[17056] in cryptography@c2.net mail archive
$90 for high assurance _versus_ $349 for low assurance
daemon@ATHENA.MIT.EDU (Ian G)
Sun Mar 13 14:46:44 2005
X-Original-To: cryptography@metzdowd.com
Date: Fri, 11 Mar 2005 21:24:02 +0000
From: Ian G <iang@systemics.com>
To: cryptography@metzdowd.com
Cc: John Gilmore <gnu@toad.com>, mozilla-security@mozilla.org
In-Reply-To: <200503042353.j24Nrpti023003@new.toad.com>

In the below, John posted a handy dandy table of cert prices, and
Nelson postulated that we need to separate high assurance from low
assurance. Leaving aside the technical question of how the user
gets to see that for now, note how godaddy charges $90 for their
high assurance and Verisign charges $349 for their low assurance.

Does anyone have a view on what "low" and "high" means in this
context? Indeed, what does "assurance" mean?

iang

John Gilmore wrote:
> For the privilege of being able to communicate securely using SSL and a
> popular web browser, you can pay anything from $10 to $1500. Clif
> Cox researched cert prices from various vendors:
>
> http://neo.opn.org/~clif/SSL_CA_Notes.html

Nelson B wrote:
> https://www.godaddy.com/gdshop/ssl/ssl.asp shows that this CA runs
> two classes, high assurance and low assurance.
>
> Do they have two roots that correspond to these two classes?
> If not, how can users choose to trust high assurance separately
> from (perhaps instead of) low assurance certs?
>
> I think mozilla's policy should require separate roots for separate
> classes of assurance. Alternatively, we could require separate
> intermediate CAs for each class, issued from a common root, but
> then the intermediates would have to be shipped with mozilla so
> that they can be marked with explicit trust.
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
---------------------------------------------------------------------
The Cryptography Mailing List