Slashdot Mirror

yet they don't even trust themselves. The seal at the Verisign owned THAWTE site currently says:

Invalid Certificate
2003-09-23

and when you click on it:

This page (thawte.com/html/ISP/index.html) is not permitted to display the Thawte Site Seal.

Irrelevant, but amusing nonetheless.

If you have SSL certificates from Thawte (a subsidiary of Verisign), you can send them a message today.

Email your Thawte rep to explain why you or, better yet, your huge organization :) won't be renewing your certificates with Thawte.

You can tell them "it's a trust thing" (their own motto).

And the URL for that is http://www.thawte.com/html/COMMUNITY/.

Thawte offers a free certificate, and the CA root certificate is already installed pretty much everywhere.

1. go to thawte and choose "get your FREE personal email certificate."
2. fill out the info (this is legit info folks) and eventually you'll create a key
3. after you have an account and a key, go here and log in
4. click on Certificates-> view certifcate status, then click on the link that goes with your created key. for me it says MSIE, since I used IE when creating that key. note that you'll have to wait a bit until the status of the key moves from pending to valid. don't bother clicking until it is validated.
5. at the bottom of that screen click fetch and install the key on your system
6. now you'll have that key (and the details are scetchy from here since i can't go look at it) but in Internet Options under Content i think there is a certificates button. click that, and you should have the key on that list. choose the thawte key and export it. you'll want to export it to include the private key as well and to include all certificates. it should be a pfx file. i think you can choose a password here
7. go into aim, in the options, and security. i think there's an advanced button or somewhere in there where you can import a file.. and you'll just have to open the PFX file you exported earlier. yay for you... now your 1337 and have a padlock by your name. expect to have a million people IM you and ask why it's there. lol

8. if something doesn't work, post the problem and i'll see if i can figure out what i didn't explain correctly. :-)

1. go to thawte and choose "get your FREE personal email certificate."
2. fill out the info (this is legit info folks) and eventually you'll create a key
3. after you have an account and a key, go here and log in
4. click on Certificates-> view certifcate status, then click on the link that goes with your created key. for me it says MSIE, since I used IE when creating that key. note that you'll have to wait a bit until the status of the key moves from pending to valid. don't bother clicking until it is validated.
5. at the bottom of that screen click fetch and install the key on your system
6. now you'll have that key (and the details are scetchy from here since i can't go look at it) but in Internet Options under Content i think there is a certificates button. click that, and you should have the key on that list. choose the thawte key and export it. you'll want to export it to include the private key as well and to include all certificates. it should be a pfx file. i think you can choose a password here
7. go into aim, in the options, and security. i think there's an advanced button or somewhere in there where you can import a file.. and you'll just have to open the PFX file you exported earlier. yay for you... now your 1337 and have a padlock by your name. expect to have a million people IM you and ask why it's there. lol

8. if something doesn't work, post the problem and i'll see if i can figure out what i didn't explain correctly. :-)

Aim has encryption now! Check out AIM Encrypt for a crude (everyone shares the same key) method of AIM encryption. For a more sure method, grab a free key from Thawte and use that instead. It works (I tried it), and will give you a unique keypair. (It gives you a padlock next to your screen name in AIM).

CA's like Thawte, which has its certificates accepted on almost all systems, will freely give out certificates for e-mail with no identity verification.

Thawte notaries can give you points toward your identitiy authentication. Visit enough notaries and your identity will be verified. Visit more notaries and you can become a notary yourself. (I'm a Thawte notary, btw.)

The fact that the USPS will require you to re-authenticate every 4 years seems troubling to me....

frob

Big whoop. You can do that by looking up people near you in Thawte's Web of Trust and getting identified enough times. I got my cert and then enough signatures in one evening at a local UG meeting to get my name on my cert. Get 100 points and then you too can certify others. And no one needs to pay taxes to support Thawte's free certs.

Go to Thawte, get their Free Personal Email Certificate for your browser/email. Then, from your browser (it works in Mozilla/IE) export it as a .p12 file. Then go in to the Advanced option in AIM's Security preferences, and import the .p12 file. You'll start getting an extra password prompt and a little lock icon.

Go to Thawte, get their Free Personal Email Certificate for your browser/email. Then, from your browser (it works in Mozilla/IE) export it as a .p12 file. Then go in to the Advanced option in AIM's Security preferences, and import the .p12 file. You'll start getting an extra password prompt and a little lock icon.

