Anonymous via the Cypherpunks Tonga Remailer <nobody@cypherpunks.to> writes:

Why is it that none of those 100-odd companies with keys in the browsers are doing anything with them? Verisign has such a central role in the infrastructure, but any one of those other companies could compete. Why isn't anyone undercutting Verisign's prices? Look what happened with Thawte when it adopted this strategy: Mark Shuttleworth got to visit Mir! Maybe that was a one shot deal, but clearly these keys are not being utilized up to their economic potential.

Is there some behind the scenes coercion? Contractual limitations? Will Microsoft pull the keys if someone tries to compete with Verisign? What's the deal?

No-one ever got fired for buying Verisign. Unfortunately in order to understand that buying your certs from anything but the cheapest CA present is a waste of money, you need a certain amount of understanding of how PKI (or at least certificate manufacturing, as currently practiced) works. Verisign have invested an enormous amount of time and money into communicating the message that it ain't secure if it doesn't say Verisign, and that's been very effective. I have, very occasionally, run into people who've told me how they managed to locate a CA that sold them their certs for $29.95/year instead of $495/year, but this is very much the exception to the rule. Peter. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com