it's not money well spent...

In the above example a simple yet effective self-signed certificate to protect POP3 (at no cost to anyone) would have prevented $1000's in losses...

--
Best regards,
 Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
