Please explain why, if the old SSL model was so secure and could not
be corrupted by MITM attacks or spoofing, that now Verisign offers
"high assurance" or "extended verification" certs. If the previous
and still existing SSL model was/is so great, gee, now why would there
be a need to improve it.
http://www.verisign.com/ssl/ssl-info...tificates.html
Are all current sites that implement SSL certs required to migrate to
EV certs? No, but they can *optionally* upgrade. Will users know the
difference? No. They see the padlock in the browser for the cert
proffered by an SSL-enabled site but whose CA is not a root CA. Have
all the SSL-enabled sites that you visit always used HA certs? No. In
fact, seeing the HA indicator in IE7 is unusual, not the norm. But
then the HA cert simply has the *trusted* CA to include validated info
in the cert (domain name, company name, address, city, state,
country).
As I recall, one of the improvements to IE7 was it alerts when an EV
SSL cert is being proffered. I suspect that IE7 still relies on the
"Trusted Root Certification Authorities" list. Is that list truly
static that no one else after the list was created can become a root
CA? And does an SSL cert become accepted by the browser only
where a root CA from this list is in the cert's CA hierarchy? If so,
do alerts pop up all over because the CA came from the "Third-Party
Root Certificate Authority" list?
Versus EV or HA certs, you have heard of low-assurance certs. "Some
CAs now issue low-assurance server certificates without authenticating
the subscriber, thereby providing only two security services -
confidentiality and integrity. Using current browser technology, it
is very difficult for an Internet user to distinguish between higher-
and lower-assurance server certificates"
(http://www.us.kpmg.com/RutUS_prod/Do...2/DC80502.pdf). So,
since 2002 when this report was issued, have these low-assurance CAs
been wiped from the face of the Earth?
Seems a bit odd that cybersoft.com would patent
(http://www.freepatentsonline.com/20020129237.html) a process for SSL
interception that you say is impossible; see
http://www.cybersoft.com/products/nticry.shtml. Since this was back
in 2000, seems a bit odd that you don't know about SSL interception.
The company still exists. I doubt they would survive if they sold a
product that didn't deliver [some of] its promises.
A bit odd that NATO would waste their time describing MITM for SSL
interception
(http://ftp.rta.nato.int/public//PubF...IST-041-19.pdf)
if, according to you, it were impossible.

