why are CAs charging so much for certs anyway? (Re: End of the line for Ireland's dotcom star)

Damian Gerow dgerow at afflictions.org
Thu Sep 25 01:16:28 EDT 2003


On Wed, 24 Sep 2003 15:33:56 -0700, thus spake Adam Back
<adam at cypherspace.org>:
: You'd have thought there would be plenty of scope for certs to be sold
: for a couple of $ / year.  Eg. by one of the registrars bundling a
: cert with your domain registration.  I mean if someone can provide DNS
: service for $10 or less / year (and lower for some tlds) which
: requires servers to answer queries etc., surely they can send you a
: few more bits (all they have to do is make sure they send the cert to
: the person who they register the domain for).

Perceived worth.  CDs are cheaper to manufacture than cassette tapes,
but you'll pay more, because 'the audio quality is better'.  Welcome to
Capitalism.

: From what I heard Mark Shuttleworth (of Thawte) got his cert in the
: browser DBs for free just for the asking by being in the right place
: at the right time.  So once you have that charging > $100 for a few
: seconds of CPU time to sign a cert is a license to print money.
: 
: With all the .com crashes you'd think the price of a root cert ought
: to be pretty low by now.

Adding on to the lists below...

There's a fair bit more work than just randomly signing a certificate. 
At the very least, the issuing CA has to (/should) verify that the
contact requesting the certificate is a valid contact for the hostname
being requested, and that the domain is even /allowed/ to have
certificates (I'm thinking cryptography export laws, but I may be
wrong).

That being said, <http://www.openca.org/> gives them away for free. 
They're currently pushing to have their root certificate included within
Mozilla; I'm not sure if it will ever happen within IE (but they provide
it for the end user to download).

I have heard good things about their service, and I personally use them
to generate my certificates (the price is right).  Dunno about the
supposed security of their signed certificates vs. those signed by
Verisign/Geotrust/FreeSSL/whomever.