Not sure which CA you went with, but we re-validate each time you renew.

I don't know about the premiums or your figures - could be right. The same figures could well apply to many hosting companies though, and they don't have the insurance. Just an example.

I don't believe it's a rip-off anymore. Yes, you can still pay $1000 for a cert. You can also pay $100. Is $100 too much? For something you couldn't make for yourself without several million dollars or 'just' a few hundred thousand and a 5+ year wait before being able to use it?

The same figures could well apply to many hosting companies though, and they don't have the insurance. Just an example.

Hosting companies have actual, real expenses, such as hardware dedicated to each customer.

I don't believe it's a rip-off anymore. Yes, you can still pay $1000 for a cert. You can also pay $100. Is $100 too much? For something you couldn't make for yourself without several million dollars or 'just' a few hundred thousand and a 5+ year wait before being able to use it?

I don't know what kind of kool-aid you've been drinking but these are the structures that I'm criticizing. That's why I'm calling for legislation. Verisign and friends should be put out of business today rather than tomorrow. They have proven maliciously incompetent for long enough, really.

They should be replaced with one government-operated CA per country. The government has better tools to validate identity than any privately held company anyways.

Moreover this would finally enable Joe Sixpack to make meaningful guesses about which websites to trust. Countries would quickly grow a reputation for certifying scammers or not. Browsers could offer customizable CA ratings where, for example, a site certified by Nigeria triggers a popup warning.

The CAs could further establish multi-country validation for more trust. I.e. "this cert has been signed by USA and France".

None of this is possible with the current oligopoly of "Verisign", "Thawte" and friends. Despite their insane revenue they're not even trying to improve the situation. They're not just slowing progress, they're actively pushing it backwards with brainfarts like those colored address-bars.

All for the sole purpose of making the money-printer run even faster.


The government. Oh yeah great idea. So when you post something critical of the wrong official or say the wrong words on your website your certificate is summarily revoked.


Depends. Some governments (hello China) may indeed do such a thing but if you have such drastic steps taken against you then your SSL certificate is probably the least of your worries.

I'm not saying that this solution would be perfect and yes, most governments don't exactly have a flawless track record of managing, well, anything.

But no matter how screwed an actual implementation would end up - it can't get much worse than what we have now.

Admittedly a government has relatively little motivation to make SSL good. But even that is still better than what we have today with the commercial CAs - those have a strong and frequently proven motivation to make SSL worse!