Thawte has provided free personal certificates through this Web of Trust for more than 5 years. I know, because I'm a WOT notary.

I agree with the apathy of many of the posts on this thread. People like the idea of being annonymous on the Internet, but they don't like the consequences that go with it.

Spam is a consequence of the freedoms provided by annonymity. While it may be possible to construct a new mail exchange system that prevents mail of uncertain origin, such solutions will likely have a cost of reduced personal annonymity (aka certification of origin or identification of sender).

-mazor

Just a thought. If you really need 2-factor authentication, setup the reverse proxy (unless you can get TiVo to require SSL client-side authentication). Pick up a smart card and reader from http://www.cardstore.slb.com/. I recommend the CyberFlex E-gate for this as it will reduce you overall costs and give you MAXIMUM convenience. Once you get this all set up (you may want to visit the M.U.S.C.L.E. site if you're using Linux or Mac OS X or other un*x variants), go to your favorite free-cert provider like Thawte/Verisign. When you generate your keys, be certain to instruct your smart card to do the work. Next, configure your web-server (TiVO or Apache) to require client-side SSL authentication and specifically, your certificate. Viola! Two-factor authentication. In this case, your private key makes your smart card very unique (what you HAVE) and you should set a PIN on your smart card to protect it (what you KNOW). If you're really up for a project, add some biometric (what you ARE) card-authentication for 3-factor authentication.

I've used Earthlink as an ISP for going on 6 years now, and I must say, I've never dealt with better. For one thing, in the years that I've had my earthlink address, I'd say I never get more than 3 or 4 spams per week. What is my secret? For starters, if I need to provide an e-mail address for something that may result in unsolicited messages, I use one of the free webmail providers (Hotmail, Yahoo!, etc.) I can check those to confirm what I wanted, then never check it again, and my Outlook (with my primary e-mail) doesn't fill up with useless crap.

Another way to stop the spam before it starts is to keep your e-mail address from getting on those lists in the first place. When posting to Usenet, BBSes, forums, even Slashdot, use some sort of clever cloaking (Slashcode does this already), or even a fake email. Encryption for e-mail such as using a free personal certificate from Thawte or a GPL encryption such as GNU Privacy Guard is always a good idea.

In addition, Earthlink's Spaminator is a Godsend. With that baby enabled, I'm lucky if I get one spam a month. Case in point: my mother has an Earthlink address that she uses for her business contact. She complained that she's getting hundreds of porn spam and "enlarge your penis"-type e-mails (no idea how these got here.) Setting up a few Outlook Express filters and enabling Spaminator cut the dirty messages by about 90%, and she is grateful she no longer has to wade through such filth to get to her real mesages.

The bottom line is, the fewer spammers that have your address, the fewer spams you're gonna get. I have a Hotmail that gets 1000+ spams a day. My real e-mails get next to none. It's just like telemarketers, they get your number from companies who need a contact info for whatever reason. However, Hotmail address are free, whereas extra phone numbers to give the telemarketers, and then never answer, are not. Well, we do have Caller-ID for that, but that's another post...

I dont believe how redundant some of you are. After living in South Africa for my entire life, I am proud to be South African.

South Africa, is far more ahead of the time and technology than some of you think. We aren't as sophisticated as any of the first world countries, but coming from a second world country, I think, we have come a loooong way.

Opensourceness in South Africa has also come a long way. In my province (KwaZulu Natal) some of the schools are switching to Linux and ridding them selves of M$ Windos. Even though M$ has offered low-cost licences and other packages, some of us are not blinded by this.

Please think of South Africa, not as a 3rd World country that has suffered and is in the process of developing, but as a country that has grown and has developed into a new era of technology, some even better than first world countries could. Take Mark Shuttleworth for example, he started Thawte, an internet based company that sparked most new encryption technology over the internet. His company was bought by Verisign for $400m.

South Africa is kewler than you think.

Personally, I joined the program when because they used to sign PGP keys also, unluckily they no longer do this.

Alex

"The Web of Trust is a unique, community-driven certification system based on face-to-face ID validation on a peer-to-peer basis. It's a "bottom-up" CA, compared to traditional "top-down" CA systems. You can be notarised, and then you in turn can act as a notary and certify the identity of your friends"

Thawte does offer a free certificate, which can be used to sign your applets. There is a guide on how to sign your code with that certificate. The only thing you need after signing up with them is to get notarized. This will most likely cost you a little money. It cost me around 12$ (yes, twelve dollars!) to become fully trusted and now my Web Start application is signed and trusted to the same degree as all the other expensive ones, for the full price of US$ 12!

