Re: IP: SSL Certificate "Monopoly" Bears Financial Fruit
jamesd@echeque.com writes:
On 6 Jul 2002 at 9:33, R. A. Hettinga wrote:
Thawte has now announced a round of major price increases. New cert prices appear to have almost doubled, and renewals have increased more than 50%. While Thawte proclaims this is their first price increase in five years, this comes at a time when we should be seeing *increased* competition and *lower* prices for such virtual products, not such price increases. But of course, in an effective monopoly environment, it's your way or the highway, so this should have been entirely expected.
IE comes preloaded with about 34 root certificate authorities, and it is easy for the end user to add more, to add more in batches. Anyone can coerce OpenSSL to generate any certificates he pleases, with some work.
Both Netscape 6 and MSIE 5 contain ~100 built-in, automatically-trusted CA certs.
* Certs with 512-bit keys.
* Certs with 40-year lifetimes.
* Certs from organisations you've never heard of before ("Honest Joe's Used Cars and Certificates").
* Certs from CAs with unmaintained/moribund websites ("404.notfound.com").
These certs are what controls access to your machine (ActiveX, Java, install-on-demand, etc etc).
* It takes 600-700 mouse clicks to disable these certs to leave only CAs you really trust.
(The above information was taken from "A rant about SSL, oder: die grosse Sicherheitsillusion" by Matthias Bruestle, presented at the KNF-Kongress 2002).
Why is not someone else issuing certificates?
How many more do you need?
Peter.
Peter Gutmann wrote, quoting Matthias Bruestle:
Both Netscape 6 and MSIE 5 contain ~100 built-in, automatically-trusted CA certs.
* Certs with 512-bit keys.
* Certs with 40-year lifetimes.
* Certs from organisations you've never heard of before ("Honest Joe's Used Cars and Certificates").
* Certs from CAs with unmaintained/moribund websites ("404.notfound.com").
One thing to keep in mind is that the name of the CA on the pre-installed root cert in some cases will bear no relation to the actual issuer of the cert. Just because the business of some.trusted.ca.nil has gone under does not mean their root keys are out of circulation. "Trusted roots" have long been bought and sold on the secondary market as any other commodity. For surprisingly low amounts, you too can own a trusted root that comes pre-installed in >95% of all web browsers deployed. In fact, it is considerably more expensive for an aspiring public CA provider to incur the costs of policies and procedures development, equipment expenditures, auditing cost, etc. required to have a root added to browsers nowadays than it is to just buy an existing trusted CA's Chrysalis or nCipher HSM.
--Lucky
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
-- On 11 Jul 2002 at 1:22, Lucky Green wrote:
"Trusted roots" have long been bought and sold on the secondary market as any other commodity. For surprisingly low amounts, you too can own a trusted root that comes pre-installed in >95% of all web browsers deployed.
How much, typically? And who actually owns these numerous trusted roots?
--digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG y1gI63PXnGNK7Iznu3+gY+/0JLBPRaEEV/OWwPub 20YHSnGmtg7lQW0NdXU4WMeKWfIQmlq3u3F/wjkOo
James wrote:
On 11 Jul 2002 at 1:22, Lucky Green wrote:
"Trusted roots" have long been bought and sold on the secondary market as any other commodity. For surprisingly low amounts, you too can own a trusted root that comes pre-installed in >95% of all web browsers deployed.
How much, typically?
I'd rather not state the exact figures. A search of SEC filings may or may not turn up further details.
And who actually owns these numerous trusted roots?
I am not sure I understand the question. --Lucky
participants (3)
- jamesd@echeque.com
- Lucky Green
- pgut001@cs.auckland.ac.nz