[SSL Observatory] Number of CAs

Ben Wilson ben at digicert.com
Mon Dec 12 10:05:04 PST 2011


Peter,
Is your interest in the current PKI trust model involving CAs and browsers
academic or personal?  I've heard you present before and thought you gave
even-handed legitimate criticisms about the errors found in the use of
digital certificates on the Internet.  Your recent comment about protection
money shows that your cynicism has reached a new level.  Whether you are
prophet, pundit or pariah, you are alleging that Certificate Authorities are
run by back end mob bosses actually behind the online threats that everyone
faces on the Internet.  I suppose you have the same feelings for anti-virus
software providers and security hardware vendors as well. 
Ben Wilson

-----Original Message-----
From: observatory-bounces at eff.org [mailto:observatory-bounces at eff.org] On
Behalf Of Peter Gutmann
Sent: Saturday, December 10, 2011 5:50 AM
To: observatory at eff.org; ppatterson at carillon.ca
Subject: Re: [SSL Observatory] Number of CAs

Patrick Patterson <ppatterson at carillon.ca> writes:

>A possible analogy is that a relying party is acting like someone who goes
>into a store, is given a lot of food by that store for free, and then
>complains to the store when they get fat off of that free food. No-one is
>forcing a Relying Party to trust any given CA.

Uh-oh, arguing by analogy... RPs are being forced to rely on a CA (it's not
trust because most users don't trust CAs, they don't even know what they are).
What browsers do is give users a choice:

1. Rely on a CA.
2. Don't do business online, for example "don't pay your power bills" or
   "don't file your taxes" or "don't sell to your customers".

Since companies and governments take a rather dim view of people who choose to
opt out of paying them, RPs in effect have no choice.  They have to rely on a
CA, or else.

You need a better analogy for commercial PKI than the one you're using.  I
think a protection racket would be a good starting point ("youse gotta real
nice web site here.  Be a shame iff'n customers was scared away...").  I
realise that's a fairly emotive way of describing things, but as browsers
today implement it, the closest analogy I can think of is a protection racket,
and that's not from any deliberate attempt to choose emotionally laden terms.

Peter.