Re: verisign security,lol

From: mr.sir bossman (mrsirbossman_at_discussions.microsoft.com)
Date: 06/23/04


Date: Wed, 23 Jun 2004 15:05:01 -0700


"Igor Tandetnik" wrote:

> "mr.sir bossman" <mrsirbossman@discussions.microsoft.com> wrote in
> message news:272B7B5C-B7AC-4D95-B2E2-29458647C65E@microsoft.com
> > All the companies are $100+ per year. I was looking for free, my
> > software is free.
>
> OK, let's start from the beginning. The purpose of the certificate is to
> provide a measure of trust for the user - the user knows for sure where
> a particular component comes from and who to complain to (or sue) if it
> does bad things to her machine. In order to provide this trust, the CA
> performs a background check on the company prior to issuing a
> certificate, and keeps the company's vital stats on file. This costs the
> CA money, plus they have expenses of running the servers, maintaining
> certificates and certificate revocation lists and so on.
>
> In other words, in order for the user to trust your software, somebody
> they already trust (the root CA) has to vouch for you. Since you are not
> affiliated with the CA, you pay for the privilege of them confirming
> their trust in you. This offsets their expenses in verifying your
> identity, as well as initial investment they had to make to gain their
> own trust (namely, pass audits and certifications necessary to become a
> root CA). Trust is an intangible asset, and as any asset, it costs
> money.
>

> > This kinda kills people who make stuff available
> > for free all around.
>
> Does it? You don't have to distribute your software in the form of an
> Authenticode-signed ActiveX control. Make a web site, provide a link to
> an installation executable, then convince the user to download and run
> it. Make your value proposition good enough that the user chooses to
> accept the risk of running software from unknown source. Speaking in
> terms of trust, you are asking the user to take your word that the
> software is good and useful, and you are going to be around and take
> responsibility if anything goes wrong. If the user trusts you and
> installs the software, her trust costs you nothing.
>
> > Kinda pointless too. The checks they do are real
> > weak and easy for hackers to get around.
>
> My company actually buys certificates from Verisign. They ask for your
> DUNS (http://www.dnb.com/us/) registration, then call you in person at
> the phone number listed in the registration (not the one you provided),
> in addition to performing other checks. This way, you have to register
> as a business to get the certificate. At this point, you are as
> accessible to the law as any other company committing fraud. Which is
> not to say that you absolutely cannot avoid getting caught, just that
> it's as easy or difficult to catch you as when you commit any other
> crime.

So it allows them to punish after the crime, kinda pointless. As for checks, some of the CAs don't do as much. Don't believe the average user cares what CA is used anyways.
It is just my opinion Microsoft can do better than this.

> > Also, a million ways to get
> > fake certificates on the web.
>
> Care to provide a link?

Don't pretend it doesn't happen. Try Google.

>
> If this is true, why do you complain about monopolies and such? Just go
> ahead and get yourself one.

I was not complaining; the original post was to find a free Microsoft-loving CA.

> --
> With best wishes,
> Igor Tandetnik
>
> "For every complex problem, there is a solution that is simple, neat,
> and wrong." H.L. Mencken
>
>
>