Thawte does offer a free certificate, which can be used to sign your applets. There is a guide on how to sign your code with that certificate. The only thing you need after signing up with them is to get notarized. This will most likely cost you a little money. It cost me around 12$ (yes, twelve dollars!) to become fully trusted and now my Web Start application is signed and trusted to the same degree as all the other expensive ones, for the full price of US$ 12!

• Verisign
• Microsoft
• GTE CyberTrust
• KeyWitness 2048
• Thawte

• ABA.Ecom
• AddTrust
• American Express
• Baltimore CyberTrust
• BankEngine
• BelSign
• CertEngine
• Digit al Signature Trust Co.
• E-Certify
• Entrust.net
• Equifax
• FortEngine
• GTE CyberTrust
• GlobalSign
• MailEngine
• TC TrustCenter
• Thawte
• TraderEngine
• USPS
• ValiCert
• Verisign
• Visa International
• Xcert
• beTRUSTed

To see these under IE, Pull down the Tools menu, Choose "Internet Options", choose the "Content" tab, and click the "Certificates" button. Finally select the Intended Purpose labelled "Client Authorization", and use the right arrow to scroll over and choose "Trusted Root Certification Authorities". The list of certificates will be displayed in the box there, for your easy perusal.
In Netscape Communicator: Communicator menu, Tools, Security Info, Certificates, Signers.

But for proper compatibility, I think we're kinda stuck with IE's smaller list, minus M$ and KeyWitness 2048. So, that leaves:

• Verisign
• GTE CyberTrust
• Thawte

Although, if I remember correctly, you could get away by getting into the "circle of trust" even if your certificate isn't signed by one of these companies. Just get it signed by some company that is signed by one of those listed in the third list above, and theoretically that should be good enough. Although, I'm just speculating here, based on a little too much schooling... :)
(Of course, I've skipped over the whole 40/48/64/128-bit encryption hassles with IE, but that's more an issue for webmasters and a bit outside the scope of this discussion.)

What is surprising is that their prices are cheaper than the parent company's. I like their SPKI program, which allows you to get 5 certificates for $500.

What is surprising is that their prices are cheaper than the parent company's. I like their SPKI program, which allows you to get 5 certificates for $500.

And appears to be a different company than Thawte. I wouldn't trust them (or nelsonal now that I've read his endorsement).

Thwate's site is a different design than Thawte's site but still uses the 'Thawte' name. This looks like a lawsuit waiting to happen.

Thawte may be worth looking into. They used to be a competitor to Verisign, although now I believe they are owned by them (what isn't?).

They have certs available for $199. Still not cheap, but better.

-Pete

Neither. Its thawte

Who signs the certificate? I don't want to pay Verisign $200/year just so I can send email. I certainly don't want more spam from Waitrose just because they paid Verisign $200 for a certificate.

Thawte does. For free. As far as I remember, it's an automated system that requires a good deal of info to generate a certificate, and has a higher privilege certificate for people who have been independently stamped, probably like the PGP/GPG web of trust.

The point isn't to make a whitelist, but to exclude anyone who doesn't use a certificate. It would probably then be an ISP service to give you a certificate with every account signup (or let you get your own, or use your previous one if you have one already), so it would be significantly less a barrier to entry for new users. I think it would raise the stakes significantly for spammers, especially since forging a certificate is a legal offense, since signed documents are admissible as evidence, IIRC.

We use Thawte. I haven't seen any deceptive marketing practices from them. They have a root cert in just about every browser I've seen. Plus their certs are only $150 and $125 to renew. They also offer wildcard certs (*.netmar.com), but those are 1.) rediculously expensive, and 2.) IE doesn't deal with them well, it still gives an error message about the site not matching the name on the cert. Insert random conspiracy theory about verisign's involvemenet with Microsoft.

Basically, what you look for in an SSL cert is trust, price, and that it's in I.E. And I hate to say it, but of the people that issue certs, the only one that anyone in the general public has heard of is Verisign. (commercials - the value of trust, listed on nasdaq... Would I be proud to be listed on nasdaq nowadays?) If you're a webhosting provider, yes trust is important, and principles are important, but it's not the reason I would choose thawte over verisign, that would be price. Your customers most likely will never see who signs the cert as long as it's included in I.E. You would never want to use a cert that was included in moz, konq, galeon, netscape, but not in I.E. - You'll alienate 90% of the web.

