- From: George Staikos <staikos@kde.org>
- Date: Sun, 7 Jan 2007 12:54:47 -0800
- To: W3 Work Group <public-wsc-wg@w3.org>
On 27-Dec-06, at 9:20 AM, Stephen Farrell wrote:

> Stuart E. Schechter wrote:
>
>> I don't think there is a large set of sites that can't afford a CA cert
>> (category 2) and actually require the security offered by HTTPS.
>
> I don't know of any evidence for that, but would be interested if there
> were some. (Technically, I could also quibble a bit with your statement,
> since we're discussing server-authentication, so I guess you meant an
> SSL-server cert above and HTTPS can also be used with D-H, without
> providing server authentication, though that doesn't get much use.)
>
> (At least in the developed world,) the point is not the actual amount,
> but whether or not to increase the existing bias towards getting
> people to pay commercial CAs for certs or not. Commercial CAs have
> their purpose, but should not IMO be required in order to create a
> perception of security for HTTP traffic. Sometimes they are
> appropriate, sometimes they just add a burden that arguably could
> cause less use of SSL - if it's too much hassle to turn it on.

I think we should aim to avoid talking about costs. Market pressures will solve this problem, and FWIW, the cost of a certificate is absolutely minuscule in the scope of the cost of operating a site no matter which country that site is located in. Home users and non-commercial users can just use their own issuing CA or self-signed cert.

--
George Staikos
KDE Developer http://www.kde.org/
Staikos Computing Services Inc. http://www.staikos.net/

Received on Sunday, 7 January 2007 20:55:25 UTC