
Validation - not a fixed cost. Some can take several real man-hours to complete, and additional costs of access to third-party databases, translation costs. I see it possible to make a loss on some certs purely in validation.

Oh, so if validation is the big factor then why do you make me pay my hundred bucks year after year? Shouldn't it go down to, say, $10 from the second year onwards?

Also I have certified quite a few domains for the same company. Thawte strangely didn't ask us to send n copies of the same paperwork - but still happily charged the full fee for each cert.

Legal costs - insurance premiums for something this specialised are high

Again. Cry me a river. I have no idea how many customers VeriSign and the ilk have but the figure must be in the millions. Assuming an average profit per customer, per year of only $50 (which is probably a low shot) I'm not so worried about your insurance fees.

CA chaining - as per other comments, you're looking at potentially $50K

Wow. Assuming one million customers this is almost half a day's worth of revenue! Indeed, you guys are suffering over there...

Plus, it keeps me gainfully employed :)

I'm not attacking you personally. I just hate being ripped off like that. And it is a rip-off, no matter how you spin it.



Not sure which CA you went with, but we re-validate each time you renew.

I don't know about the premiums or your figures - could be right. The same figures could well apply to many hosting companies though, and they don't have the insurance. Just an example.

I don't believe it's a rip-off anymore. Yes, you can still pay $1000 for a cert. You can also pay $100. Is $100 too much? For something you couldn't make for yourself without several million dollars or 'just' a few hundred thousand and 5+ year wait before being able to use it?


The same figures could well apply to many hosting companies though, and they don't have the insurance. Just an example.

Hosting companies have actual, real expenses, such as hardware dedicated to each customer.

I don't believe it's a rip-off anymore. Yes, you can still pay $1000 for a cert. You can also pay $100. Is $100 too much? For something you couldn't make for yourself without several million dollars or 'just' a few hundred thousand and 5+ year wait before being able to use it?

I don't know what kind of kool-aid you've been drinking but these are the structures that I'm criticizing. That's why I'm calling for legislation. Verisign and friends should be put out of business today rather than tomorrow. They have proven maliciously incompetent for long enough, really.

They should be replaced with one government-operated CA per country. The government has better tools to validate identity than any privately held company anyways.

Moreover this would finally enable Joe Sixpack to make meaningful guesses about which websites to trust. Countries would quickly grow a reputation for certifying scammers or not. Browsers could offer customizable CA ratings where, for example, a site certified by Nigeria triggers a popup warning.

The CAs could further establish multi-country validation for more trust. I.e. "this cert has been signed by USA and France".

None of this is possible with the current oligopoly of "Verisign", "Thawte" and friends. Despite their insane revenue they're not even trying to improve the situation. They're not just slowing progress, they're actively pushing it backwards with brainfarts like those colored address-bars.

All for the sole purpose of making the money-printer run even faster.
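The two concrete mechanisms this comment proposes, a site certificate carrying signatures from more than one government CA and a browser-side, user-customisable rating per issuing country, can be sketched in a few dozen lines. The following is an added example written for this thread, not code from any commenter, browser or CA. It models certificates as small records signed with a deliberately tiny textbook RSA (insecure, standard library only, so it runs offline); real X.509 handles cross-signing by issuing separate certificates per issuer rather than stacking signatures on one record, so the data model here is a simplification. Country codes, CA names, seeds and the sample sites are all constructed.

```python
"""Toy model of multi-country cross-signing plus per-country CA ratings.
Added illustration; toy RSA with ~1e6-sized primes and no padding is NOT secure."""
import hashlib
import json
from dataclasses import dataclass, field
from math import gcd, isqrt


# ---- toy RSA (constructed for this example) ----
def _next_prime(n: int) -> int:
    """Smallest prime >= n by trial division (fine for the small seeds used here)."""
    while not (n > 1 and all(n % f for f in range(2, isqrt(n) + 1))):
        n += 1
    return n


def make_keypair(seed: int, e: int = 65537):
    """Deterministic key: p, q are the first primes at or after two seeds."""
    p, q = _next_prime(seed), _next_prime(seed * 2 + 1)
    while gcd(e, (p - 1) * (q - 1)) != 1:      # keep e invertible mod phi(n)
        q = _next_prime(q + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))         # (public, private)


def _h(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_h(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _h(data, n)


# ---- certificates with several issuer signatures ----
@dataclass
class Cert:
    subject: str
    country: str                 # for CA certs: the state operating the CA
    pubkey: tuple
    signatures: dict = field(default_factory=dict)   # issuer subject -> signature

    def tbs(self) -> bytes:
        """To-be-signed bytes: everything except the signatures themselves."""
        return json.dumps([self.subject, self.country, list(self.pubkey)]).encode()


def make_root(subject: str, country: str, seed: int):
    pub, priv = make_keypair(seed)
    root = Cert(subject, country, pub)
    root.signatures[subject] = sign(priv, root.tbs())   # self-signed trust anchor
    return root, priv


def cross_sign(issuer: Cert, issuer_priv, cert: Cert) -> None:
    """Attach one more issuer signature ("signed by USA and France")."""
    cert.signatures[issuer.subject] = sign(issuer_priv, cert.tbs())


def rate_site(cert: Cert, trust_store: dict, ratings: dict, min_countries: int = 1):
    """Return (decision, countries whose government CA validly signed cert).

    trust_store: subject -> self-signed government root the browser ships.
    ratings: country -> 'trust' | 'warn' | 'block'; unknown countries are 'warn'.
    Only the signing CA's country matters, not what the leaf claims about itself."""
    valid = []
    for issuer_name, sig in cert.signatures.items():
        root = trust_store.get(issuer_name)
        if root is None:                           # CA not in the anchor set: ignored
            continue
        if not verify(root.pubkey, root.tbs(), root.signatures.get(root.subject, 0)):
            continue                               # damaged anchor
        if verify(root.pubkey, cert.tbs(), sig):
            valid.append(root.country)
    if not valid:
        return "untrusted", valid
    if any(ratings.get(c, "warn") == "block" for c in valid):
        return "block", valid
    if sum(ratings.get(c) == "trust" for c in valid) >= min_countries:
        return "trusted", valid
    return "warn", valid


def demo() -> dict:
    """Run constructed scenarios and return {scenario: decision}."""
    usa_root, usa_priv = make_root("USA Gov CA", "US", 1_000_000)
    fr_root, fr_priv = make_root("France Gov CA", "FR", 3_000_000)
    ng_root, ng_priv = make_root("Nigeria Gov CA", "NG", 5_000_000)
    store = {c.subject: c for c in (usa_root, fr_root, ng_root)}
    ratings = {"US": "trust", "FR": "trust", "NG": "warn"}    # user-customisable

    site_pub, _ = make_keypair(7_000_000)
    shop = Cert("shop.example", "US", site_pub)                # constructed sample site
    cross_sign(usa_root, usa_priv, shop)
    cross_sign(fr_root, fr_priv, shop)
    ng_only = Cert("promo.example", "NG", site_pub)
    cross_sign(ng_root, ng_priv, ng_only)
    # Valid signatures copied onto a record with a different subject must fail.
    forged = Cert("evil.example", shop.country, shop.pubkey, dict(shop.signatures))
    # A CA the browser does not ship as an anchor counts for nothing.
    unk_pub, unk_priv = make_keypair(9_000_000)
    private_only = Cert("other.example", "US", site_pub)
    cross_sign(Cert("Some Commercial CA", "XX", unk_pub), unk_priv, private_only)

    return {
        "us_and_fr": rate_site(shop, store, ratings, min_countries=2)[0],
        "nigeria_only": rate_site(ng_only, store, ratings)[0],
        "nigeria_blocked": rate_site(ng_only, store, {**ratings, "NG": "block"})[0],
        "forged_subject": rate_site(forged, store, ratings)[0],
        "unknown_ca": rate_site(private_only, store, ratings)[0],
        "need_two_have_one": rate_site(ng_only, store, {"NG": "trust"}, 2)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The policy layer is the part worth noticing: the decision is driven by which government roots actually validated the signature, never by the country string the site puts in its own certificate, and a signature from a CA outside the anchor set is simply ignored rather than treated as an error.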


The government. Oh yeah great idea. So when you post something critical of the wrong official or say the wrong words on your website your certificate is summarily revoked.


Depends. Some governments (hello China) may indeed do such a thing but if you have such drastic steps taken against you then your SSL certificate is probably the least of your worries.

I'm not saying that this solution would be perfect and yes, most governments don't exactly have a flawless track record of managing, well, anything.

But no matter how screwed an actual implementation would end up - it can't get much worse than what we have now.

Admittedly a government has relatively little motivation to make SSL good. But even that is still better than what we have today with the commercial CAs - those have a strong and frequently proven motivation to make SSL worse!



