On Fri, Jul 12, 2002 at 11:18:12AM -0400, Trei, Peter wrote: | > I'd rather not state the exact figures. A search of SEC filings may or | > may not turn up further details. | > | > > And who actually owns these numerous trusted roots? | > | > I am not sure I understand the question. | > | > --Lucky | > | I think I do. A 'second hand' root key seems to have some | trust issues - the thing you are buying is the private half | of a public key pair .... but that's just a piece of information. | How can you be sure that, as purchaser, you are the *only* | possessor of the key, and no one else has another copy (the | seller, for example)? Who cares? If I can get a key thats in the main browsers for 90% off, who cares if other people have it? I understand that getting the public half of the 2 main browsers will run you about $250k in fees, plus all the setup work. If I can buy a slightly used Ncipher box whose public key bits are in the browsers for a 10th to a 5th of that, the extra copies of the bits aren't all that worrisome to me. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume
Adam wrote:
On Fri, Jul 12, 2002 at 11:18:12AM -0400, Trei, Peter wrote: A 'second hand' root key seems to have some trust issues | - the thing you are buying is the private half of a public key pair | .... but that's just a piece of information. How can you be sure that, | as purchaser, you are the *only* possessor of the key, and no one else | has another copy (the seller, for example)?
Who cares? If I can get a key thats in the main browsers for 90% off, who cares if other people have it?
I understand that getting the public half of the 2 main browsers will run you about $250k in fees, plus all the setup work. If I can buy a slightly used Ncipher box whose public key bits are in the browsers for a 10th to a 5th of that, the extra copies of the bits aren't all that worrisome to me.
Precisely. Nor would worrying make any difference, since all CAs preinstalled into the browser are equal from a user perspective. The security your CA, or VeriSign's CA, or anybody's CA can afford their customer is subject to an upper bound set by the preinstalled CA with the laxest certificate issuance standards in existence. In other words, anybody who selects a public CA on a factor other than price likely fails to understand the trust models that underlie today's use of Certificate Authorities. However, $250k will not nearly get you into the major browsers. Getting into Netscape is easy. You just hand them the cash and the floppy with your public key. Getting into MSIE is a lot harder. MSFT has never charged to include a CA's key in MSIE and MSFT does not intend on charging in the future. But after the root CA bonanza for MSIE 5, MSFT instituted policy changes. To get your CA's key included in MSIE, the CA must have passed an SAS 70 audit. (The CA also must offer its certificates to the public). The infrastructure, policy, staff, and auditing costs of passing such an audit will run you upwards of $500k. By the end of the day, getting a new root into the browsers will cost you about, give or take a few hundred k, $1M. Which makes the slightly used nCipher box an even better value. :-) --Lucky Green
participants (2)
-
Adam Shostack
-
Lucky Green