Here's the way that I understand it: anyone can be a certificate authority. In fact, you can install Microsoft certificate server on your IIS server (I'm sure there is an apache equivalent) and viola, you are an authorithy. You can then use Verisign or you can use your own server as the authority. Of course, the problem with using your own server is no one else recognizes it. The browser manufacturers include a number of authority certificates when they ship the browser, which is how verisign gets recognized as one of the big authorities.

You can see how this works by installing the appropriate certificate software on your server, then creating a cerificate and not use any authority but your own. Now visit the site with a browser, and it will pop up and tell you it does not know the authority, then it will ask you if you trust it. YOu can answer yes or no.

so verisign and others were only granted authority because the browser manufacturers distribute their certificate with the browsers, so the browsers will, by default, accept any certificate signed using verisign.

I believe, in overview, that's the way it works.

Richard LOwe

So how much does Microsoft take on kick backs to trust Verisign?

Or really, How much would it cost me to have Microsoft distribute and trust me?

Oh a few billion, I'd bet.

I really have no idea, though.

Richard Lowe