Re: [cobalt-security] SSL Insight

[Jeff Lasman <jblists@xxxxxxxxxxxxx>]

Gerald Waugh wrote:

> lets be a little realistic here!
> There are certs and there are certs and then there are warranties!!!

When we build our pages to discuss and sell certs we'll mention various
warranty levels.  But we'll also ask the hard question... how much is
the warranty worth?  And has anyone ever collected on one?  The purpose
of the "warranty" is to cover damages if the cert misidentifies the
website as someone it's not.  So the warranty isn't protecting the site
purchaser; s/he knows if s/he is or isn't the owner of the real site. 
The warranty is protecting the visitor.

The value in it is only if you've got customers who will only log onto
your site if they know and recognize the cert provider.  My gut feeling
is that very few customers care.

Personally I think most people use certs for secure connection, and not
to verify identification.  Discussions on various isp-lists have shown
I'm not alone in the thought, though of course there are a lot of
disagreements.

However I'm sure I'm not the only cert reseller who'll be happy to
charge you $300 or $400 for a cert and to make sure you are who you say
you are before I issue it.

Jeff
-- 
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net, P. O. Box 52672, Riverside, CA  92517
voice: +1 909 778-9980  *  fax: +1 909 548-9484