<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Noah's Mark - Latest Comments in Firefox&#8217;s SSL policy is not bad, you idiot</title><link>http://noahsmark.disqus.com/</link><description></description><language>en</language><lastBuildDate>Sun, 14 Sep 2008 13:23:55 -0000</lastBuildDate><item><title>Re: Firefox&#8217;s SSL policy is not bad, you idiot</title><link>http://noahsmark.com/2008/08/19/firefoxs-ssl-policy-is-not-bad-you-idiot/#comment-2347808</link><description>Good read. I think it's a good system to get in your face; especially for my relatives who are computer illiterate. This step is completely necessary to protect any user from doing harm to themselves.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">PaulSolt</dc:creator><pubDate>Sun, 14 Sep 2008 13:23:55 -0000</pubDate></item><item><title>Re: Firefox&#8217;s SSL policy is not bad, you idiot</title><link>http://noahsmark.com/2008/08/19/firefoxs-ssl-policy-is-not-bad-you-idiot/#comment-1668040</link><description>Because they are different services - note the keyword _verification_ in that second part. The first part, the "I want a domain name here plzthx", isn't a complicated problem because there aren't many (enforced) trust/identity strings attached. Also, because there are an inordinate amount of domains being registered and a much smaller number of sites getting SSL certs, I can only imagine the cost for the first will be much cheaper than the second. Sounds pretty simple to me.&lt;br&gt;&lt;br&gt;Oh, and the real answer is, "because they charge that much and people will pay it." Enter capitalism.&lt;br&gt;&lt;br&gt;Your suggestion, in the first paragraph, is for how a "trusted" authority should establish trust with an untrusted endpoint - you do some activity to prove to that party that you "own" the domain, and that third party, which is a trusted authority by some other definition, is depended on for its verification of your site. 
Maybe that is enough to establish trust, but how does it relate to the post?&lt;br&gt;&lt;br&gt;If you want to complain about the methods CAs use to verify identity, then that is a different discussion. If you feel a CA charges too much for its services, find a different one. The DigiCert price I found was after clicking 2 links in a Google search. I bet you can find better prices without looking too hard.&lt;br&gt;&lt;br&gt;Or you get behind someone like &lt;a href="http://CACert.org" rel="nofollow"&gt;CACert.org&lt;/a&gt;, who gives out free (as in beer) certs and (I believe) is still trying to be accepted by Mozilla as a trusted root CA:&lt;br&gt;&lt;a href="https://bugzilla.mozilla.org/show_bug.cgi?id=21" rel="nofollow"&gt;https://bugzilla.mozilla.org/show_bug.cgi?id=21&lt;/a&gt;...&lt;br&gt;&lt;br&gt;Mozilla has a nice, fair, and public policy for how to become a trusted CA:&lt;br&gt;&lt;a href="http://www.mozilla.org/projects/security/certs/" rel="nofollow"&gt;http://www.mozilla.org/projects/security/certs/&lt;/a&gt;...&lt;br&gt;&lt;br&gt;So I don't think there are major roadblocks preventing somebody from using your method to establish trust and charging less than $100 a year and getting accepted by Mozilla as a root CA. 
Except, you know, capitalism.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">noahrichards</dc:creator><pubDate>Tue, 19 Aug 2008 23:50:44 -0000</pubDate></item><item><title>Re: Firefox&#8217;s SSL policy is not bad, you idiot</title><link>http://noahsmark.com/2008/08/19/firefoxs-ssl-policy-is-not-bad-you-idiot/#comment-1667871</link><description>Server identity verification can and should be tested in the same manner that Google Apps does it - stick a new page up on your server or add a new CNAME record to prove you control the domain.&lt;br&gt;&lt;br&gt;If domain names can be registered for under $10, why should domain name verification cost hundreds of dollars per year?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">trevelyan</dc:creator><pubDate>Tue, 19 Aug 2008 16:02:26 -0000</pubDate></item></channel></rss>