It just so happens that I trust Thawte, and they are cheaper than Verisign. It's a good combination.

~Will

If we consider that Thawte is selling their 128-but SuperCerts at the price of US $300 per year, which is not even the highest price on the market (Verisign, $348, then:

it is completely understandable that the price is similar, as they are supposed to go into similar actions to verify the authentity of the registrant - or atleast this is what their marketing speach makes you think - that they only give this domain name for fully qualified registrants, this they can verify only by same procedures, as Thawte or Verisign. They sell different product, but need to do similar procedures to deliver the product

What is not understandable, is if their price for renewals is as high - as the work involved in renewal is minimal compared to first time granting. This is also the case with Thawte and Verisign, they charge way too much for the renewals too (Thawte, $300 Verisign $249 )

A lot of information is to be found at the First African In Space website. The are also a lot of pre-launch images in their photo gallery as well as more info on Thawte's founder Mark Shuttleworth.

Then, I go to Outlook, or Outlook Express, or Netscape Communicator, or Mozilla, and I install the certificate. Then, I click the "Digitally sign this email" checkbox to automagically send my certificate to sign the email, and additionally click the "Encrypt this email" once I receive a certificate from an end-user to encrypt the email.

Sure, there are scalability issues, but any good PKI implementation can take care of those for corporate use. And, with a Network of Trust like Thawte is creating, you get the PGP-like ease-of-use with the PKI-class trust-level of a real PKI. All for the home user.

And no, I don't work for VeriSign or Thawte. I did work for a company that used certificates. A lot...

Thawte digital signatures integrate really well into MS Outlook (at least Outlook 2K).
PGP also integrates nicely into Outlook 2K. GPG however does better in Outlook Express.

That about sums it up. Most corporations are not in the software business; they have IT staff, but not programming and development staff....just guys that maintain and secure the servers and networks.

Most corporations are not in the car business, still I prefer to have a choice who can fix my car. You know how expensive are even the simplest things in brand authorized car service companies, now only imagine how much more expensive would it be if you were not even allowed to fix your car anywhere else.

These guys aren't going to desk-check all the code for buffer overflows and the like, they just want to install it, configure it, and apply security patches that the software developers wrote.

That's funny, because that's exactly what I do with my Debian boxes. Well, almost. I install them, configure, and I don't apply security patches, I just run apt-get upgrade.

Don't fool yourself, you don't have to check for buffer overflows when you use Debian and you don't have to check for buffer overflows when you use Windows (well, you can't anyway, so let's just say you don't have to). The difference is when you want to customize the software.

To customize IIS you have to hire Microsoft (good luck with that). To customize Apache you can hire someone from The Apache Software Foundation, you can hire someone from Apache Support Webring, you can hire someone from Covalent Technologies, Red Hat, Thawte, Dana Point Communications, or you can hire me - as we all have the source, we all know the internal API and we all have a right to customize Apache.

You can even use one of your guys that maintain and secure the servers and networks if the customizations you need are easy enough. Remember how Apache httpd internals are deigned. The most fancy customization is usually just a simple mod_perl module.

The same is with ASP versus Perl, MS-SQL versus MySQL, MSVC++ versus GCC, et cetera. Using free software is smarter from the business standpoint than using proprietary software, it's only the transition that's difficult, once you've got into the mess of proprietary file formats, protocols and "standards".

Do it the same way it's done now.
You have big com's selling 'em (VeriSign for example)
and people giving them away for free.
thawte.
Thawte is great, it'll give you a DigitalID/Personal Certificate thing for free, but it comes with the name of "Thawte Free User".
You then earn "points", and when you have 50 (i think) you can have your name instead of "TFU".
You get points by going to see other members who have got over 100 points, and then show 'em your ID (passport/drivers lience/etc) and they award up 10 points.

This way you can have an "ignore free members" option aswell, insuring that all posters can be traced, or ignored.

Mike

Re: http://www.thawte.com/getinfo/products/devel/conte nts.html ("Due to
current world circumstances developer certificates can no longer be issued
to individuals.")

