Jacob Coby wrote:
> > On the other hand, surely there is someone who isn't
> > committing highway robbery to provide certificates.
>
> It's a chicken and the egg sort of problem. You have to use a CA that is in
> your users' browsers to avoid warnings from popping up, and all of the CA
> certs that come with browsers charge outrageous fees. There are a couple of
> places that can sign certificates on the cheap, but you have to import their
> certificate into your browser.

The (US) Federal Govt needs a method of authentication that will survive a
nuclear war and the method we're using (Verisign) has a single point of failure.
As well, Verisign doesn't have to renew your certificate if it doesn't want to,
putting you out of business.

The US Govt's scheme is like the PGP web of trust where there are many root
authorities and if any root authority becomes invalid (loses their private
key, gets knocked out in a nuclear war), the system continues to work.

Quite how the rest of us get into this scheme I don't know.

Joe
--
Joseph Mack PhD, High Performance Computing & Scientific Visualization
SAIC, Supporting the EPA Research Triangle Park, NC 919-541-0007
Federal Contact - John B. Smith 919-541-1087 - smith.johnb@xxxxxxx