Re: why are CAs charging so much for certs anyway? (Re: End of the line for Ireland's dotcom star)

2003-09-25 Thread Damian Gerow
On Wed, 24 Sep 2003 15:33:56 -0700, thus spake Adam Back
: You'd have thought there would be plenty of scope for certs to be sold
: for a couple of $ / year.  Eg. by one of the registrars bundling a
: cert with your domain registration.  I mean if someone can provide DNS
: service for $10 or less / year (and lower for some tlds) which
: requires servers to answer queries etc., surely they can send you a
: few more bits (all they have to do is make sure they send the cert to
: the person who they register the domain for).

Perceived worth.  CDs are cheaper to manufacture than cassette tapes,
but you'll pay more, because 'the audio quality is better'.  Welcome to

: From what I heard Mark Shuttleworth (of Thawte) got his cert in the
: browser DBs for free just for the asking by being in the right place
: at the right time.  So once you have that charging $100 for a few
: seconds of CPU time to sign a cert is a license to print money.
: With all the .com crashes you'd think the price of a root cert ought
: to be pretty low by now.

Adding on to the lists below...

There's a fair bit more work than just randomly signing a certificate.
At the very least, the issuing CA has to (/should) verify that the
contact requesting the certificate is a valid contact for the hostname
being requested, and that the domain is even /allowed/ to have
certificates (I'm thinking cryptography export laws, but I may be

That being said, gives them away for free. 
They're currently pushing to have their root certificate included within
Mozilla; I'm not sure if it will ever happen within IE (but they provide
it for the end user to download).

I have heard good things about their service, and I personally use them
to generate my certificates (the price is right).  Dunno about the
supposed security of their signed certificates vs. those signed by


Re: fyi: bear/enforcer open-source TCPA project

2003-09-11 Thread Damian Gerow
Thus spake Rich Salz ([EMAIL PROTECTED]) [11/09/03 08:51]:
: : You propose to put a key into a physical device and give it
: : to the public, and expect that they will never recover
: : the key from it?  Seems unwise.
: You think the public can crack FIPS devices?  This is mass-market, not
: govt-level attackers.

And 'the public' doesn't include people like government level attackers?
People like cryptography experts?  People who like to play with things like

'The public' only includes the sheeple, and nobody else?

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]