
Verisign Buyout of Thawte Consulting Challenged
andyr writes "Independent Online has a report that Entrust Technologies is challenging Verisign's buyout of Thawte Consulting. Verisign is the world's largest SSL Certificate issuer, with 60% of the market, with Thawte the second-largest, with about 40%. Combined, they own 99% of the market."
The Slashdot Address (Score:2)
Four flames and seven firsts ago our fathers brought forth upon this site, a new slashdot, conceived in liberty, and dedicated to the proposition that all posts are created equal.
Now we are engaged in a flamebait war, testing whether that thread, or any thread so conceived and so dedicated, can long endure. We are met on a great opensource arena of that war. We have come to dedicate a portion of that thread, as a first posting place for those trolls who here gave their posts that this site might live. It is altogether fitting and proper that we should do this.
But in a larger sense, we cannot dedicate - we cannot consecrate - we cannot hallow - this site. The off-topic trolls, Moderated up and down, who struggled here, have consecrated it, far above our poor power to add or detract. The slashdot community will little note, nor long remember what we say here, but it can never forget what they did here. It is for us, the trolls, rather to be dedicated here to the unfinished work which they who fought here have thus far so nobly advanced.
It is rather for us to be here dedicated to the great task remaining before us, that from these naked and petrified posts we take increased devotion to that cause for which they gave the last full measure of devotion; that we here highly resolve that these trolls shall not have posted in vain; that this slashdot, under Hemos, shall have a new birth of freedom, and that this moderation of the people, by the people, and for the people shall not perish from this site.
.
Trollmastah
this seems unacceptable (Score:2)
obvious, maybe, but I recently went with thawte for the very reason that they weren't verisign.
this sucks, i hope the challenge sticks.
I'm sure if those figures are correct (Score:1)
Was wondering about that..... (Score:1)
--patrick
Bad Thing (tm) (Score:1)
After all those Microsoft Anti-trust stuff on
I don't have much experience with Certificates issued by Verisign (I always sign my own ones) but I think it's a Bad Thing (tm) that one company owns 99% of whatever market you like. How is it possible that Verisign is allowed to do this?
Well (Score:1)
-----------
"You can't shake the Devil's hand and say you're only kidding."
Not worried about monopoly... (Score:1)
In the Site.Cert market, I've had excellent experiences with Entrust support and their certificates. Of course, Entrust Certs were signed by...Thawte...
Silly Idea in the First Place (Score:1)
Entrust's Perspective (Score:4)
http://www.entrust.com/investor/12_21_99.htm [entrust.com]
Re:Well (Score:3)
As I understand it, both Verisign and Thawte (and a few others) have been in the industry long enough that almost all browsers come with a Verisign and a Thawte root certificate. When the browser wants to open an SSL transaction, it can verify the server's certificate by tracing it back to the known and presumed valid Verisign or Thawte certificate. No database lookup and no problem.
Where the yes and no comes in is if the root is invalid or otherwise not recognized, the user can still proceed with the SSL session, she'll just get an error message about an untrusted certificate.
I don't know how many other trusted root certificates normally ship with browsers these days. My copy of Netscape has 63, six of which are Verisign and four of which are Thawte.
huge scam (Score:4)
And guess what? I didn't need to send all that info after all, as long as I paid the $725.
What a great business!
What's the biggy? (Score:1)
Why do we need certificate providers? (Score:1)
For correspondents with whom you have previously had contact, simply digitally signing a document gives high confidence that it comes from the same source as previous documents signed by the same key. Thus a 3rd party certificate serves no useful purpose for already established relationships.
For first-time contacts, how much do 3rd party certificates really tell you about the certificate holder? Is a simple digital signature (without a cert) not just as reliable as a letter with an unknown handwritten signature? (Or even more reliable as the digital signature also ensures that the document contents have not been changed since being signed)
Re:this seems unacceptable (Score:2)
a monopoly on key pair authorization seems orwellian to me.
But it isn't a monopoly like the USPS. Any competitors are welcome to enter the market. Our capital market is pretty good--if your idea is sound, you should be able to get backing for it.
If Thawte/Verisign start charging an arm and a leg, you'll see a hundred Entrusts pop up in months. Profit margin draws capital like sherry draws Ted Kennedy.
Steve
Formula (Score:3)
Take the sum of the squares of market shares of the various competitors, and you will get a value ranging from 0 (for what amounts to perfect competition, i.e., a very large number of infinitesimal competitors) to 10,000 (for an absolute monopoly). If the figures in the story are true, then:
Verisign = 60%
Thawte = 39%
Everyone else total = 1%
So--
OLD: 60^2 + 39^2 + negligible = 5121
NEW: 99^2 + negligible = 9801
Hmmm.....
Re:The Slashdot Address (Score:1)
Another funny one, thanks a bunch. I can't believe that the moderators think this isn't funny.
Hey, if you can get Frank Rizzo to speak... (Score:1)
p.s. For those of you who might not know, Frank Rizzo was the mayor of Philadelphia for many years, and not exactly a civil rights advocate.
Maths, 101 (Score:3)
Seriously, I doubt these figures are meaningful, anyway. Most certificates in use are probably for private intranets or extranets, and therefore rolled by the local sys admins. (Best way to keep a network private.)
Even if you're talking about the markets which are open, you're talking about a very dynamic system. This isn't the PC market, which has largely stagnated at the hands of Macrospot, but a realm where fortunes are made and lost quicker than LinuxOne can say "IPO".
The number of SSL-enabled web servers is still pitifully small. By now, most (if not all) servers should be delivering -everything- encrypted. If you only encrypt the stuff you don't want "the wrong people" to see, "the wrong people" know where to look. And international SSL is a pathetic 40-bits.
If -every- web server delivered -every- web page in 128-bit encrypted form, or even 40-bit form, it would be almost impossible for sniffers to pick out the useful information, let alone break the encryption. They'd stand much more chance of just ending up with the local weather forecast or someone's prawn bookmarks. With no way of telling what was what, they'd have to break -every- packet to get -any- useful data. They'd die of old age before they'd get anywhere.
Then, there's IPSec. For the same reason as above, IPSec could destroy the certificate market, as most IPSec implementations don't support X.509 as standard. A merger might create a giant with sufficient power to prevent IPSec becoming adopted, or it might be completely obliterated by the use of Total Encryption.
In short, I don't see the buyout as a threat or a boon. It's an irrelevancy, in a market that's made itself that way.
(Besides, Thawte dumped Sioux, and some things can't be forgiven.)
I like it...(not a troll) (Score:1)
ahhh... (Score:1)
/ k.d / earth trickle / Monkeys vs. Robots Films [xoom.com] /
Need for a CA of CAs (Score:1)
Re:this seems unacceptable (Score:4)
For God's Sake SHUT UP! (Score:3)
Jeez, do you people really not get it or are you just looking to pick nits?
LK
Re:News flash! 60% + 40% != 99% (Score:1)
Re:I like it... (Score:1)
From my own experiences with VeriSign and Thawte (as limited as those experiences may have been up to this point), I certainly have not felt that I trusted VeriSign any more as a result of their market position. And, truthfully, I would tend to trust "centralized control" less than a more diverse marketplace, because the benefits of competition extend beyond simple pricing issues.
Thawte's demise is depressing (Score:5)
Verisign certainly is large, and their root key is probably in more trusted stores than Verisign's, but not by much. Both, for example, are in the IE4/5 trusted store that comes with shipping windows. IE3 too, I believe. And Thawte will issue keypairs for no charge. Or at least, they used to.
Verisign has made a practice of issuing "temporary" certificates containing arbitrary unverified data. True, the user cert is marked as temporary, and the key expires after I believe 40 days, but the marking is buried and 40 days is ample time to perpetrate a fraud on an unwary user. As a game, the members of my test team would send messages to each other "signed" by famous figures like Gandhi and President Clinton. Since the from header is trivial to forge, these mails looked like the real deal to a cursory inspection. You would have to have a medium-level understanding of crypto even to guess they might be fakes.
Thawte has never allowed this sort of thing to go on. When I applied for my one and only Thawte keypair I had to submit a great deal of information about myself, all of which they verified over the course of a day. I understand Verisign's desire to promote their product, and certainly it must work because of their prominence, but playing fast and loose with authentication is a surefire way to get the whole crypto industry discredited in the eyes of the public.
-konstant
Yes! We are all individuals! I'm not!
Re:I like it...(not a troll) (Score:1)
So as long as you make good decisions about whose keys you sign (and at what trust level) it should work.
Someone needs to start a NON-PROFIT organization.. (Score:1)
do you trust someone, like say.. the EFF? I mean really.. go get OpenSSL and start your own CA.
nuff said.
pan
Re:Well (Score:2)
Another reason that Entrust may be suing is because the certificates they issue are generated from a root belonging to Thawte. Thawte has offered this cross-signing service in the past, but Verisign/Thawte combined may not. This would put a big dent in the way Entrust does business.
Why it's a bad thing (Score:5)
What Thawte and Verisign do isn't exactly related to the encryption part of SSL, it's related to the X.509 certificates of sites that implement SSL. A site can do SSL without a certificate signed by Thawte or Verisign, but if the Certifying Authority that signed the certificate doesn't have its own signature in the lists of CAs maintained by the browsers (Netscape and MSIE include a list of CAs on the local machine when they get installed; I'm not sure how other browsers handle it.) then the browser will pop up some manner of error message when the site is contacted to the effect of "This site's certificate is signed by someone we don't know, do you want to continue?" It doesn't affect the server's ability to do SSL traffic - it can still do that - it only affects the browser's ability to verify that the certificate assigned to the site is who it says it is. (i.e. if you go to a site called www.mcdonalds.com to buy burgers over the 'net, you can look at the certificate to verify whether or not this is really the place that has the golden arches out front by the information in their certificate.)
The problem here is that probably 95% of the people doing e-Commerce on the net today are going to balk at a purchase if ANY sort of message box that looks like an error box pops up. It doesn't matter if you explain to them that the message only means that the browser doesn't recognize the authority that signed the certificate and that traffic is still encrypted when you communicate with the server, like my mom, they're just going to see an error message and freak out and not want to do business there. (In addition, I've personally had problems with MSIE properly passing information from forms when connecting to a secure site before we get the valid certificate installed. With the "Push here to connect to our secure server" button, ID information we might want to pass across to the secure server seems to get vaporized or something in the process of the user clicking the "Ok, connect anyway" dialog.)
So why can't some new, faster, better CA pop up and just start doing business? Because their signature isn't in the tens of millions of copies of Netscape and MSIE that are already active on the internet. Why can't they just get their signature into the new version? They can, I suppose, although after looking into it from a developer's perspective, I've not been able to find out how one would go about doing this other than I suppose contacting Netscape/AOL or Microsoft directly and passing along various salespersons until you found the person who could tell you how you could pay to have your CA's signature put into the next version. It still doesn't help the millions of people who haven't upgraded yet and will still get that error message.
Further, even if you could manage to get your signature into the new versions of the browsers, there's still the issue of what a CA is supposed to do. The CA exists to verify that the server is run by who it says it is. That means when you go to www.mcdonalds.com to buy burgers and check the certificate and it says "McDonald's, Inc." the CA had better have done its job and verified that the server is indeed being run by the golden arches people. If not, and the customer gets a load of rancid meat, I don't know what kind of liability comes into play, but in the U.S. anyway, someone's probably going to try to sue someone. It's hard to run the kind of services you need to be able to do this sort of thing reliably out of your living room, which means that the cost of entry is rather high. (This is completely ignoring the fact that most CA's I've dealt with lately just seem to accept any old thing you feel like faxing them with whatever letterhead you can throw together. As long as I have a Microsoft Word Form Letter Wizard that can put the McDonald's logo on my letterhead, I could probably get a certificate signed by one of the big CA's stating that I'm McDonald's, Inc.)
So, the problem with this merger is that if you combine Thawte and Verisign, they not only have 99% of the market, but also they, or subsidiaries of those two companies, are most of the CA signatures included with the current version of your web browser. The monopoly is not only in the market share, but also in the fact that the browsers themselves limit the number and which companies are "allowed" entry into the business without generating error messages on the client machines.
One solution would be to separate out the encryption from the trust capabilities; i.e. don't make having a valid X.509 certificate on your site a prerequisite for doing encryption. Or at least program the browser differently so the error message just warns about an unsigned certificate but specifically states that encryption is still capable, you just can't verify that the site is run by who it says it is. Again, this still doesn't fix the problem of the millions of people using current or old versions of the browsers out there right now.
I obviously feel very strongly about this issue.
-=-=-=-=-
Re:The math... (Score:1)
Re:is this the new math? (Score:1)
59.6% --> 60%
39.6% --> 40%
-------------
99.2% --> 99%
Anyway, unless the actual total really is 100%, people would leave 99% to indicate that there still are a few others out there.
It's like scoring on standardized tests where they tell you you've beaten a certain percentage of other students taking the test. Their policy is never report 100%, even if you alone had the highest score in the nation.
Re:Someone needs to start a NON-PROFIT organizatio (Score:1)
Who's watching out for us??? (Score:1)
=======
There was never a genius without a tincture of madness.
Re:Maths, 101 (Score:2)
While I agree with this statement in principle, in practise it's not going to happen anytime soon. I work for a web development/hosting agency in the UK, and am "in charge" of one of the websites we host (that's in charge in the sense that should anyone have a question of a technical nature regarding the site, it's me that they (should) come to).
I was informed a few days ago by one of our sysadmins that the site is accounting for roughly 40% of the processor usage on the Sun server it's sharing with a few other sites. The secure server is only protecting half a dozen or so pages, totalling probably about 100-120K in size. There are a couple of CGIs, but they're both relatively simple. Were we to move the entire site over to SSL, I very much doubt that the server would be able to handle it adequately.
If you only encrypt the stuff you don't want "the wrong people" to see, "the wrong people" know where to look.
That, I agree with completely. Those of us who regard encryption as a good thing really ought to be encrypting as much as possible, even the emails that are literally just "Hi, how are you? Mail me back when you've got time!". If only more of my friends actually had the faintest idea how to use encryption, then I'd be able to (the one that's the most clued-up in this area, a sysadmin, is still "meaning to have a look at PGP when I get round to it"). More work needs to be done to integrate encryption seamlessly with email clients (and instant messengers? IRC?) before it will be adopted more widely.
Cheers,
Tim
Re:Why do we need certificate providers? (Score:1)
The idea that you don't need certs to digitally sign docs leads to numerous problems including forgery, using compromised keys and other policy problems.
(Or even more reliable as the digital signature also ensures that the document contents have not been changed since being signed)
But suppose I intercept this transmission of this document -- I can change the contents and the signature because I can also corrupt your local store or the public key (or even intercept your access for the public key). Despite your previous trust relationship, I've changed the doc.
In addition, this is an IETF standard.
Re:The Slashdot Address (Score:2)
(This is posted at plus-two to keep it from vanishing beneath your threshold anytime soon.)
--
Re:Why it's a bad thing (Score:1)
Amazing!!! (Score:1)
Amazing!!! (Score:1)
orwell (Score:1)
Orwellian means:
"Of, relating to, or evocative of the works of George Orwell, especially the satirical novel 1984, which depicts a futuristic totalitarian state." (dictionary.com)
Please do not refer to monopolistic business practices as Orwellian. They are not, and calling them such merely serves to erode the meaning of the term.
Re:Why it's a bad thing (Score:2)
Your argument is that there is a significant barrier to entry into the market and that competitors cannot easily begin to compete because of this barrier.
My point would be that there is a significant barrier to entry into every market, otherwise I'd be in them all. Your related point that it would take a not trivial amount of money to begin competing also doesn't make sense, as if there is enough profit to be made then the appropriate investment is justified.
My point is, that monopoly or no as a company's performance begins to suck then the money to be made will outweigh the cost of entry, otherwise it's not worth entering the market at all.
See Bionomics by Michael Rothschild for where I get all my ideas.
Hotnutz.com [hotnutz.com]
Re:The Slashdot Address (Score:1)
This is definitely the best use of karma bonus I have seen; thanks, Tau Zero, for giving me the opportunity to see such a beautiful piece of work, despite the misguided efforts of the moderators (and my own unfortunate tendency to threshold at 0).
Re:this seems unacceptable (Score:1)
does anyone know what root certs Mozilla will be supplied with, when/if it gets to a stable release?
--
Re:this seems unacceptable (Score:1)
This is true only if there are no barriers to entry. But key pair authorization has a huge barrier to entry: you are essentially paying for the trust people have in the company, and trust begets more trust.
It's the same reason why you won't have much hope starting your own general auction site: EBay is valuable precisely because lots of people use it already. The more people use it, the more valuable it is, and the more new users it will attract.
-Erik
Re:Maths, 101 (Score:1)
Re:The DOJ *are* investigating this (Score:1)
=======
There was never a genius without a tincture of madness.
server choice, bank rules (Score:2)
Verisign and Thawte provide different choices for the SSL web servers you can use.
Many banks will not allow a company to sell their products over the Internet unless the transaction is handled over an SSL connection.
Therefore, if you are interested in e-commerce, and happen to be outside the U.S., I would be very worried about this development.
In the future... (Score:1)
Or have Netscape and Microsoft already thought of this? hmmm...
OK, that wouldn't help the folks running Netscape 2.0, but it might prevent a nasty future monopoly...
--
Re:Why it's a bad thing (Score:4)
I absolutely agree. I'm not even sure that I would say that a Verisign/Thawte merger *should* be considered a "monopoly", only that it would certainly, for *many* reasons, be "bad" for the industry.
In fact, as I sort of skirted around in the previous comment, I don't even think the best solution to the problems that would certainly arise from a merger between these companies would be to disapprove the merger but to revamp the way secure communications happen over HTTP. As someone else pointed out in another comment somewhere, IPSec is something that might make the merger a moot point anyway, but I think the deployment timeframe for IPSec will prevent it from being a "total" solution for some years.
"Your argument is that there is a significant barrier to entry into the market and that competitors cannot easily begin to compete because of this barrier."
Not entirely, just that several barriers exist, two of which (the list of CAs that come with the browsers today and the relative cost and/or difficulty of becoming a company that people will trust to verify the identities of sites on the 'net) aren't even really related to a server's ability to do encryption. If it were just a matter of writing some new software, you've gotta admit the entry to the market would be a lot easier since all you'd need were some good programmers as opposed to trying to make some sort of "Relationship" between yourself and the browser makers and also the ability to accurately do identity verification.
The biggest problem, as I see it, is that the way SSL happens, you HAVE to have a CA before your server can effectively do SSL, even though the signing of your certificate has nothing directly to do with the fact that your SSL server can do encrypted HTTP traffic.
The fact that SSL servers act the way they do causes lots of problems with a situation like this because you can't really "blame" Verisign or Thawte for making SSL happen the way it does - so is it their problem that you need to get a CA to sign your certificate before your browser will stop complaining about an invalid certificate? Does that mean you shouldn't let them merge? Isn't it Netscape's "fault" for designing SSL the way it is that you have to have a signed certificate to do SSL? Is it the browser manufacturers' fault for not making the error messages more descriptive that a certificate signed by someone not in the built-in list of CAs has no bearing on the security of the connection?
Every time I have to deal with setting up a new SSL server, it just reaffirms my conviction that the whole SSL thing just needs to be redesigned to avoid these issues to begin with. Have one part of the spec handle encrypted communications and another part entirely deal with the certificate/identity part of the issue. (I'm sure the reason it's done the way it's done is because Netscape believed that by now there would be so much encrypted commerce over the internet by now, between companies and individuals, that the X.509 certificate on the parts of both parties would be an invisible part of the situation to the point that you would simply go to a website and click "buy this" and the server would initiate some sort of secure connection to get *your* X.509 identity and handle all the commerce stuff invisibly, instead of the more-or-less invasive method of going to the secure server and filling out a bunch of HTML forms with your personal information that we're actually doing.)
And besides, it would make me feel better if we didn't need the CAs to do SSL because I get so irked that they like to claim that they're a necessary part of doing secure communications over the Web, when that's such a misleading statement. And Verisign's the worst because they don't even do the part of the job they're supposed to do (identity verification) very well and still want to gouge you for hundreds of dollars to do it.
-=-=-=-=-
Re:Formula (Score:2)
Re:The Slashdot Address (Score:1)
"Evil...it's not just for Satan anymore" --Me
Re:orwell (Score:2)
Orwellian means: "Of, relating to, or evocative of the works of George Orwell, especially the satirical novel 1984, which depicts a futuristic totalitarian state." (dictionary.com)
Please do not refer to monopolistic business practices as Orwellian. They are not, and calling them such merely serves to erode the meaning of the term.
This is absolutely evocative of said literature (and I should have said authentication, not authorization, excuse my vocab) - the key pair system exists, I believe, to protect our privacy, and a system in which one body as opposed to several potential ones, may hold the key to our ultimate communication encryption scares me - it is in conflict with notions such as 'choice' or 'free speech' - even if it is ultimately dealing with financial transactions for the most part. This is not a monopoly in your usual sense - this is specific to personal safety, and I don't care for the thought of there being a central authority in that regard. Disagree? That's your right - but it smacks of orwellian to this drooling moron.....
Pointer to previous slashdot discussion, DOJ, FTC (Score:1)
Complain to antitrust@ftc.gov [mailto] and newcase.atr@usdoj.gov [mailto] (see http://www.usdoj.gov/atr/contact/newcase.htm [usdoj.gov] ). They do listen sometimes!
--Neal
Verisign bad, Entrust good (Score:2)
I went to the Entrust [entrust.net] site to see if they might have a root CA certificate I could download. Bingo! They do!
Now tell me why a big resourceful company like Verisign is totally unable to build a root CA certificate for Netscape 3.04 while a little puny company like Entrust has the resources to pull it off (and even earlier versions).
And Verisign [verisign.com] can't even get their web site to work without having to type in the "www." while most places, including Entrust [entrust.net] and Slashdot [slashdot.org] can.
Re:In the future... (Score:1)
Of course this will confuse the 99.9% clueless biomass that has infested the net these days.
Slashdot should generate their own root CA certs and let us install them ourselves.
Re:Well (Score:1)
Why isn't Entrust in at least the newest browsers?
Really, the only root cert that comes in a browser should be the browser maker's own, and then the browser maker would sign, using the private half of this cert, the CA certificates, which should be obtained dynamically via HTTP. Then new CAs can be added more readily.
Disagree on one point (Score:2)
Rancid meat? That is a normal and successful purchase at McDonalds. ["Our pledge to you is at least one bandaid in every egg mcmuffin!"]
Your other points are spot on.
Re:Why it's a bad thing (Score:1)
I realise that the browsers require a certificate... any certificate (trusted or not) to connect to an SSL web server, but why ?
Is it not just another protocol, encapsulating data that has been encrypted, and passing it straight to the server that passed your browser the encryption key ?
My customers know that they are at my company because they have that URL in their browser location. If corporate identity on the web was going to be such an issue, why is the DNS system not plagued by encryption and certificates ?
We should be demanding that browsers allow secure connections to any URL, not just those with a meaningless certificate !
Somehow, ppl need to understand that the connection is encrypted and not the database at the other end.
If the system storing the information is not secure, then you might as well not have had the secure connection in the first place.
What am I trying to say ... yes the current certificate issuing / browser-bundling issue is dire, but it needn't be that way ! Just allow a secure connection and make sure you read a privacy statement of the site's policy on storing your sensitive information :)
Re:Thawte's demise is depressing (Score:1)
its not a buyout ! (Score:1)
when they are not.
you are making it something that it isnt.
when companies hand people have choices they are
just being acquired.
Re:Verisign bad, Entrust good (Score:1)
See my previous post [slashdot.org] for the root cert URL
Re:Well (Score:1)
The problem with this is that the browser producer's key becomes a link in the security chain. At least CAs have a big incentive to keep their root keys very secure - their whole business depends upon it. Would you trust MS to keep their key for IE6 securely?
Maybe someone like AOL/MS could afford to hire the expertise to check that they are doing things securely (whether they would bother is a different question), but would Opera, or any other potential competitor, have the resources to keep their keys in guarded safes in the way that the CAs do?
Difficulty of being your own CA (Score:2)
Due to the root CA crap, it's not easy. I thought maybe we could become our own internal CA and get one of the root CAs to sign our CA so it chained up and was recognized by browsers, but you wouldn't BELIEVE how much that costs. Even Thawte charged a fortune. $20,000 plus a dollar for each cert we'd sign.
So I set up our own CA. I could embed our own root CA into all browsers we distribute. I also put the root CA [dtcc.edu] on our web server so people could choose to import it into their own browsers, but for whatever reason, IE 4.5 on a Mac does not have this ability. Plus you wouldn't believe how many people bitch about installing the root CA due to the dire messages some browsers put out about it, but these same people think nothing of granting a java applet permissions to "read/write files/settings" from some unknown site.
It's a mess, and sometimes I think it's all a scam to make encryption for the masses to be too much of a pain in the ass to bother.
Yes, verifying a server's identity is important for e-commerce situations, but if given the choice between encrypted traffic between two unverified points or unencrypted traffic between two unverified points (which is what almost all net traffic is anyway), marginal safety is better than no safety (as long as it doesn't lull you into a false sense of security).
One goal of mine was to prevent a boss of mine from saying "get this slacker's e-mail from his account or else be fired" in the future. Then I could say "it's all encrypted, sorry." (Thank *GOD* I've never been asked this in my 10 years as a net administrator here...yet)
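The browser behaviour described in the "Why it's a bad thing" comment and the private-CA setup in the comment above can be reproduced with the OpenSSL command line. This is an added example, not code from any poster; the CA and host names are constructed, and a PEM bundle stands in for the browser's built-in CA list.

```shell
#!/usr/bin/env bash
# Added example; every name below (Bundled Vendor Root, Campus Private Root,
# mail.campus.example) is constructed for the demo.

# Create a self-signed root CA certificate: new_root <key-out> <cert-out> <org-name>
new_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/O=$3/CN=$3" -keyout "$1" -out "$2" 2>/dev/null
}

# Build the demo PKI in directory $1.
make_pki() {
    local d="$1"
    # A root that stands in for the CAs preinstalled in the browser.
    new_root "$d/bundled.key" "$d/bundled.crt" "Bundled Vendor Root" || return 1
    # The private root an administrator creates for their own CA.
    new_root "$d/root.key" "$d/root.crt" "Campus Private Root" || return 1
    # Server key pair plus a signing request carrying only the public key and name.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Campus/CN=mail.campus.example" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    # The CA signs the request. server.key is never an input here, which is why
    # a CA cannot decrypt traffic protected by the certificates it issues.
    openssl x509 -req -in "$d/server.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -sha256 -days 30 -out "$d/server.crt" 2>/dev/null || return 1
}

# Succeeds only if <cert> chains to a root in the PEM bundle <store>.
# (openssl may also consult the system CA directory; a freshly generated
# private root cannot be in it.)
trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Verify the same server certificate before and after the private root is
# imported into the trust store, and report both results.
demo() {
    local d before after
    d=$(mktemp -d) || return 1
    make_pki "$d" || { rm -rf "$d"; return 1; }
    # Trust store as shipped: only the bundled root.
    cp "$d/bundled.crt" "$d/store.pem"
    if trusted_by "$d/store.pem" "$d/server.crt"; then before=trusted; else before=untrusted; fi
    # The user imports the private root; the server certificate is unchanged.
    cat "$d/root.crt" >> "$d/store.pem"
    if trusted_by "$d/store.pem" "$d/server.crt"; then after=trusted; else after=untrusted; fi
    rm -rf "$d"
    echo "before-import=$before after-import=$after"
}

demo
```

The server certificate and key are identical in both checks; only the contents of the trust store decide whether the chain validates.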
We need a standard (Score:1)
I've had to switch email clients many times, that gets kind of frustrating. We need one encryption method that all clients support, for free. I do like the way Thawte has the "free" digital sig, and you can add your actual name to it with a little bit of verification. People will never use this stuff consistently unless it becomes a standard.
Fook
Re:orwell (Score:1)
Certificate Authorities (CAs) *CANNOT* read your encrypted traffic, which seems to be what some people think. All they do is sign your PUBLIC key, the one available to everyone.
Re:In the future... (Score:1)