$90 for high assurance _versus_ $349 for low assurance

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Mar 15 02:46:15 EST 2005


Ian G <iang at systemics.com> writes:

>In the below, John posted a handy dandy table of cert prices, and Nelson
>postulated that we need to separate high assurance from low assurance.
>Leaving aside the technical question of how the user gets to see that for
>now, note how godaddy charges $90 for their high assurance and Verisign
>charges $349 for their low assurance.
>
>Does anyone have a view on what "low" and "high" means in this context?

Given the universal implicit cross-certification model used in browsers,
mailers, etc etc, the only things that "Low" and "High" apply to are price,
not assurance.

(UIXC means that all certs are implicitly trusted equally, which is the same
as having all CAs cross-certify all other CAs.  The effect of either
implicitly or explicitly doing this is that all CAs are only as secure as the
least secure CA, and the only certificate that it makes any sense to buy is
the cheapest one).

>Indeed, what does "assurance" mean?

You are assured that your credit card will be charged before the certificate
is issued.

Peter.
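
[Added example, not part of the original message and not code from its author: a toy Python model of the implicit cross-certification point made above, where the relying party's check returns the same verdict for any root in its store. The CA names, keys, hostname and "rigor" scores are constructed, HMAC stands in for a real signature, and only the two prices come from the thread.]

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class CA:
    name: str    # hypothetical CA name
    key: bytes   # toy signing key; HMAC stands in for a real signature
    price: int   # USD; 90 and 349 are the two prices quoted in the thread
    rigor: int   # constructed score for how carefully the CA vets applicants

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    tag: bytes

def issue(ca, subject):
    tag = hmac.new(ca.key, subject.encode(), hashlib.sha256).digest()
    return Cert(subject, ca.name, tag)

def validate(cert, hostname, trust_store):
    """Relying-party check under UIXC: any trusted root may vouch for any name."""
    ca = trust_store.get(cert.issuer)
    if ca is None or cert.subject != hostname:
        return False
    expected = hmac.new(ca.key, cert.subject.encode(), hashlib.sha256).digest()
    # Nothing here consults ca.price or ca.rigor: the verdict is a bare yes/no.
    return hmac.compare_digest(expected, cert.tag)

def effective_rigor(trust_store):
    """Assurance the relying party actually gets: that of the least rigorous root."""
    return min(ca.rigor for ca in trust_store.values())

def rational_purchase(trust_store):
    """All certs validate identically, so the only differentiator left is price."""
    return min(trust_store.values(), key=lambda ca: ca.price).name

# Constructed trust store: three hypothetical roots shipped side by side.
TRUST_STORE = {ca.name: ca for ca in (
    CA("ExpensiveCA", b"k1", 349, 3),
    CA("CheapCA", b"k2", 90, 7),
    CA("LaxCA", b"k3", 120, 1),
)}

if __name__ == "__main__":
    for root in TRUST_STORE.values():
        cert = issue(root, "shop.example")
        print(root.name, validate(cert, "shop.example", TRUST_STORE))
    print(effective_rigor(TRUST_STORE), rational_purchase(TRUST_STORE))
```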

---------------------------------------------------------------------
The Cryptography Mailing List