Back in this entry I casually mentioned in passing that there is a CA that will give you completely functional SSL certificates for free. To some people this will be horrifying; after all, as the story goes, SSL certificates are supposed to cost money so that they mean something and verify your identity (well, your website's identity).

The truth of what is going on here is that these free certificates contain exactly as much verification of your identity as everyone else's. In fact they may contain more verification, because this CA actually performs automated tests to verify that you have some control over the domain you want a certificate for; I don't know how much checking other CAs do besides making sure that they can charge your credit card. This particular CA is simply being honest about how much this particular 'service' costs to provide, ie essentially nothing. So they give you basic SSL CAs for free and charge you if you want additional features.

(There are a number of CAs that will give you free but short duration SSL certificates for testing purposes. This CA gives year-long ones and will happily issue you new ones for the next year.)

Given my long-standing irritation with what I've called the SSL CA racket, I'm kind of glad that there is a CA that is willing to be honest about exactly what's going on. If it horrifies people and offends them that such a CA is trusted by browsers, well, good, maybe it will spark a little reflection about what SSL CAs are really providing and not providing.

On a pragmatic basis, given that SSL certificates are a commodity and you can now obtain this commodity for free (which demonstrates its actual natural price) I see no reason to pay for basic SSL certificates any more.

(I continue to not name the SSL CA for a number of reasons including that I don't feel like doing their marketing for them. It isn't difficult to work out what CA it is, either with some web searches or by checking the SSL certificate chain for the website I mentioned in the earlier entry.)

Sidebar: what I mean by a basic SSL certificate

By a basic SSL certificate I mean one for a single name without wildcards. Single name certificates are slightly inconvenient but my impression is that SNI support is now common enough in both servers and (modern) clients that you can deal with this if you have to.

(I was pleasantly surprised about how few things I tried had problems with SNI after I set it up on various subdomains of my personal domain. Of course smartphones may complicate this pleasant picture.)