Have you guys given any thought to how much of the current IT world was
built by self-employed individuals? How is a single-person development
shop -- even one such as my own that's been in business since 1991 --
supposed to deploy browser-based software that requires security
certification, if a monopolistic company such as yours is allowed to
maintain arbitrary discriminatory policies such as this one?

Finally, how in the _world_ do you expect this policy to have any impact on
terrorists who have absolutely no historical record of abusing this type of
technology? Every time a corporation or government exhibits a
poorly-thought-out knee-jerk reaction such as yours to the events of
September 11, the score on the bad guys' side of the board jumps up a tick.

Given the rate of consolidation in the IT infrastructure world, in a few
years, Thawte/VeriSign will be the only game in town. Any suggestions as to
what steps I and similar lone-wolf developers can take when that happens?

http://www.thawte.com/corporate/cps/privacy.html

• interesting overall view
  
• neat to look at, shows you that Linux users include www.thawte.com, Rackspace, www.dialtoneinternet.com and www.cihost.com
  
• a neat look at sites with linux in their name
  

An army - no. A big issue is education - it requires a basic level of education to become a hacker, and much of the African population falls below that level. But there are African hackers, I know a couple. South Africa has produced quite a few, since it has a somewhat first-world education system, at least for its wealthier citizens (used to be whites only, but that's changed a bit now).

The digitial certificate company Thawte is South African, for example (see this article. Of course, Thawte has since been acquired by the U.S. certificate monopoly, Verisign - can't have any foreign competition, wouldn't be good for business.

For your amusement, here are a few links (found on Google):

• Zambian hacker replaces president's picture on web site
• South African hacker 0wnz government telecomm network
• Hacking in South Africa

But some of the best African hackers leave for other countries, where they can earn more money and leave the various problems of Africa behind.

The founder of X.com, Elon Musk, is a South African. X.com now owns Paypal. Musk founded X.com with the $305 million in cash he made from selling the Internet directory company he founded, Zip2.

You may argue whether some of the above are truly hackers, but the point is, the skills are there, just not in the numbers that you get in countries with better-educated populations.

Thawte Consulting is of course the certificate authority that started out in Mark's condo, that offered a lower cost alternative to Verisign. It was bought by Verisign a year or so ago for a stupendous amount of money at the height of the dotcom balloon. So that's where the cash for the space trip came from, and now we know what Mark is doing with the cash! Wow!

Once you have one of these go off to www.thawte.com and get your self a nice new certificate.

All you need to do then is send an e-mail to someone and they automatically learn your public key. They can then send you email encrypted with your public key that only you can decrypt with your secret private key.

PGP is a little more painful as you have to install PGP on everyones machine, and get this working with your mail client (Netacape 4.7 doesn't support PGP at all).

Brian

Come on, it's easy! Use a PKI certificate. Sure, PKI still has a ways to go, but it works great for encrypting e-mail. You and your friends can get free certificates here.

Netscape (on all platforms) and Outlook/outlook express already support PKI certificates for e-mail signing/encryption.

Everyone should use certificates. Certificates are used in browser apps. By using certificates, we can verify we are ourselves as we connect to a website. Any decent email system supports certificates. You can get a free e-mail certificate from www.thawte.com (which is part of verisign). These can be used not just to encrypt your message but also to sign it (to verify it is from you). According to Versign, Digital Certificates are the only way to electronically sign something (just like your ink signature on a check). You also have the ability to declare multiple e-mail addresses. Since it is handled by a CA, you can revoke your digital certificate at any time, and you do not need to send your public key to everyone who wants to use it (as you would with PGP). Typically, if your receiver has a digital certificate, you can encrypt the data to them (outlook does this, I know off hand) and then sign it with your key, just like in PGP. This is all done automatically through the CA, as opposed to e-mailing someone and requesting their public key.

Besides all of this, it's just a good method. The encryption isn't as powerful as PGP, but for most secure communications it's excellent (how many of us do banking with 128bit encryption daily?)

Anyway, my two cents.

I agree that eventually most of my applications will sit across the 'net.

While it is scary (refer the story about Application Service Provider / Software authors going out of business) in that you no longer have the data here --> it is much more convenient.

The majority of my work is performed in:

• A SecSH/SSH window to another computer
• A web browser
• A samba file share

If someone was to nick this computer I'm currently using I would be disappointed because 1) it has my Half-Life key config, and 2) I have a Thawte personal key sitting in my Mozilla PSM.

If someone stole that computer on my right I would be disappointed because it has one of my SSH private keys on it. Good luck trying to get through OpenBSD's security, but it is in there somewhere.

