Nelson B wrote:
Ian Grigg wrote:

Duane wrote:

Nelson Bolyard wrote:


Let us suppose for this discussion that, within the next 90 days,
cacert.org gets into the trusted certs list, and consequently,
(If I understand what cacert.org is offering) you can then get a
legitimate SSL server cert from a trusted CA for free.

Why then would you continue to want or need to issue your own
server certs?


Cost. The CACerts that are above and are free
are only costless in terms of dollars sent to
Duane. There is still the cost of setting up
the server.


Which is DWARFED by the cost of setting up the clients!


I think you are referring here to the user's cost
of accepting a new self-signed cert when it first
appears, and requiring the user to click through
the wizard to accept it.  (Alternatively, you may
be referring to the cost of adding the root into
the clients.)

In general, I've seen new certs for SSL servers
run from several days of emails and waiting around
(Verisign renewal) down to 30 mins (a GeoTrust cert
done immediately after a prior one, sold by a good
friend, with hard net payment, and coordinated on
the phone as well as email...).

In managerial terms, it's quite a nuisance, and if
I was paying city dollars, I'd insist on GeoTrust
for quickness alone, as at standard programming
costs, 30 mins is about $50.  Several days can be
up to thousands of dollars in internal costs, not
to mention issues like how hard the due diligence
is (collecting up paper work etc).

From a techie point of view, adding the cert into
the right file seems trivial.  But, with CACert, if
the cost in dollars goes to zero, we still have to
find and smooth up to 3 other trusted players.

So, we can I hope agree that there are *some* costs
associated with getting a CA-signed cert, even a
CACert one.  For this, if each user has to go through
10-60 seconds of pain to accept a self-signed cert,
I can see that self-signed certs are definitely going
to be valuable up to (e.g.) 100 or so users.

Only if you are like a serious merchant with dozens
of clients a day, and taking hundreds of thousands
of dollars would you be financially interested in
getting a CA-signed cert, just to save your users
from the time wasted in clicking through the wizard.


What the server should do is start
up and generate its own self-signed cert on
install time, so it's up and running straight
away.  That's free to the server operator, or,
it's indistinguishable in cost to the installation
of SSL server in the first place.


You set up the server once.  If you set it up with a cert
that is already recognized by the client, the client setup cost
to use that server is zero.  If you set the server up with a
self-signed cert, every client must be setup to use it.
That absolutely dwarfs the few extra seconds required at the
time the server is setup.


Sometimes only, depending on how many clients and how
long each of those costs are.  There is still a big gap
in there where self-signed certs are more efficient
than a zero-dollar third party cert.


I'm not sure it is easy to graft WoT onto
SSL. For a start, X.509 doesn't support
multiple sigs on the certs.


I *think* Duane's model is that he will issue a cert when some
number of PGP signatures have appeared on a PGP key on some PGP
server.  Duane, please correct that if that statement is mistaken.


Got it, thanks.  I can see how this works.  I'm not
so sure it will cause a flood of certs though, as
getting three people to sign your application isn't
so easy.  The PGP WoT is powerful in concept, but the
reality hasn't really sizzled in terms of numbers,
IMHO (and, I'm a great supporter of it all).  Still,
a great choice, methinks.

iang
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
