The worst trouble I've had with https is that you have no way to use host header names to differentiate between sites that require different SSL certificates.

i.e. www.foo.com www.bar.com www.baz.com can't all live on the same IP and have individual SSL certs for https. :( This is because the cert is exchanged before the http 1.1 layer can say "I want www.bar.com". So you need to waste IPs for this. Since the browser standards are already in place, it's unlikely to be possible to find a workaround, i.e. be able to switch to a different virtual host after you've established the SSL session. :(

Personally I find Thawte certs to be much cheaper than Verisign and they work just as well.

In any case, anyone is free to do the same thing AlterNIC did - become your own free CA. You'll just have to convince everyone else to add your CA's cert into their browser. You might be able to get the Mozilla guys to do this, good luck with the beast of Redmond though.

Either way, having a pop-up isn't that big a deal so long as you're sure of the site you're connecting to.

In either case, we wouldn't need to worry about paying Verisign or anyone else if we had properly secured DNS. Then you could trust those pop-up self-signed SSL cert warnings.

----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of   /|\
  \|/  :sarin, mustard and VX gas, mobile bio-weapons labs, nukular /\|/\
<--*-->:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech.  \/|\/
  /|\  :Found to date: 0.  Cost of war: $800,000,000,000 USD.        \|/
 + v + :           The look on Sadam's face - priceless!
--------_sunder_@_sunder_._net_------- http://www.sunder.net ------------

On Tue, 10 Jun 2003, James A. Donald wrote:
The most expensive and inconvenient part of https, getting certificates from verisign, is fairly useless.
The useful part of https is that it has stopped password sniffing from networks, but the PKI part, where the server, but not the client, is supposedly authenticated, does not do much good.