On Fri, February 3, 2006 9:54 am, Kevin McBride wrote: > All in all, be cautious in selecting a certification authority to > issue > you a certificate. Remember that it's sometimes better paying more > for > a certificate from a truly trustworthy CA. And in the real world, where browsers just blindly chase down CAs and the basic Security Model is "you pay us $200, and we make sure you are who you say you are, and then we trust you" what real difference does it make? There are certainly a zillion sites *I* do not trust that have high-priced CA-certified SSL certs... And Joe Sixpack and Betty Buick just look for the little lock symbol to be closed, and guage trustworthiness only on there being no popups warning them it's not secure, and that the site "looks" professional, and a "brand-name" on the logo/domain. So, why exactly would I pay for a $200 background check on myself, when I already trust myself? Why not pay $70 for an SSL with no background check on myself, so long as it makes Joe Sixpack and Betty Buick happy, if it's got 99% ubiquity? I'm often curious why exactly people think the SSL / CA system is so great, when it seems a whole lot like the Emporer's Clothes to me, or some kind of weird Ponzi scheme to line the pockets of a handful of companies, with very very very little added-value to the end user. YMMV IANAL -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
