Why isn't there an easy to issue Free SSL CA?
Where is the SSL Certification Authority that is issuing SSL certificates that are trusted by all browsers without a yearly fee?
It's bad enough that startups differentiate pricing tiers with SSL, why do we make it so user un-friendly to secure their visit?
10 comments
[ 2.5 ms ] story [ 31.4 ms ] threadThey've been doing it for years. So long as you get the intermediate CA cert installed on the server, their free certs seem to work fine in as near as practical "all browsers".
I believe we should have a SSL cert that only enforces the encryption but makes no claims about the server's owner or that any transaction is guaranteed up to a specific dollar amount.
I know you can self sign, but when the browser shows the user the site is self signed, they get nervous. Conversely, I could get a minimal identification req SSL cert from Godaddy that doesn't alert the user, but I have to pay at least $15 for that right.
My main issue or question is why SSL is paired with COMPANY/PERSON identification? Why do I rely on the CA to verify a company is real? Why aren't there 2 elements. One is encryption, one is identification. Encryption is free to implement with no warnings in the browser. ID can cost money to pay for the verification process.
Thoughts?
By not requiring ID, I meant Company name, state, city, etc.
I'm realizing that what I'm wanting is to split the SSL cert into 2 aspects. One provides security and endpoint verification. The other verifies the actual person/company and potentially insures that any losses will be covered. It seems like this is pretty much the idea of an EV cert (more verbose entity ownership) but that costs a ton.
I don't know about you, but I don't use the SSL cert to verify the legitimacy of a company. I do ensure it's there when sending sensitive information though.
It follows that you can get at best two out of these three: Free, Secure, Easy.