Re: IP: SSL Certificate "Monopoly" Bears Financial Fruit
-- On 6 Jul 2002 at 9:33, R. A. Hettinga wrote:
Thawte has now announced a round of major price increases. New cert prices appear to have almost doubled, and renewals have increased more than 50%. While Thawte proclaims this is their first price increase in five years, this comes at a time when we should be seeing *increased* competition and *lower* prices for such virtual products, not such price increases. But of course, in an effective monopoly environment, it's your way or the highway, so this should have been entirely expected.
IE comes preloaded with about 34 root certificate authorities, and it is easy for the end user to add more, to add more in batches. Anyone can coerce open SSL to generate any certificates he pleases, with some work.
Why is not someone else issuing certificates?
--digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG FgD9xqiaNt/GIr99+cDvezUuY9K7pVf/sr8sYLtx 2U+1rnhprPRzvE4aLRCq4ADtyF4DDrnAKjbwHgbFn
At 03:48 PM 7/10/2002 -0700, jamesd@echeque.com wrote:
-- On 6 Jul 2002 at 9:33, R. A. Hettinga wrote:
Thawte has now announced a round of major price increases. New cert prices appear to have almost doubled, and renewals have increased more than 50%. [...] Why is not someone else issuing certificates?
See <http://www.securityspace.com/s_survey/sdata/200206/certca.html> for recent data re SSL certificate market share; Geotrust, at <http://www.geotrust.com>, has 11% of the market, and appears (from their web pages; I haven't bought one) to be ready to issue SSL server certs without the torturous document review process which Verisign invented but Thawte managed to make simultaneously more intrusive and less relevant.
-- Greg Broiles -- gbroiles@parrhesia.com -- PGP 0x26E4488c or 0x94245961
On Wed, 10 Jul 2002 jamesd@echeque.com wrote:
-- On 6 Jul 2002 at 9:33, R. A. Hettinga wrote:
Thawte has now announced a round of major price increases. New cert prices appear to have almost doubled, and renewals have increased more than 50%. While Thawte proclaims this is their first price increase in five years, this comes at a time when we should be seeing *increased* competition and *lower* prices for such virtual products, not such price increases. But of course, in an effective monopoly environment, it's your way or the highway, so this should have been entirely expected.
IE comes preloaded with about 34 root certificate authorities, and it is easy for the end user to add more, to add more in batches. Anyone can coerce open SSL to generate any certificates he pleases, with some work.
Why is not someone else issuing certificates?
--digsig James A. Donald
Because the buyers of certificates have a different model of what they are buying. They neither know, nor can they care, because they do not know, about the subtle "protocols" published over the last twenty-five years that supposedly, if executed carefully, provide certain "guarantees". No. The customers know that to get stuff they want, such as permission to put the label "Your credit card information is secure. We use Thawte Certificates, Thawte, the Guarantor, your Rock of Assurance." on their PAY HERE NOW web page, they must buy a certificate from Thawte, and not from Captain Gull Enterprises, Division of Certificates. The customer knows that crypto is subtle, and only a well known large corporation can be trusted. After all, they have the resources, and the name, and if you do not use them, and something goes wrong, well perhaps a canny lawyer might be able to show that you were not using the industry standard, which might lose you the case.
oo--JS.
IE comes preloaded with about 34 root certificate authorities, and it is easy for the end user to add more, to add more in batches.
A colleague of mine just loaded a new root into IE, and pointed out that when one does this, the new root is apparently BY DEFAULT enabled for all purposes, including some interesting ones like "Digital Rights" and "Windows System Component Verification." I just tried this, and it appears to be the case. (But I haven't yet tried to see whether Windows will happily use my root for these OS-specific purposes....)
--Sean
-- Sean W. Smith, Ph.D. sws@cs.dartmouth.edu http://www.cs.dartmouth.edu/~sws/ (has ssl link to pgp key) Department of Computer Science, Dartmouth College, Hanover NH USA
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
jamesd@echeque.com <jamesd@echeque.com> was seen to declaim:
IE comes preloaded with about 34 root certificate authorities, and it is easy for the end user to add more, to add more in batches. Anyone can coerce open SSL to generate any certificates he pleases, with some work. Why is not someone else issuing certificates?
Mostly because of the alarming things IE/NS/Whatever says if you haven't already got the root cert in your browser when you visit a site relying on a "homebrewed" cert. Certainly some time ago, the OpenCA project were giving away ssl certs for free to all comers; the software they produced is open source (and at sourceforge) so anyone could open their own CA with whatever authentication criteria they wish (and indeed, the owner of news.securecomp.org (nntp) is in the early stages of a X509-based CA on a hierarchical but distributed model (ie, regional CAs you can apply personally to with proof of ID)
Doesn't help much when the sheeple won't trust anything that doesn't come pre-installed by microsoft though.
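The two mechanics raised in the messages above, shown as an added example that is not part of any poster's message: a self-made root only validates where it has been placed in the trust store, and a root imported without purpose restrictions vouches for every purpose. It uses the `openssl` command line (1.1.0 or later assumed), with OpenSSL's per-purpose trust settings standing in for the per-purpose settings of the IE root store; the CA name, host name and file names are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). All names and paths are constructed.
set -eu

make_pki() {  # $1 = existing directory to write the demo PKI into
  local d="$1"
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = req
x509_extensions = v3_ca
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # A self-signed root: minting one takes seconds and nobody's permission.
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Home CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # Server key and CSR, then a leaf certificate signed by that root.
  openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null
  # The same root, but marked as trusted only for TLS server authentication.
  openssl x509 -in "$d/ca.pem" -addtrust serverAuth -out "$d/ca-tls-only.pem"
}

# verify_leaf DIR PURPOSE [ROOT_FILE]; with no ROOT_FILE no root is supplied.
verify_leaf() {
  local d="$1" purpose="$2" root="${3:-}"
  if [ -n "$root" ]; then
    openssl verify -purpose "$purpose" -CAfile "$d/$root" "$d/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -purpose "$purpose" -no-CAfile -no-CApath "$d/leaf.pem" >/dev/null 2>&1
  fi
}

report() {  # print OK/FAIL for one verification scenario
  if verify_leaf "$@"; then echo "OK    $*"; else echo "FAIL  $*"; fi
}

demo() {
  local d; d="$(mktemp -d)"
  make_pki "$d"
  report "$d" sslserver                   # root not in the store: FAIL
  report "$d" sslserver ca.pem            # root imported, all purposes: OK
  report "$d" smimesign ca.pem            # ...so it vouches for e-mail too: OK
  report "$d" sslserver ca-tls-only.pem   # purpose-restricted root: OK
  report "$d" smimesign ca-tls-only.pem   # restricted root rejects e-mail: FAIL
  rm -rf "$d"
}
demo
```

The last two lines of output show the defensive setting: a locally added root scoped to the one purpose it is needed for stops validating chains for anything else.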
Thanks for the tip! I just got a new cert from Geotrust, and it was such an amazing contrast to those I've gotten from Verisign and Thawte! They apparently take the verification info from the whois data on the site, and you really can do the process from start to finish in 10 minutes or so. The cert shows that it's issued by Equifax, however.
rj
At 04:31 PM 7/10/2002 -0700, Greg Broiles wrote:
At 03:48 PM 7/10/2002 -0700, jamesd@echeque.com wrote:
-- On 6 Jul 2002 at 9:33, R. A. Hettinga wrote:
Thawte has now announced a round of major price increases. New cert prices appear to have almost doubled, and renewals have increased more than 50%. [...] Why is not someone else issuing certificates?
See <http://www.securityspace.com/s_survey/sdata/200206/certca.html> for recent data re SSL certificate market share; Geotrust, at <http://www.geotrust.com>, has 11% of the market, and appears (from their web pages; I haven't bought one) to be ready to issue SSL server certs without the torturous document review process which Verisign invented but Thawte managed to make simultaneously more intrusive and less relevant.
-- Greg Broiles -- gbroiles@parrhesia.com -- PGP 0x26E4488c or 0x94245961
RJ Harvey wrote:
Thanks for the tip! I just got a new cert from Geotrust, and it was such an amazing contrast to those I've gotten from Verisign and Thawte! They apparently take the verification info from the whois data on the site, and you really can do the process from start to finish in 10 minutes or so.
I believe that Geotrust has come up with an excellent new model to make money out of the CA business with minimum hassle to the customer while reducing Geotrust's vetting costs down to next to zero. Their introduction of this new model was one of the more interesting pieces of news at this year's otherwise rather bland RSA Conference.
The cert shows that it's issued by Equifax, however.
The cert shows as being issued by Equifax because Geotrust purchased Equifax's root embedded in major browsers since MSIE 5 on the secondary market. (Geotrust purchased more than just the root).
--Lucky Green
participants (7): David Howe, Greg Broiles, jamesd@echeque.com, Jay Sulzberger, Lucky Green, RJ Harvey, Sean Smith