[17061] in cryptography@c2.net mail archive
Re: $90 for high assurance _versus_ $349 for low assurance
daemon@ATHENA.MIT.EDU (John Levine)
Tue Mar 15 10:35:14 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: 13 Mar 2005 22:33:56 -0000
From: John Levine <johnl@iecc.com>
To: cryptography@metzdowd.com
In-Reply-To: <42320C72.7060102@systemics.com>
Cc: iang@systemics.com
>Does anyone have a view on what "low" and "high" means in this
>context? Indeed, what does "assurance" mean?
Just last week I was trying to figure out what the difference was
between a StarterSSL certificate for $35 (lists at $49 but you might
as well sign up for the no-commitment reseller price) and a QuickSSL
cert for $169. If you look at the bits in the cert, they're nearly
identical, both signed by Geotrust's root.
As far as the verification they do, QuickSSL sends an e-mail to the
domain's contact address (WHOIS or one of the standard domain
addresses like webmaster), and if someone clicks through the URL, it's
verified. StarterSSL even though it costs less has a previous
telephone step where you give them a phone number, they call you, and
you have to punch in a code they show you and then record your name.
Score so far: QuickSSL 0.0000001, StarterSSL 0.00000015.
Both have various documents available with impressive certifications
from well-paid accountants, none of which mean anything I can tell.
Under some circumstances they might pay back some amount to someone
defrauded by a spoofed cert, but if anyone's figured out how to take
advantage of this, I'd be amazed.
Comodo, who sell an inferior variety of cert with a chained signature
(inferior because less software supports it, not because it's any less
secure) is slightly more demanding, although I stumped then with
abuse.net which isn't incorporated, isn't a DBA, and isn't anything
else other than me. I invented some abuse.net stationery and faxed
them a letter assuring that I was in fact me, which satisfied them.
Back when I had a cert from Thawte, they wanted DUNS numbers which I
didn't have, not being incorporated nor doing enough business to get a
business credit rating, so they were satisfied with a fax of my county
business license, a document which, if I didn't have one, costs $25 to
get a real one, or maybe 15 minutes in Photoshop to make a fake one
good enough to fool a fax machine.
I gather that the fancier certs do more intrusive checking, but I
never heard of any that did anything that might make any actual
difference, like getting business documents and then checking with the
purported issuer to see if they were real or, perish forbid, visiting
the nominal location of the business to see if anything is there.
So the short answer to what's the difference between a ten dollar cert
and a $350 cert is: $340.
Next question?
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"I shook hands with Senators Dole and Inouye," said Tom, disarmingly.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com