Posted Mar 26, 2010 22:30 UTC (Fri) by foom (subscriber, #14868)
It was a joke.
Mark Shuttleworth is rich enough to fund Ubuntu because he sold Thawte (another company that
used to sell overpriced certs) to Verisign in 1999.
Blaze: The Spy in the Middle
Posted Mar 26, 2010 23:29 UTC (Fri) by nix (subscriber, #2304)
And stevan's comment was one of the worst puns I've seen this year.
Cert generation
Posted Mar 28, 2010 6:28 UTC (Sun) by man_ls (subscriber, #15091)
$900 to generate a random prime number, no matter how long, does indeed seem a bit steep. Nowadays even $10 is a ripoff: it takes about 10 seconds of CPU time.
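The "random prime number" the comment refers to is the core of RSA key generation: pick a random odd candidate of the desired size, reject it if a small prime divides it, then run a probabilistic primality test. The following is an added example written for this page, not code posted by any commenter, showing how that is done with Miller-Rabin in pure Python (no OpenSSL involved). The bit sizes and round count are assumptions chosen for illustration; production code uses a vetted library rather than a hand-rolled test.

```python
import secrets
import time

# Small primes used for cheap trial division before the expensive test.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                53, 59, 61, 67, 71, 73, 79, 83, 89, 97]


def is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test.

    Returns False for every composite (with probability >= 1 - 4**-rounds)
    and True for every prime.  `rounds` is an assumed default.
    """
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    # Write n - 1 as 2**r * d with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a is a witness: n is composite
    return True


def random_prime(bits):
    """Return a random probable prime of exactly `bits` bits."""
    while True:
        # Force the top bit (exact size) and the bottom bit (odd).
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def timed_prime(bits):
    """Generate a prime and report how long it took, in seconds."""
    start = time.perf_counter()
    p = random_prime(bits)
    return p, time.perf_counter() - start


if __name__ == "__main__":
    # 1024 bits is one RSA-2048 factor; the timing printed is what the
    # commenter is pricing.
    p, seconds = timed_prime(1024)
    print(f"{p.bit_length()}-bit prime found in {seconds:.2f}s")
```

The trial-division pass is what keeps the loop cheap: most random odd candidates are discarded there before a single modular exponentiation runs. Real key generation adds further checks (for example that p and q are not too close together for RSA), which this example leaves out.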
Cert generation
Posted Mar 28, 2010 6:46 UTC (Sun) by dlang (✭ supporter ✭, #313)
to be fair, the cost of the cert is supposed to cover the cost of validating the identity of the person asking for the cert and then to maintain housekeeping things like security, redundancy of the signing key, revocation list, etc.
the thing that makes the $900 so bad is that all of this work needed to be done for the $300 cert as well, the only difference between the $300 and $900 option is a tag inside the cert. Most cert vendors don't have the two grades anymore.
also, since the export browser restrictions were lifted, there really shouldn't be anyone using an 'export browser' that would act any differently with the two types of certs (when was the last 'export' browser shipped?). If anyone is still using such a browser they have so many security holes that downgrading the encryption to 40 bits is a minor risk.
Profit!
Posted Mar 28, 2010 8:11 UTC (Sun) by man_ls (subscriber, #15091)
The marginal cost of an additional certificate, in terms of keeping backups and revocation lists and securing master keys is close to zero. Storing and sending 2KB has always been cheap. The only item with an appreciable marginal cost is identity validation, and the validation done by "certificate authorities" is a joke, now as always. Why? Because they are businesses; you just have to follow the incentives.
Imagine the amount of identity validation done by credit agencies such as Visa, or even by banks: they are very superficial. These guys are actually giving you credit, and they will have to pay if you don't. Even so, the amount of validation is (at least here in Europe) hardly worth 10, according to my own estimations. Now what incentives do CAs have to make thorough checks? They are not giving you credit, and they have zero liability if you are not who you claim to be. Therefore it makes good business sense to skim over any ID presented and not think twice about it.