[14278] in cryptography@c2.net mail archive


Re: why are CAs charging so much for certs anyway? (Re: End of the

daemon@ATHENA.MIT.EDU (Damian Gerow)
Thu Sep 25 11:07:11 2003

X-Original-To: cryptography@metzdowd.com
Date: Thu, 25 Sep 2003 01:16:28 -0400
From: Damian Gerow <dgerow@afflictions.org>
To: cryptography@metzdowd.com
In-Reply-To: <20030924223356.GA8159@dual.cypherspace.org>


On Wed, 24 Sep 2003 15:33:56 -0700, thus spake Adam Back
<adam@cypherspace.org>:
: You'd have thought there would be plenty of scope for certs to be sold
: for a couple of $ / year.  Eg. by one of the registrars bundling a
: cert with your domain registration.  I mean if someone can provide DNS
: service for $10 or less / year (and lower for some tlds) which
: requires servers to answer queries etc., surely they can send you a
: few more bits (all they have to do is make sure they send the cert to
: the person who they register the domain for).

Perceived worth.  CDs are cheaper to manufacture than cassette tapes,
but you'll pay more, because 'the audio quality is better'.  Welcome to
Capitalism.

: From what I heard Mark Shuttleworth (of Thawte) got his cert in the
: browser DBs for free just for the asking by being in the right place
: at the right time.  So once you have that charging > $100 for a few
: seconds of CPU time to sign a cert is a license to print money.
: 
: With all the .com crashes you'd think the price of a root cert ought
: to be pretty low by now.

Adding on to the lists below...

There's a fair bit more work than just randomly signing a certificate. 
At the very least, the issuing CA has to (/should) verify that the
contact requesting the certificate is a valid contact for the hostname
being requested, and that the domain is even /allowed/ to have
certificates (I'm thinking cryptography export laws, but I may be
wrong).

That being said, <http://www.openca.org/> gives them away for free. 
They're currently pushing to have their root certificate included within
Mozilla; I'm not sure if it will ever happen within IE (but they provide
it for the end user to download).

I have heard good things about their service, and I personally use them
to generate my certificates (the price is right).  Dunno about the
supposed security of their signed certificates vs. those signed by
Verisign/Geotrust/FreeSSL/whomever.

