[17070] in cryptography@c2.net mail archive

Re: $90 for high assurance _versus_ $349 for low assurance

daemon@ATHENA.MIT.EDU (Peter Gutmann)
Tue Mar 15 10:45:05 2005

X-Original-To: cryptography@metzdowd.com
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: cryptography@metzdowd.com, iang@systemics.com
Cc: gnu@toad.com, mozilla-security@mozilla.org
In-Reply-To: <42320C72.7060102@systemics.com>
Date: Tue, 15 Mar 2005 20:46:15 +1300

Ian G <iang@systemics.com> writes:

>In the below, John posted a handy dandy table of cert prices, and Nelson
>postulated that we need to separate high assurance from low assurance.
>Leaving aside the technical question of how the user gets to see that for
>now, note how godaddy charges $90 for their high assurance and Verisign
>charges $349 for their low assurance.
>
>Does anyone have a view on what "low" and "high" means in this context?

Given the universal implicit cross-certification model used in browsers,
mailers, etc etc, the only things that "Low" and "High" apply to are price,
not assurance.

(UIXC means that all certs are implicitly trusted equally, which is the same
as having all CAs cross-certify all other CAs.  The effect of either
implicitly or explicitly doing this is that all CAs are only as secure as the
least secure CA, and the only certificate that it makes any sense to buy is
the cheapest one).

>Indeed, what does "assurance" mean?

You are assured that your credit card will be charged before the certificate
is issued.

Peter.
