Message-ID: <3E4851FD.9B5F2943@mindspring.com>
Date: Mon, 10 Feb 2003 17:29:33 -0800
From: Terry Lambert
To: clemens fischer
Cc: Josef Karthauser, freebsd-hackers@FreeBSD.ORG
Subject: Re: Anyone where to get a signed SSL certificate cheap?
References: <20030205181724.GB87471@genius.tao.org.uk> <3E416AFA.85AF4F28@mindspring.com> <4r7cw75q.fsf@ID-23066.news.dfncis.de>

clemens fischer wrote:
> Terry Lambert:
> > Note that many people have older browsers: the older the browser,
> > the smaller the number of signing authorities they will recognize
> > by default.  Keep this in mind when picking browsers to examine.
> >
> > As a general comment, VeriSign does this as well, and tends to get
> > the signing authority to either raise their price, or, if they will
> > not, buys them, and raises their price.  Certificate signing is fast
> > becoming a monopoly.
>
> these seem to be two reasons for making up one's own root-CA.  if
> people are likely to have to import it anyway, why not give them your
> own one?

People will not "import it anyway".  They will google for another
website that sells the same thing, and go there instead.  They're
(effectively) told by the browser that "I think someone is maybe
trying to hack you!".

> also, this monopoly isn't based on something the monopolies
> really have to themselves.

"The ability to sell certificates which are recognized by the
browser, without it telling them ``This merchant is trying to
hack you''"?

> the only true reason to buy a certificate might be the $$ needed to
> insure or guarantee them before a court of law in case of liability.

No, the reason to buy a cert is to avoid a scary popup message or
series of popup messages, which negatively influence a user's buy
decision.

For the most part, that's the reason for using SSL at all, since it
is statistically very unlikely that a "bad guy" is listening to your
transaction at the exact time you submit a request.  In fact, it's
*so* unlikely, that you are more likely to have your credit card
number stolen and used by a service person at your local
restaurant... but they don't have big, scary popups that happen
as you are entering the restaurant.

-- Terry