Re: $90 for high assurance _versus_ $349 for low assurance

2005-03-20 Thread Ng Pheng Siong
On Tue, Mar 15, 2005 at 11:04:59AM -0500, Victor Duchovni wrote: On Wed, Mar 16, 2005 at 02:23:49AM +1300, Peter Gutmann wrote: Certainly with UIXC it's not worth anything. What is UIXC? lemme guess: universal indiscriminate cross certification oh wait, peter did define it: implicit not

Re: $90 for high assurance _versus_ $349 for low assurance

2005-03-20 Thread Amir Herzberg
John, thanks for this fascinating report! Conclusion? `Not all CAs/certs are created equal`... therefore we should NOT automatically trust the contents of every certificate whose CA appears in the `root CA` list of the browser. Instead, browsers should allow users to select which CAs they trust

Re: $90 for high assurance _versus_ $349 for low assurance

2005-03-15 Thread R.A. Hettinga
At 9:24 PM + 3/11/05, Ian G wrote: Does anyone have a view on what low and high means in this context? Indeed, what does assurance mean? :-) By what market price, of course. Verisign is more well known to the average schmuck than godaddy is, and, apparently, the average schmuck forks over

Re: $90 for high assurance _versus_ $349 for low assurance

2005-03-15 Thread John Levine
Does anyone have a view on what low and high means in this context? Indeed, what does assurance mean? Just last week I was trying to figure out what the difference was between a StarterSSL certificate for $35 (lists at $49 but you might as well sign up for the no-commitment reseller price) and a

Re: $90 for high assurance _versus_ $349 for low assurance

2005-03-15 Thread Victor Duchovni
On Wed, Mar 16, 2005 at 02:23:49AM +1300, Peter Gutmann wrote: Certainly with UIXC it's not worth anything. What is UIXC? -- /\ ASCII RIBBON NOTICE: If received in error, \ / CAMPAIGN Victor Duchovni please destroy and notify X AGAINST IT Security,

$90 for high assurance _versus_ $349 for low assurance

2005-03-13 Thread Ian G
In the below, John posted a handy dandy table of cert prices, and Nelson postulated that we need to separate high assurance from low assurance. Leaving aside the technical question of how the user gets to see that for now, note how godaddy charges $90 for their high assurance and Verisign charges