Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] Who sells the least expensive SSL certs right now?



> From: Bill Bogstad [mailto:bogstad at pobox.com]
> 
> However, I am not sure why I would ever bother to revoke a certificate for a general purpose web site.

Depends on your website.  For https://nedharvey.com, I wouldn't bother with revocation.  But for *.microsoft.com, if I were the admin there, you can bet your sweet buns I would follow through with revocation.  Because if the private key were compromised, and some bad guys want to perform MITM attacks to compromise high value assets - that should be taken seriously.


> As for someone
> else spoofing my site with the stolen cert, I thought that it was
> still possible to get certificates signed for almost any domain from
> some of the CAs.

In general, no, no random schmos out there can get a CA validated cert for a random domain.  I'm not sure where you got your information, but it's almost completely rubbish in this case...

The tiny grain of truth, which the above quote has conflated beyond sanity or reason, is this:  

The actual individuals who operate the CA, of course, could generate certs for any domain they don't own.  Also, it's likely the President of China probably has some way of getting a cert from Hong Kong Post.  Which is a real thing that's really on Apple's and Mozilla's CA trust list.  I'm guessing the POTUS and the CIA probably have ways of getting certs out of Verisign and others.  Also, there have existed situations where some root CA sold intermediates to customer companies - the owners of those intermediates would then be able to sign stuff they didn't actually own.

Speaking of Hong Kong Post - the list of root CAs distributed by Microsoft has 43 roots in it, all of which seem at least moderately trustworthy IMHO.

Linux, Mozilla's and Apple's root trusts are over 140 roots, including various foreign governments (I named Hong Kong Post as an example.  There are many others.)
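An added example, not from this thread: a Go program that does the kind of trust-store audit the root counts above invite, parsing a PEM bundle, keeping only self-signed CA certificates (roots, not intermediates or leaves), and tallying them by the subject's country. `MakeRootPEM` is a hypothetical helper that generates throwaway self-signed roots so the audit runs offline on constructed data; to audit a real store, pass the bytes of your distribution's CA bundle to `RootsByCountry` instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"strings"
	"time"
)

// MakeRootPEM builds a throwaway self-signed CA certificate (constructed test
// data, not a real root) so the audit below can run without a system store.
func MakeRootPEM(org, country string, serial int64) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		Subject:      pkix.Name{Organization: []string{org}, Country: []string{country}},
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// RootsByCountry walks every CERTIFICATE block in a PEM bundle, skips anything that
// is not a self-signed CA, and counts roots per subject country ("" = none stated).
func RootsByCountry(bundle []byte) (map[string]int, error) {
	counts := map[string]int{}
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // e.g. stray keys or parameters in a mixed bundle
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		// A root is a CA whose own signature verifies with its own public key.
		if !cert.IsCA || cert.CheckSignatureFrom(cert) != nil {
			continue
		}
		counts[strings.Join(cert.Subject.Country, ",")]++
	}
	return counts, nil
}
```

Seeing the breakdown by country is a quick way to decide which of the 140-odd roots in a store you actually want to keep trusting.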





BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org