Is there some kind of "governing" body or system in place if a company wants to sell secure certificates? For example, do GeoTrust and Verisign both have the same level of "security"?

Or can "anyone" simply create their own RSA keys and sell certificates?

(I'm not talking about browser compatability.. I'm talking about the actual "security" portion of the company who is selling the certificate. Is there a review, or central authority or anything that a company has to register with or be accredited for?)

Thanks.

I think you are just paying for 'browser compatability' when you buy one of those certs. You can still use 128 bit encryption and generate your own key, but a notice will popup on the end users screen that it is not signed.

Is there some sort of qualification to sell certificates, or can anyone do it? (An accredation body or something?)

Anyone can become a Certificate Authority (CA) and sign certificates. Absolutely anyone. So why would you pay VeriSign a lot of money to do something you can just as easily do yourself? For the simple reason that VeriSign's verification key is included in pretty much every browser out there, so the browsers can verify this key, and make sure it was really signed by VeriSign.

In other words, when your computer and the server do their public-key exchange, your computer can verify that it is indeed exchanging keys with the real server, and not somebody else who has taken it's place. If their certificate cannot be verified by a CA which your browser supports, you can't do this. You can still manually add your own CA's key to your browser (if you use Mozilla, that is) and still verify its authenticity. Hey, now you're sure that somebody hasn't replaced you webserver with one of their to steal CC#'s or something.

However, this is extremely unlikely to be a problem, as hijacking a connection from the client, over the Internet, is extremely difficult. 99% of the issue, and the real reason why people will pay several hundred dollars for VeriSign certificates is, the browser will pop up a dialog saying that the certificate cannot be verified, and this will cause potential clients to think your server is insecure and scare them away. Thats it. All there is to it. The only thing that makes VeriSign's CA better than FlightSimGuy's wonderful CA is that VeriSign has negotiated deals with popular browser creators to have its key included in them (the popular browsers) by default. If you can do this, you too can be the next VeriSign and get millions and millions for precisely nothing. :)

Now you know what the deal is. If you want to set this up, be your own CA, and sign your own certificates for fun and possibly (not likely) profit, check this page (http://www.modssl.org/related/howto.html) for some nice docs.