On Wed, Jul 22, 2009 at 02:43:10PM +0200, Boyle Owen wrote:
> It's worth remembering what a certificate is for; it is a document,
> undersigned by a third-party, that confirms that you are who you say you
> are. The third-party certificate signing authority is putting their
> reputation on the line and has a moral (even a legal) obligation to be
> certain you are bona fide.

Hear, hear. It's about time there was some general awareness of what a
certificate *means*.

> A certificate is not some random obstacle that makes SSL websites pesky
> to set up - it is an essential security feature that protects web-users
> from fraud. So, of course it should cost you (as e-commerce operator)
> money and effort.

I want to second this, with a caveat. I don't see that a certificate
"should" cost any particular sum. I do see that one reason for a
good-quality certificate to cost so much is that it costs the issuer
nearly that much to investigate your claim of identity. Some
certificates don't cost very much because the assurance they actually
represent is not worth very much. And a few of your customers *do* read
cert. issuers' Certification Practice Statements.

That said, the most expensive gold-plated cert. you can buy may not be
worth much more, in your application, than one you could get for half as
much. If it were my business I'd go for the midrange with a company I
already know something about.

You might want to talk to your lawyer about your duty of care in
protecting your customers' transactions, too. He may have specific
advice on what you need to look for to get a reasonable balance between
cost and protection.

-- 
Mark H. Wood, Lead System Programmer   mwood@xxxxxxxxx
Friends don't let friends publish revisable-form documents.