[olug] Web Site Certificates - OT

Dan Anderson dan-anderson at cox.net
Thu Jul 31 22:51:30 UTC 2008


On Thu, Jul 31, 2008 at 4:57 PM, Will Langford <unfies at gmail.com> wrote:
> re: CACert
> If an SSL cert is invalid or is spoofed or however you wanna befall evil.
> Can you return to the original root cert issuer and complain ?  Can someone
> be held liable ?  What if the original root cert gets compromised and
> someone creates some bogus signages ?

Yes, you can complain (as I recall you are obligated to notify them)
and there is some very limited liability.

> In short -- while having  a central trusted signing area is needed, is it
> generally a farce to charge more than a buck or two for the service because
> some automated script generates signage for the client to use on their
> domains ?

All commercial CAs do some sort of validation, in my experience the
expensive CAs do a bit more.

> How does $200 buy you better protection than $2 ?

It mostly buys you better support and compatibility (and probably
better infrastructure).  GoDaddy is cheap, but if you want lots of
technical support the bigger, more expensive players are probably a
better match.

There's also some peace of mind that comes with selecting a CA that
has been in business since the mid-90s and still has a good
reputation.  If WellsFargo trusts Verisign for their SSL, it is
probably good enough for lawn-darts.com.  Similarly, you might be able
to buy auto insurance from "Bob's Insurance and Bait" but you might be
better off with State Farm. (I realise this is kind of FUD'y, but at
least for me it plays into the equation - maybe $1000 for a cert is
not out of line if it is protecting millions of dollars in
transactions).

>  How does the
> $20/year I pay maintain the original ~4k of data that the master cert is ?

The $20 a year pays for a tiny bit of the infrastructure and support
(including validation).

> For my $20 do I get retribution if evil is afoot ?

Not much, but you get some degree of protection and maybe you
practiced "due care" to protect your site.

Dan
