[NTLUG:Discuss] SSL and Patents

[MadHat]

On Thu, 2003-04-03 at 16:45, asenec at senechalle.net wrote:
> A CSR signed by a recognized signing authority, such
> as Verisign, also acts to show that you are who you say
> you are.
> 

Yeh, thats why Verisign issued a Microsoft Cert to a third, unknown
party...  its real safe and secure in the verification process. 
Especially since most products don't support the SSL revocation list
functionality, so even though Verisign revoked it, IE and other products
had no way of knowing.  And of course we all know that everyone reads
the certs anyway to verify it is signed by the company they think it
should be signed by.  Encryption and Digitally signed Certs are not a
panacea.

> Also, you question re www.$domain vs $domain.  You can have
> a Cert issued for either; however, if you have it issued
> for www.$domain and the access https://$domain, you will
> get a message to the effect that the Cert was not issued
> for the domain you are accessing, but rather for www.$domain.
> If I remember correctly, you used to be able to have what would
> amount to a Cert for wildcards--that is, for $domain and *.${domain}.
> The wildcard Cert was not cheap.

Pay enough and you get to sign your own certs that are trusted because
of the trust chain.

> > On Thu, 2003-04-03 at 12:02, m m wrote:
> > > If we can issue an certificate by ourself (be a/as CA)
> > > and no any patents violation, why should we pay ($139.00/yr) for it?
> > > 
> > 
> > You should buy a cert if you are trying to make one of your customers
> > feel good.  For personal use there is no reason to buy a cert.
> > 
> > All buying will do is keep the "Signed by an unknown CA" message from
> > popping up when you go to the site or use the SSLified service.  The SSL
> > still works either way.

-- 
MadHat at Unspecific.com
`But I don't want to go among mad people,' Alice remarked.
`Oh, you can't help that,' said the Cat: `we're all mad here...'
   -- Lewis Carroll - _Alice's_Adventures_in_Wonderland_