[SSL Observatory] Number of CAs
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Thu Dec 8 20:13:59 PST 2011
Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:
>A well-intentioned CA that actually cares about their relying parties could
>probably contribute healthily to the promotion and adoption of a corroborative
>or relying-party-driven system; and their experience doing so might even give
>them a leg up on their competitors (though their profit margins might drop).
As long as the browser vendors continue their current practice of treating the
most careful, diligent CA identically to the most negligent, incompetent one,
there's no benefit to any CA doing this. So they're stuck with the current
situation of having to use either branding and advertising or cut-throat
pricing in order to get ahead. The economically rational thing for a CA to do
is to minimise costs everywhere because you'll be treated the same as all of
your competitors, and as long as they don't minimise costs as much as you are,
you win.
(Cue Ian Grigg... :-)
Peter.