Sarad AV wrote:
The first visit scenario is definitely an issue. that brings it to the other question - why cannot CA's issue certificates to sites say like 10 years or 20 years and get the corresponding money for that.
They can. There is the revocation issue (once a certificate passes its validity date, they no longer need to store a revocation for it if it was revoked; for one and two year certificates that is only one or two years, but if it were longer than that the CRL would be correspondingly larger. certificates can *specify* where the CRL is, giving a mechanism to assign a different URL to each year's offerings, but surprisingly, many of the older CAs don't use it and rely on the browser having hard-coded data for the CRL. I think it is more that most sites don't want to pay that sort of cash up front for their cert - with the current crop of EV certificates exceeding #400/year, a 10 year cert would be in excess of #4K, and a 20 year 9K or more. even with a discount, that's a *lot* of upfront cost for a business. Another factor is that prices for normal certificates have been steadily declining, year on year, for some time now - even given that money *now* is worth more than money this time next year, if the cert is going to be cheaper next year in absolute terms, you would be ill advised to to buy too many years up front at the higher price. EV is another good example of a factor; it didn't exist a few years ago, now it is a "must have" for big name sites. What will the next big thing be five years from now, and would it mean discarding your expensive 10 year certificate for the new and more secure "we really really check you are who you claim to be, this time, honest" Super EV that is then considered a requirement? Finally, will you still be called the same thing ten years from now? companies change, their branding (and corporate image) changes, they merge and split; you may not wish to have five more years as www.superwidget.com if you no longer make widgets, and your company name has changed to megagadget...
Most certificates issued by CA's usually have 2-3 years validity.
still a lot of one year certs out there - bigger sites may find the trouble of renewal on what is only a small difference in price an issue, and thus go with a longer certificate, but the default for most purchases is the One year cert. But regardless - the whole pricing structure of the CA market is commercial - certificates exist *only* to make money for commercial CAs; any actual security benefit is a side effect.
Incase of a significant mathematical breakthrough the CA should provide an alternate secure certifying mechanism if the breakthrough occurred within the service period (10/20 years). The question is why do popular https sites not go for certificates that expire in 10/20 years if it helps security?
Because it doesn't. the vast majority of browsers don't report a certificate that has changed since your last visit - because they don't keep a copy of the certificate to verify against. Those that do have been specifically modified for that purpose by their users - as is detailed in this thread, pretty much - and suffer from the first visit problem because there is no mechanism to say "if it is a cert I don't have, verify it against the CA, tell me which CA it is (and if that seems a sane choice) and then store a copy so next time I have my own standard to refer to". There is also no mechanism to chain from a trusted certificate that is due to expire (or already has) to a new, not yet verified one. But then, there is no commercial incentive for either of these features, as browsers are happy to support the commercial CA model, and certainly the commercial CAs don't want anyone to leave the hierarchical "CA as god" model.
Another question, this one is specific to gmail - which the entire session is on https.
when i click a pdf in my gmail to be opened with google docs, the certificate is signed by google(used a third part browser plugin to check this). that is fine, however my browser never alerts me as a potential untrusted certificate and if want to add it as an exception. does that mean google is an intermediate CA or what does that mean?
You should be able to check the certificate chain on the object and see. I haven't tried this (and given its 1am I am not going to now, but I may do so when I get time :)