>John, thanks for this fascinating report!
>Conclusion? `Not all CAs/certs are created equal`... therefore we
>should NOT automatically trust the contents of every certificate
>whose CA appears in the `root CA` list of the browser.
Although some certs make more intrusive checks, it all strikes me
John, thanks for this fascinating report!
Conclusion? `Not all CAs/certs are created equal`... therefore we should
NOT automatically trust the contents of every certificate whose CA
appears in the `root CA` list of the browser. Instead, browsers should
allow users to select which CAs they trust
On Tue, Mar 15, 2005 at 11:04:59AM -0500, Victor Duchovni wrote:
> On Wed, Mar 16, 2005 at 02:23:49AM +1300, Peter Gutmann wrote:
> > Certainly with UIXC it's not worth anything.
>
> What is UIXC?
lemme guess: universal & indiscriminate cross certification
oh wait, peter did define it: "implicit
On Wed, Mar 16, 2005 at 02:23:49AM +1300, Peter Gutmann wrote:
> Certainly with UIXC it's not worth anything.
>
What is UIXC?
--
/"\ ASCII RIBBON NOTICE: If received in error,
\ / CAMPAIGN Victor Duchovni please destroy and notify
X AGAINST IT Security, sen
Ian G <[EMAIL PROTECTED]> writes:
>Or is this merely a distinction in adspace only? Just a way to separate more
>dollars from Alice?
It's a distinction in adspace only, in the same way that you're expected to
think that a $200 DVD player from Sony Corp is better than a $40 player from Foo
Yuk Corp
Ian G <[EMAIL PROTECTED]> writes:
>In the below, John posted a handy dandy table of cert prices, and Nelson
>postulated that we need to separate high assurance from low assurance.
>Leaving aside the technical question of how the user gets to see that for
>now, note how godaddy charges $90 for thei
>Does anyone have a view on what "low" and "high" means in this
>context? Indeed, what does "assurance" mean?
Just last week I was trying to figure out what the difference was
between a StarterSSL certificate for $35 (lists at $49 but you might
as well sign up for the no-commitment reseller price
At 9:24 PM + 3/11/05, Ian G wrote:
>Does anyone have a view on what "low" and "high" means in this
>context? Indeed, what does "assurance" mean?
:-)
By what market price, of course.
Verisign is more well known to the average schmuck than godaddy is, and,
apparently, the average schmuck fork
In the below, John posted a handy dandy table of cert prices, and
Nelson postulated that we need to separate high assurance from low
assurance. Leaving aside the technical question of how the user
gets to see that for now, note how godaddy charges $90 for their
high assurance and Verisign charges