Question : SSL Certificate Authorities

Just under a year ago we purchased an SSL certificate from Verisign for our online store. Now it's time to renew and Verisign wants a boatload of money. I know of two others - Geotrust and Thawte. We require 128-bit encryption and would prefer to have a warranty of at least $10,000 for our customers should the encryption fail (read: never). We will be installing this on an IBM i-Series in an Apache environment.
I am looking for a somewhat less expensive solution, if possible, to accomplish the same goal. If anyone has any experience or advice to give, bring it on.

Answer : SSL Certificate Authorities

Here's an older discussion that I've provided on SSL Certificates;  my general experience is that Thawte and Verisign CAN provide a higher level of authentication.  Geotrust also now offers higher levels of trust, and I've had many people report back that they've had positive solutions.  So, the discussion below is a bit old, but much of it still applies.

There are many SSL solutions, which do various levels of certification.  Traditionally, SSL web server certificates indicate (a) that the information is coming from that given domain, and (b) that the person or business who has the SSL certificate is in fact the business or person they say they are, and has a right to use the domain, according to a certifying agency.

Browsers have 'root certificates' installed for the recognized agencies - if your certifying agency is yourself, browsers will not automatically recognize you as an authority (nor really, should they).

There are several signing authorities;  however not all of them are created equal.  Traditionally, authorities verified that the user had a right to do business under a given name, as well as verified that there really was a business at that location, and that it had a right to a given domain name; newer authorities simply issue the domains on a contract trust.

Perhaps the most widely recognized and oldest authorities are Verisign and Thawte (which was originally a separate company that is now owned by Verisign).  Close behind is GeoTrust.

Many of the newer and lesser known signing authorities are not automatically supported on the older browsers - users of those browsers have to download a root certificate to recognize these other signing authorities as an authority.

You can even self-sign certificates for a domain - but most browsers notice that it isn't from a recognized signing authority, and will shout out warnings about being signed from an unrecognized authority.  By using an authority that is recognized by the browsers, you are indicating an additional layer of security - i.e. that the user of the domain actually has a right to be using the domain.

Many of these newer authorities do not perform the extensive background checks that Verisign and Thawte perform prior to issuing a certificate. Verisign and Thawte certs not only allow the web server to safely encrypt transmissions, but they also certify that the person who is delivering the content is who they say they are by requiring certificate requesters to send in company documentation.  Each certificate request is actually handled by a human being, as opposed to an automated process.  

Thawte has recently also produced a product called 'SSL 123' that was created to compete with the GeoTrust certs and the like;  basically, they forgo the extensive background checks and simply rely on the whois information to verify data.  I've used both the Thawte regular SSL certs and the SSL123 certs with great success.

Verisign is the grand-daddy of the certifying agencies, but is the most expensive.  Its certificates are widely compatible, as are Thawte's:

Some notes I have on compatibility with browsers:

Thawte - http://www.thawte.com
Compatible with: Netscape 2.x and above, AOL 3.02 and above, MSIE 3.02 and above
http://www.thawte.com/html/SUPPORT/browsers.html

TrustSSL - http://www.trustssl.co.uk
According to TrustSSL's faq, it supports MSIE 5.0 and above, Netscape 4.x and above, and AOL 5 and above:
http://www.trustssl.co.uk/faq_general.html#browsers

InstantSSL - http://www.instantssl.com
InstantSSL offers similar support, for MSIE 5.0 and above, Netscape 4.x and above, AOL 5.x and above, and Opera 5.0 and above:
http://www.instantssl.com/ssl-certificate-support/ssl-certificate-browser_compatibility.html
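
The difference between a self-signed certificate and one issued by a recognized authority, as an added example that is not part of the original answer: a throwaway root (standing in for a root certificate a browser ships with) issues two certificates, and a third is self-signed. All names and the `issue`, `trusted` and `has_org` helpers are constructed for illustration; it assumes the `openssl` command-line tool is installed.

```bash
#!/usr/bin/env bash
# Constructed demo: every name below (Demo Root CA, Demo Shop Ltd,
# shop.example.test) is made up. Requires the openssl CLI.
set -eu
dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT
printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' \
  'CN = placeholder' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$dir/ca.cnf"

# Stand-in for a root certificate that a browser ships with.
openssl req -x509 -config "$dir/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
  -nodes -days 30 -subj "/O=Demo Root CA/CN=Demo Root CA" \
  -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null

# issue NAME SUBJECT: create a CSR and have the demo root sign it.
issue() {
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$dir/$1.key" -out "$dir/$1.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$1.csr" -CA "$dir/root.crt" \
    -CAkey "$dir/root.key" -CAcreateserial -days 30 \
    -out "$dir/$1.crt" 2>/dev/null
}
issue ov "/O=Demo Shop Ltd/CN=shop.example.test"   # company name checked
issue dv "/CN=shop.example.test"                   # domain name only

# Same names as "ov", but signed with its own key instead of by the root.
openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
  -subj "/O=Demo Shop Ltd/CN=shop.example.test" \
  -keyout "$dir/self.key" -out "$dir/self.crt" 2>/dev/null

# trusted NAME: does the certificate chain to the root in the trust store?
# A failure here is what produces the browser warning.
trusted() {
  openssl verify -CAfile "$dir/root.crt" "$dir/$1.crt" >/dev/null 2>&1
}

# has_org NAME: does the subject carry a company name (O=)?
has_org() {
  openssl x509 -in "$dir/$1.crt" -noout -subject -nameopt RFC2253 |
    grep -Eq '[=,]O='
}

for c in ov dv self; do
  t=no; o=no
  if trusted "$c"; then t=yes; fi
  if has_org "$c"; then o=yes; fi
  echo "$c: chains-to-root=$t company-in-subject=$o"
done
```

The self-signed certificate carries the same company name as the issued one yet fails the chain check: a name in the subject means something only when an authority the client trusts has signed it.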