Steal my computers and you steal a nice video card. Steal my web server and you steal my life's work.

Who wants software via a browser? I want software via a browser. Heck, just on Monday I wrote a to-do list that I use via a browser. And on a 100MB network, they are not slow.

I don't like applets, I haven't written applets. I write forms. I write database backed 'dynamic' web pages that serve up the information.

My applications do sit across the 'net! Viva the terminal.

They own the patent for that stupid GIF image format

No, that's Unisys. Verisign owns a monopoly (not court-enforced but MS-enforced) on trusted SSL and Authenticode certificates (having bought Thawte), even though VeriSign isn't doing a good job of checking its facts.

Wouldn't be a problem if Thawte Consulting hadn't have sold out to Verisign in '99.

The certs in question can't be used to sign a website (although you might see it pop up if a website run by (friends of) the forgers tried to get your browser program to run a program that they wrote, and signed with the purloined certs.

If you want to get an idea as to what sort of uses you can put a cert to, try going to the Thawte site. Register for their free certs (requires identifying info) and see what they offer (and what they want to charge for some of it!)
--

I hate having to quote my own previous posts in a reply...

2. If you want to use the cert on multiple servers, that's the same as a company buying a single Microsoft Office CD to install on 100 workstations. SSL CA's are businesses too, and greedy or not, they exist for the sole purpose of making money just like your business.

If you want to secure multiple servers, Thawte has a special package that allows you to manage your own certs for $500 (http://www.thawte.com/enterprise/managed.html). If you can afford to colocate 4 or more servers, you can certainly afford $500 to secure them.

Renewing your cert obviously requires less work on the CA's part, and therefor they charge a little less (http://www.thawte.com/certs/server/renew.html).

Companies don't make money by giving their services away. Not many companies sell you a product with free support for life, it's just not a profitable business model. I realize that most slashdot readers, myself included, enjoy working cooperatively to share information and help each other out of the goodness of their hearts, but when a question is asked about why a business doesn't give away their products or services for free, the answer will always be the same, monopoly or not.

If you don't like that, then generate your own SSL cert, and post a paragraph on your site explaining why your customers will get a browser warning about an unsigned cert so they don't get scared off. I don't host any large e-commerce sites, but my customers still want to do business. Using a signed SSL cert is really the only option they have to convince their new customers they are trustworthy.

I hate having to quote my own previous posts in a reply...

2. If you want to use the cert on multiple servers, that's the same as a company buying a single Microsoft Office CD to install on 100 workstations. SSL CA's are businesses too, and greedy or not, they exist for the sole purpose of making money just like your business.

If you want to secure multiple servers, Thawte has a special package that allows you to manage your own certs for $500 (http://www.thawte.com/enterprise/managed.html). If you can afford to colocate 4 or more servers, you can certainly afford $500 to secure them.

Renewing your cert obviously requires less work on the CA's part, and therefor they charge a little less (http://www.thawte.com/certs/server/renew.html).

Companies don't make money by giving their services away. Not many companies sell you a product with free support for life, it's just not a profitable business model. I realize that most slashdot readers, myself included, enjoy working cooperatively to share information and help each other out of the goodness of their hearts, but when a question is asked about why a business doesn't give away their products or services for free, the answer will always be the same, monopoly or not.

If you don't like that, then generate your own SSL cert, and post a paragraph on your site explaining why your customers will get a browser warning about an unsigned cert so they don't get scared off. I don't host any large e-commerce sites, but my customers still want to do business. Using a signed SSL cert is really the only option they have to convince their new customers they are trustworthy.

I've had no trouble with Thawte. It disturbs me that they see fit to list their employees' star signs, though.

How do you pronounce that name, anyway? It looks like "thought" to me but everyone here says "thwaite" like the English surname. Who is correct?

I've had no trouble with Thawte. It disturbs me that they see fit to list their employees' star signs, though.

How do you pronounce that name, anyway? It looks like "thought" to me but everyone here says "thwaite" like the English surname. Who is correct?

Verisign practically have a monopoly market here, they bought up Thawte a few months back, and I believe they now own the certificate services that belonged to RSA. So if you want a SSL cert, Verisign have the monopoly.

Also, you have to remember this isn't a fundamental part of the net like DNS, whoever manages to "persuade" the browser makers (read: MS) basically gets complete access to the market.