$90 for high assurance _versus_ $349 for low assurance

Amir Herzberg herzbea at macs.biu.ac.il
Wed Mar 16 05:18:15 EST 2005 

John, thanks for this fascinating report!

Conclusion? `Not all CAs/certs are created equal`... therefore we should 
NOT automatically trust the contents of every certificate whose CA 
appears in the `root CA` list of the browser. Instead, browsers should 
allow users to select which CAs they trust sufficiently to identify 
sites, and to _know_ which CA is identifying the (protected) site they use.

This is easy to do, and of course you can add this to your 
Mozilla/FireFox browser by installing our TrustBar (from 
http://TrustBar.mozdev.org).

Best, Amir Herzberg

John Levine wrote:
>>Does anyone have a view on what "low" and "high" means in this
>>context?  Indeed, what does "assurance" mean?
> 
> 
> Just last week I was trying to figure out what the difference was
> between a StarterSSL certificate for $35 (lists at $49 but you might
> as well sign up for the no-commitment reseller price) and a QuickSSL
> cert for $169.  If you look at the bits in the cert, they're nearly
> identical, both signed by Geotrust's root.
> 
> As far as the verification they do, QuickSSL sends an e-mail to the
> domain's contact address (WHOIS or one of the standard domain
> addresses like webmaster), and if someone clicks through the URL, it's
> verified.  StarterSSL even though it costs less has a previous
> telephone step where you give them a phone number, they call you, and
> you have to punch in a code they show you and then record your name.
> Score so far: QuickSSL 0.0000001, StarterSSL 0.00000015.
> 
> Both have various documents available with impressive certifications
> from well-paid accountants, none of which mean anything I can tell.
> Under some circumstances they might pay back some amount to someone
> defrauded by a spoofed cert, but if anyone's figured out how to take
> advantage of this, I'd be amazed.
> 
> Comodo, who sell an inferior variety of cert with a chained signature
> (inferior because less software supports it, not because it's any less
> secure) is slightly more demanding, although I stumped then with
> abuse.net which isn't incorporated, isn't a DBA, and isn't anything
> else other than me.  I invented some abuse.net stationery and faxed
> them a letter assuring that I was in fact me, which satisfied them.
> 
> Back when I had a cert from Thawte, they wanted DUNS numbers which I
> didn't have, not being incorporated nor doing enough business to get a
> business credit rating, so they were satisfied with a fax of my county
> business license, a document which, if I didn't have one, costs $25 to
> get a real one, or maybe 15 minutes in Photoshop to make a fake one
> good enough to fool a fax machine.  
> 
> I gather that the fancier certs do more intrusive checking, but I
> never heard of any that did anything that might make any actual
> difference, like getting business documents and then checking with the
> purported issuer to see if they were real or, perish forbid, visiting
> the nominal location of the business to see if anything is there.
> 
> So the short answer to what's the difference between a ten dollar cert
> and a $350 cert is:   $340.
> 
> Next question?
> 
> Regards,
> John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for Dummies",
> Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
> "I shook hands with Senators Dole and Inouye," said Tom, disarmingly.
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
> 
> .
> 

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list