[SSL Observatory] Number of CAs

Patrick Patterson ppatterson at carillon.ca
Thu Dec 8 10:23:02 PST 2011


Hi Daniel:

On 2011-12-08, at 1:08 PM, Daniel Kahn Gillmor wrote:

> [reorganizing and trimming to highlight the salient point]
> 
> On 12/07/2011 09:27 PM, Phillip Hallam-Baker wrote:
>> On Wed, Dec 7, 2011 at 4:09 PM, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
>>> Do you think the incentives underlying the current CA model are broken?
>> 
>> If you think 50 CAs is too many then make your case based on the
>> number there is support for rather than inflating it.
> 
> You'll note that the case i was making did not have to do with the
> number of CAs, it had to do with the incentives the CAs have for
> protecting the relying parties (i think they have no effective
> incentives to do so).
> 
> Do you think the incentives underlying the current CA model are broken?


Ok - this just tickled a long-time pet peeve of mine. A CA has a contract with its Subscribers, so there is mutual responsibility, accountability and financial interest there.

However, there exists no contract between the CA and a Relying Party. It is 100% up to the Relying Parties to examine the policies of a given CA, and make an active decision whether they should trust that CA or not. I HAVE seen arrangements where the relying party did enter into a contract with the CA, for details such as ensuring availability of CRL and other information above and beyond what was indicated in the Certificate Policy, but other than that, the CA has no responsibility to Relying Parties other than to follow its policies. And a Relying Party should only trust that a CA has done so if there is an audit result from someone that the Relying Party trusts stating this.

So, stating that the financial model is broken because the CAs don't protect the Relying Parties is rather strange. A possible analogy is that a relying party is acting like someone who goes into a store, is given a lot of food by that store for free, and then complains to the store when they get fat off of that free food. No-one is forcing a Relying Party to trust any given CA.

Far better that the Relying Party exercise some form of discretion and responsibility. For the average user, I agree that the browsers and OS folks should help them along, but in any organisation of any size, their IT Security folks need to start taking a look at Trust management the same way they do the other topics regarding network security.

All the best.

---
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca

tel: +1 514 485 0789
mobile: +1 514 994 8699
fax: +1 450 424 9559
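The post argues that a Relying Party, not the CA, decides which anchors to trust, and that an organisation's IT security staff should manage that decision deliberately. As an added example (not part of Patrick's message or any Carillon tool), the script below shows the mechanical side of that discretion: it splits a PEM trust bundle into certificate blocks, computes each anchor's SHA-256 fingerprint over its DER body, and writes out only the anchors on an organisation-maintained allowlist. The bundle and allowlist are constructed from arbitrary bytes so it runs offline; the blocks are placeholders, not real certificates, and the function names are this example's own.

```python
"""
Curate a PEM trust bundle by SHA-256 fingerprint (constructed example).

A relying party that has reviewed a CA's Certificate Policy and audit
results records that decision as an allowlist of anchor fingerprints.
This script enforces the allowlist over a bundle: every block whose
fingerprint is not listed is dropped. For a real certificate the value
computed here matches `openssl x509 -noout -fingerprint -sha256`.
"""
import base64
import hashlib
import re
import textwrap

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def parse_bundle(pem_text):
    """Return one DER byte string per PEM certificate block in the bundle."""
    ders = []
    for body in PEM_BLOCK.findall(pem_text):
        b64 = "".join(body.split())  # drop the 64-column line breaks
        ders.append(base64.b64decode(b64, validate=True))
    return ders


def fingerprint(der):
    """SHA-256 fingerprint of the DER encoding, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def to_pem(der):
    """Re-encode a DER body as a standard 64-column PEM block."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = textwrap.wrap(b64, 64)
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def curate(pem_text, allowlist):
    """Return (kept_bundle, dropped_fingerprints) for the given allowlist."""
    kept, dropped = [], []
    for der in parse_bundle(pem_text):
        fp = fingerprint(der)
        if fp in allowlist:
            kept.append(to_pem(der))
        else:
            dropped.append(fp)
    return "".join(kept), dropped


# Constructed sample anchors: arbitrary bytes standing in for DER certificates.
SAMPLE_DERS = [
    b"constructed-anchor-A" * 4,
    b"constructed-anchor-B" * 4,
    b"constructed-anchor-C" * 4,
]
SAMPLE_BUNDLE = "".join(to_pem(d) for d in SAMPLE_DERS)

# The organisation's decision: anchors A and C were reviewed and accepted,
# B was not (constructed allowlist for this example).
ALLOWLIST = {fingerprint(SAMPLE_DERS[0]), fingerprint(SAMPLE_DERS[2])}

if __name__ == "__main__":
    kept_bundle, dropped_fps = curate(SAMPLE_BUNDLE, ALLOWLIST)
    print(kept_bundle)
    print("dropped:", dropped_fps)
```

In practice the allowlist is populated from the fingerprints of anchors whose policies and audit reports the organisation has actually reviewed, and the curated bundle replaces the vendor default on the systems that act as relying parties, so a change to the default store never silently widens what the organisation trusts.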
