[SSL Observatory] Number of CAs

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Dec 12 15:52:27 PST 2011 

Ben Wilson <ben at digicert.com> writes:

>Is your interest in the current PKI trust model involving CAs and browsers
>academic or personal?  

Is there a difference?

>Your recent comment about protection money shows that your cynicism has
>reached a new level.

Yeah, that's the problem with having to use terms with emotional connotations,
I'm sure there's some more neutral economic term that says the same thing, but
then no-one would know what I was referring to.

>you are alleging that Certificate Authorities are run by back end mob bosses
>actually behind the online threats that everyone faces on the Internet.  

No, I'm criticising the business model that's been created by browser vendors:
If end users don't want customers to be scared away from their business, they
have to pay money to a third party to ensure that this doesn't happen (and
even if you're going with one of the small number of free CAs, which in any
case many users don't even know exist, you have to invest considerable time
and effort into obtaining and configuring certificates, I did a back-of-the-
envelope calculation of what "free" certs actually cost based on time
estimates and hourly rates a while back and the cost was staggering).  I'm not
an economist so I don't know all the models that could be applied here, but in
terms of trying to find an analogy for what's going on I can't see how that's
anything other than a protection racket.

The depressing thing is that the current system acts to incentivise the race
to the bottom: If I was running a CA as a charity I'd perform careful checking
and whatnot; if I was running it as a commercial operation I'd maximise
throughput (in other words sell as many certs as possible while doing as
little checking as possible) because I know that customers will have to come
to me, the browsers will treat me identically to the most diligent, careful CA
out there, and as long as I sell enough certs to be TB2F I can get away with
any glitches that may arise due to my cutting corners.

To get back to the original poster's comments, he proposed some complex
analogy involving free food and whatnot, but the best analogy for what
browsers are currently doing seems to be a protection racket.  If anyone has a
better one (with convincing supporting arguments), I'd be happy to entertain
it.  While reasoning by analogy isn't perfect, it does allow you to look at
how others have solved the same (equivalent) problem in other areas, so 
there's some value to finding a good analogy.

Peter.

More information about the Observatory mailing list