[SSL Observatory] Number of CAs
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sat Dec 10 04:49:56 PST 2011
Patrick Patterson <ppatterson at carillon.ca> writes:
>A possible analogy is that a relying party is acting like someone who goes
>into a store, is given a lot of food by that store for free, and then
>complains to the store when they get fat off of that free food. No-one is
>forcing a Relying Party to trust any given CA.
Uh-oh, arguing by analogy... RP's are being forced to rely on a CA (it's not
trust because most users don't trust CAs, they don't even know what they are).
What browsers do is give users a choice:
1. Rely on a CA.
2. Don't do business online, for example "don't pay your power bills" or
"don't file your taxes" or "don't sell to your customers".
Since companies and governments take a rather dim view of people who choose to
opt out of paying them, RPs in effect have no choice. They have to rely on a
CA, or else.
You need a better analogy for commercial PKI that the one you're using. I
think a protection racket would be a good starting point ("youse gotta real
nice web site here. Be a shame iff'n customers was scared away..."). I
realise that's a fairly emotive way of describing things, but as browsers
today implement it, the closest analogy I can think of is a protection racket,
and that's not from any deliberate attempt to choose emotionally laden terms.
Peter.
More information about the Observatory
mailing list