[cap-talk] Evidence of CA costs, from a CA

Tyler Close tyler.close at gmail.com
Sat Jul 9 17:59:07 EDT 2005


This news is a little stale, but I think it's still worth logging.

Verisign has begun offering SSL certs with a 3 year duration.

http://biz.yahoo.com/prnews/050425/nym082.html?.v=6

The press release admits that this move is in response to the high
coordination costs of using CAs. This and other costs are enumerated
in my essay "Naming vs. Pointing":

http://www.waterken.com/dev/YURL/Analogy/#coordination

However, they just brass it out by claiming they are doing this "...,
without sacrificing the highest levels of security possible."
Apparently having your private key sitting on an Internet-facing
server for 3 years instead of 1 doesn't affect your security. The
phishing scene should get even more interesting once we start seeing
phishing sites using valid but stolen SSL certs. Now you can grab a
copy of the cert file and wait up to 3 years before launching your
attack.

http://www.waterken.com/dev/YURL/Analogy/#identity_loss

Tyler

-- 
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/


