I can access inww.com site thru my browser, using a supposedly "secure" connection. The certificate presented by Melbourne IT is signed by Verisign! :-) It takes me 2 minutes to make a change, not two weeks.
However, all the security you have with *their* certificate is some degree of confidence that you connected to the correct site. What is not provided is secure identification of you to them (apart from the password).

PGP authentication (if it works, which with NSI does not seem to be the case anymore; they rejected perfectly valid PGP-signed templates from me for the last few days without indication of what they think is the problem, sigh) does provide a mechanism for client-side authentication using strong-encryption technology. While I believe that such is possible with SSL, this does not seem to be used at all, IMHO for the following reasons:

- lack of tools to generate one's own client-certificate for use with web browsers, and/or documentation etc for that, and
- lack of support by websites for submitting your cert's public part, or
- lack of certification authorities that accept user-generated certs and are widely accepted by site-operators for this purpose (most CAs seem to generate certs for their customers, which always leaves the possibility for some form of escrow, whether by law, by the CA's policies or internal procedures [backup etc] or even a single rogue staff).

I know someone is going to chip in with lots of details and info I have missed/overlooked, and I'd welcome pointers if such services and tools are actually available [in a relatively user-friendly or accessible form].

Mathias