I looked closely into purchasing a cert from Thawte and it is still
something WE'll have to do. What strikes me though is that it seems to me
that there is no real value in such a thing.
I can for instance incorporate a company and shell out about $200 and get
my cert. After that everyone trusts me. Total cost is oh about $500 or
so if I do the incorporation myself. This is pretty trivial actually.
I could be in jail for FRAUD and still get a cert.
So it seems to me that while the cert may certify that said organization
is who they say they are - nobody seems to ask if who they say they are
has any relevance to anything.
In fact - I'll bet I can go down to our local government offices in Canada
and register Ajax Web Contractors and then send a cert request on to
Thawte and since Ajax now exists and is legitimately registered as say a
"sole proprietorship" - the cert will be issued.
Last time I registered a "sole proprietorship" it cost me $5.00 and I
don't recall them asking for ID.
The problem of course is that a chain is only as strong as its weakest
link and the threads that bind cert security together appear really
tenuous to me.
=================
That having been said - we have a very practical problem on our hands.
Microsoft saw fit to include a very LIMITED number of cert issuing
authorities in IE and the majority of people use IE. IMHO there IS no
security in a windows system anyway and precious little in the fact that
somebody issued said cert to said fly-by-night ecommerce organization.
Still - people want to see the little key-lock on and certain commercial
interests know this and are busy purchasing the key players in the
interest of milking cyberspace - with I might add - little concern as to
the INTENT of a certification process.
I therefore see no moral reasons why we just don't go into IE and patch a
few files to introduce a few new players.
I suspect there will be a moral outcry over such a suggestion but the
other alternative seems to be for each of us who has an e-commerce
interest - to quietly hand over to some wealthy American interests a
ransom for the privilege of doing e-commerce.
Or to put it another way - I do business and I deal with my bank for
instance. I trust my bank... and I would be quite happy if my bank
issued a cert for me to use that authenticates that my company is a good
corporate citizen and in good standing with the bank at least. A cert
from my bank would mean something. A cert from Thawte does not and
neither does a cert from Verisign. Since my bank for instance would be
considered probably by the vast majority of customers to be a far more
reliable measure of e-commerce trustworthiness, why should my bank be
forced into the situation of having to fork over hundreds of thousands or
even millions for literally NOTHING... if it wants to issue a cert?
This is a ransom fee and little more.
=================
I think it is quite germane to us who develop the keys that enable
internet commerce and security to look at the broader issue of who
controls and profits from the technology we develop.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]